Port Scanning Research Articles

Penerapan Honeypot Sebagai Sistem Keamanan Server Berbasis Linux

The application of honeypot as a linux-based server security system can help secure servers, can help detect attacks that occur on computer networks, and display the results of attacks that occur in logs stored on cowrie honeypots. With the existence of a honeypot, it can be used as a distraction from the attacker and is able to take information about the attack that occurred and the information of the attacker. Honeypot is implemented into a system that becomes a dummy system with the aim of attracting attention, detecting, and examining attacks that occur and are carried out by attackers. Based on the tests that have been carried out, it can be concluded that the application of honeypot in the linux-based server security system at SMK Negeri 3 Bengkulu is able to manipulate ports such as ports 22 and 23, so that it can avoid and secure ports from attacks such as ping of death which was tested using the LOIC, SSH, Telnet applications, port scanners which were tested using the advanced port scanner application, which is stored in the Cowrie Honeypot logs.

The VNF Cybersecurity Dataset for Research (VNFCYBERDATA)

Virtualisation has received widespread adoption and deployment across a wide range of enterprises and industries throughout the years. Network Function Virtualisation (NFV) is a technical concept that presents a method for dynamically delivering virtualised network functions as virtualised or software components. Virtualised Network Function (VNF) has distinct advantages, but it also faces serious security challenges. Cyberattacks such as Denial of Service (DoS), malware/rootkit injection, port scanning, and so on can target VNF appliances just like any other network infrastructure. To create exceptional training exercises for machine or deep learning (ML/DL) models to combat cyberattacks in VNF, a suitable dataset (VNFCYBERDATA) exhibiting an actual reflection, or one that is reasonably close to an actual reflection, of the problem that the ML/DL model could address is required. This article describes a real VNF dataset that contains over seven million data points and twenty-five cyberattacks generated from five VNF appliances. To facilitate a realistic examination of VNF traffic, the dataset includes both benign and malicious traffic.

Design and implementation of anti-mapping security access technology based on illegal scanning

Abstract In the current field of information security, illegal network scanning activities are prevalent, and such behaviors are usually aimed at detecting security vulnerabilities in network systems and preparing for future attack activities. This study proposes a secure access system based on anti-mapping technology, which aims to effectively block illegal scanning behaviors while ensuring that the normal access of legitimate users is not affected. The system integrates advanced behavioral analysis algorithms that utilize machine learning techniques for deep learning and pattern recognition of network traffic, and is able to accurately distinguish between normal user activities and malicious scanning attempts. At the core of the system is a set of dynamic adaptive identification mechanisms that update the detection algorithms in real time to adapt to emerging scanning techniques and attack strategies by continuously learning from changes in network traffic. In addition, the system employs role-based access control (RBAC) policies to enhance the protection of sensitive resources. The Secure Access Gateway is deployed at the boundary of the network to monitor and filter all ingress traffic, effectively intercepting unauthorized scanning activities by comprehensively evaluating the source, behavior and frequency of traffic. Experimental results show that the proposed two-layer network structure performs well in detecting common threats such as port scanning, DDoS attacks, and SQL injections, with an accuracy rate of over 95%. Especially for complex and covert APT (advanced persistent threat) attacks, the system can significantly reduce the false alarm rate and effectively improve the detection speed. However, when dealing with some highly customized malware, the system’s recognition ability still needs to be improved, which indicates that future research needs to focus more on enhancing the ability to learn and adapt to unknown threats.

Implementation of a Network Security System Using the Port Knocking Method at Taruna Satria Vocational School Pekanbaru

SMK Taruna Satria Pekanbaru utilizes its network for teaching and school administration activities. However, security issues have led to incidents where intruders gained access to the MikroTik webfig and altered configurations, such as changing hotspot passwords and adding unauthorized user profiles. Initial data shows that the network experienced up to a 30% performance drop due to illegal access, with a high potential for attacks, especially on HTTP (80), SSH (22), Telnet (23), and Winbox (8291) ports if left open. To address these issues, the Port Knocking method was implemented, which hides ports and only allows access to users who knock on the ports in a specific sequence. Legitimate users must knock on the ports in a designated order to activate access, which then adds their IP address to the whitelist. Access to services is granted only if the correct knocking sequence is followed within a specific timeframe. Testing through simulations of Port Scanning, brute force, and DDoS attacks has demonstrated this method’s effectiveness in hiding ports from scanning detection and reducing brute force and DDoS attack risks. Although effective, this method relies on accurate configuration patterns. Implementing Port Knocking is expected to enhance network security and reduce unauthorized access risks at SMK Taruna Satria Pekanbaru.

