• DocumentCode
    1459938
  • Title
    A Network Activity Classification Schema and Its Application to Scan Detection
  • Author
    Treurniet, Joanne
  • Author_Institution
    Defence R&D Canada, Ottawa, ON, Canada
  • Volume
    19
  • Issue
    5
  • fYear
    2011
  • Firstpage
    1396
  • Lastpage
    1404
  • Abstract
    Internet traffic is neither well-behaved nor well-understood, which makes it difficult to detect malicious activities such as scanning. A large portion of scanning activity is of a slow scan type and is not currently detectable by security appliances. In this proof-of-concept study, a new scan detection technique is demonstrated that also improves our understanding of Internet traffic. Sessions are created using models of the behavior of packet-level data between host pairs, and activities are identified by grouping sessions based on patterns in the type of session, the IP addresses, and the ports. In a 24-h data set of nearly 10 million incoming sessions, a prodigious 78% were identified as scan probes. Of the scans, 80% were slower than basic detection methods can identify. To manage the large volume of scans, a prioritization method is introduced wherein scans are ranked based on whether a response was made and on the periodicity of the probes in the scan. The data is stored in an efficient manner, allowing activity information to be retained for very long periods of time. This technique provides insight into Internet traffic by classifying known activities, giving visibility to threats to the network through scan detection, while also extending awareness of the activities occurring on the network.
  • Keywords
    IP networks; Internet; security of data; telecommunication security; IP address; Internet traffic; activity information; malicious activity detection; network activity classification schema; packet-level data; periodicity; scan detection; scan probes; scanning activity; time 24 h; Backscatter; Computer crime; IP networks; Internet; Probes; Protocols; Sockets; Security and protection; system management; traffic analysis
  • fLanguage
    English
  • Journal_Title
    Networking, IEEE/ACM Transactions on
  • Publisher
    ieee
  • ISSN
    1063-6692
  • Type
    jour
  • DOI
    10.1109/TNET.2011.2109009
  • Filename
    5720528