Title :
A Statistical Approach for Fingerprinting Probing Activities
Author :
Bou-Harb, Elias ; Debbabi, Mourad ; Assi, Chadi
Author_Institution :
NCFTA, Concordia Univ., Montreal, QC, Canada
Abstract :
Probing is often the primary stage of an intrusion attempt that enables an attacker to remotely locate, target, and subsequently exploit vulnerable systems. This paper investigates whether the perceived traffic corresponds to probing activities and which exact scanning technique is being employed to perform the probing. Further, this work examines probing traffic dimensions to infer the 'machinery' of the scan: whether the probing activity is generated by a software tool or by a worm/botnet, and whether the probing is random or follows a certain predefined pattern. Motivated by recent cyber attacks that were facilitated through probing, the limited cyber security intelligence related to the mentioned inferences, and the lack of accuracy provided by scanning detection systems, this paper presents a new approach to fingerprint probing activity. The approach leverages a number of statistical techniques, probabilistic distribution methods and observations in an attempt to understand and analyze probing activities. To prevent evasion, the approach formulates this matter as a change point detection problem, which yielded motivating results. Evaluations performed using 55 GB of real darknet traffic show that the extracted inferences exhibit promising accuracy and can generate significant insights that could be used for mitigation purposes.
Keywords :
computer network security; invasive software; statistical distributions; telecommunication traffic; botnet; change point detection problem; cyber attacks; cyber security intelligence; darknet traffic; fingerprint probing activity; intrusion attempt; perceived traffic; probabilistic distribution method; probing traffic dimensions; scanning detection systems; software tool; statistical techniques; worm; Accuracy; Computer crime; Correlation; Cyberspace; Doped fiber amplifiers; Educational institutions; Cyber Security Capability; Probing; Scanning;
Conference_Title :
Availability, Reliability and Security (ARES), 2013 Eighth International Conference on
Conference_Location :
Regensburg
DOI :
10.1109/ARES.2013.9