Article code: 455888
Journal code: 695599
Publication year: 2014
English article: 14 pages, PDF
Full-text version: Free download
English title of the ISI article
On fingerprinting probing activities
Keywords
Fingerprinting probing activities, probing analysis, statistical approach, unsupervised data clustering, network scanning
Related topics
Engineering and Basic Sciences, Computer Engineering, Computer Networks and Communications
English abstract

Motivated by recent cyber attacks that were facilitated through probing, limited cyber security intelligence and the lack of accuracy that is provided by scanning detection systems, this paper presents a new approach to fingerprint probing activity. It investigates whether the perceived traffic refers to probing activities and which exact scanning technique is being employed to perform the probing. Further, this work strives to examine probing traffic dimensions to infer the ‘machinery’ of the scan; whether the probing is random or follows a certain predefined pattern; which probing strategy is being employed; and whether the probing activity is generated from a software tool or from a worm/bot. The approach leverages a number of statistical techniques, probabilistic distribution methods and observations in an attempt to understand and analyze probing activities. To prevent evasion, the approach formulates this matter as a change point detection problem that yielded motivating results. Evaluations performed using 55 GB of real darknet traffic show that the extracted inferences exhibit promising accuracy and can generate significant insights that could be used for mitigation purposes.

Publisher
Database: Elsevier - ScienceDirect
Journal: Computers & Security - Volume 43, June 2014, Pages 35–48
Authors
, , ,