Estimating Speed of Scanning Activities with a Hough Transform

In this paper, we propose a method to detect scanning activities in darknet traffic and to estimate their speed of change in time and feature space (e.g., destination address, source port, or destination port). The main idea of the algorithm relies on an image processing technique applied to a two-dimensional image that represents unwanted traffic. Thus, on the two-dimensional image, packets are represented as pixels in the time and feature coordinates, and unwanted activity as a set of pixels. The use of a Progressive Probabilistic Hough Transform (PPHT) that is a known technique to detect edges in an image enables us to detect such unwanted activities as ``lines´´ in a traffic trace. We apply our method to darknet traffic traces for three years to investigate the property of such unwanted activities. Our main findings are following: In destination IP address space we confirmed typical host scanning speeds (i.e., a slanted line in the image) although the most of activities are characterized by intensive scans to a specific host (i.e., a horizontal line). Also, we confirmed few port scanning over wide destination port space, meaning that a targeted port attack is dominant in the current network. On the other hand, the consecutive change of source port was also observed; those activities are not tracked by other features. We obtain that 80-90% of unique source IP addresses appeared in the trace is confirmed by this method. Thus, most unwanted activities is still characterized by some kind of trajectory to be detected in packet feature space, though the rest of them behaves like ``noise´´.