Title :
Characterising the Evolution in Scanning Activity of Suspicious Hosts
Author :
Wahid, Alif ; Leckie, Christopher ; Zhou, Chenfeng
Author_Institution :
Dept. of Comput. Sci. & Software Eng., Univ. of Melbourne, Melbourne, VIC, Australia
Abstract :
The early detection of multistage attacks such as DDoS and coordinated spamming poses a major challenge for existing countermeasures based on reactive blacklists. One approach to addressing this challenge would be to profile hosts that engage in scanning activity and predict their future actions. However, this requires understanding how hosts evolve their scanning behaviour. In order to address this issue, we have analysed logs from the DShield repository of globally distributed IDS alerts corresponding to the first 15 days of January 2005. We first clustered hosts using similarities in the spatial breadth (targeted DShield subscribers) and depth (targeted destination ports) of their scanning activity during aggregation intervals of one day at a time. We then analysed temporal properties such as popularity, volatility, lifetime and transition of these clusters to infer how they evolved over time. We found persistent clusters with stable sizes. However, they were highly volatile, with a consistent turnover of hosts every day. This was caused by the lifetime of hosts in each cluster mostly being one day. Nevertheless, we came across a non-trivial number of hosts that appeared every day while belonging to the same cluster or transitioning from one cluster to another. Based on these findings, it is plausible that suspicious hosts can be profiled for long periods of time to predict an imminent multistage attack.
Keywords :
Internet; security of data; telecommunication security; DShield repository; Internet; aggregation interval; distributed IDS; evolution characterisation; imminent multistage attack detection; stable size; suspicious host scanning activity; temporal property; Aggregates; Computer science; Computer security; Computerized monitoring; Internet; Intrusion detection; Recruitment; Size measurement; Software engineering; Spatiotemporal phenomena;
Conference_Title :
Network and System Security, 2009. NSS '09. Third International Conference on
Conference_Location :
Gold Coast, QLD
Print_ISBN :
978-1-4244-5087-9
Electronic_ISBN :
978-0-7695-3838-9
DOI :
10.1109/NSS.2009.13