APT-scope: A novel framework to predict advanced persistent threat groups from enriched heterogeneous information network of cyber threat intelligence

Addressing the expanding Advanced Persistent Threat (APT) landscape is crucial for governments, enterprises and threat intelligence research groups. While defenders often rely on tabular formats for assets like logs, alerts, firewall rules; attackers leverage a graph-based mindset. In this work, we propose a novel multistage framework named APT-Scope which employs a comprehensive approach to Cyber Threat Intelligence (CTI) analysis on qualified real-world data. APT-Scope workflow consists of data gathering, enrichment, and analysis stages, where relationships between entities are used to construct a Heterogeneous Information Network (HIN). We applied CTI enrichment using additional active data collection techniques like DNS and Whois lookups, port scans, SSL footprinting, named entity recognition via SpaCy, and constructed a machine learning pipeline to predict relationships between entities using FastRP and Logistic Regression. By analyzing the resulting HIN, we discovered aliases for APT groups and predicted threat actors of APT attacks with unknown perpetrators. We observed AUCPR metrics as train score = 96.57% and test score = 92.36%. Our work is beneficial to oversee the entire APT landscape, steer ongoing and future CTI operations and make strategic decisions.

Identification of digital device hardware vulnerabilities based on scanning systems and semi-natural modeling

Objectives. The development of computer technology and information systems requires the consideration of issues of their security, various methods for detecting hardware vulnerabilities of digital device components, as well as protection against unauthorized access. An important aspect of this problem is to study existing methods for the possibility and ability to identify hardware errors or search for errors on the corresponding models. The aim of this work is to develop approaches, tools and technology for detecting vulnerabilities in hardware at an early design stage, and to create a methodology for their detection and risk assessment, leading to recommendations for ensuring security at all stages of the computer systems development process.Methods. Methods of semi-natural modeling, comparison and identification of hardware vulnerabilities, and stress testing to identify vulnerabilities were used.Results. Methods are proposed for detecting and protecting against hardware vulnerabilities: a critical aspect in ensuring the security of computer systems. In order to detect vulnerabilities in hardware, methods of port scanning, analysis of communication protocols and device diagnostics are used. The possible locations of hardware vulnerabilities and their variations are identified. The attributes of hardware vulnerabilities and risks are also described. In order to detect vulnerabilities in hardware at an early design stage, a special semi-natural simulation stand was developed. A scanning algorithm using the Remote Bitbang protocol is proposed to enable data to be transferred between OpenOCD and a device connected to the debug port. Based on scanning control, a verification method was developed to compare a behavioral model with a standard. Recommendations for ensuring security at all stages of the computer systems development process are provided.Conclusions. This paper proposes new technical solutions for detecting vulnerabilities in hardware, based on methods such as FPGA system scanning, semi-natural modeling, virtual model verification, communication protocol analysis and device diagnostics. The use of the algorithms and methods thus developed will allow developers to take the necessary measures to eliminate hardware vulnerabilities and prevent possible harmful effects at all stages of the design process of computer devices and information systems.

Secured and Decentralized System for e-voting with Hybrid Cryptography and Blockchain

Electronic voting is an efficient way of conducting the voting process, which has the characteristics of real-time massive data which demands high security. In this paper, we propose a novel approach for electronic voting that utilizes decentralized network architecture with Blockchain and Hybrid cryptography techniques. Our system aims to address the challenges faced in administering EVMs and ensuring high security in strong rooms, which can lead to privacy and security flaws in the voting system. Our proposed model utilizes a wireless mesh topology to enlist vote details and modernize the chain of blocks, resulting in improved data confidentiality and reduced human resources. A customized UDP packet structure is designed to avoid port scanning and network traces, while the use of port numbers is eliminated for increased security. We also incorporate a three-layer encryption stack for secure key exchanges, which ensures perfect forward secrecy and an uncompromised state of the packet. By reducing the number of threads needed for Transport layer Protocol (TCP) connections; our proposed model improves the speed and security of the existing architecture. Overall, our approach offers a highly secure and efficient electronic voting system that meets the demands of secrecy, accuracy, and neutrality in the process of voting and counting. Our proposed system has the potential to prevent poll rigging by trespassers, ensuring a fair and trustworthy electoral process.

Analysis of features of implementing a “Port scanning” attack using a “Zombie” computer

Analysis of features of implementing a “Port scanning” attack using a “Zombie” computer

Network Traffic Classification Against Adversarial Attacks Based Deep Learning

Background: Cybersecurity is a prominent concern in today's interconnected world, encompassing both local and remote wireless and wired access across diverse communication technology platforms. It is important to recognize the threat posed by hackers who are currently compromising organizational functionalities, bypassing security measures, and stealing hypersensitive information. Common hacking techniques such as Portscan, Distributed Denial of Service (DDoS) attacks, and the use of Botnets, are frequently utilized by hackers. Materials and Methods: The authors explore the advantages of using Machine Learning (ML) to classify attacks such as Port Scanning, DDoS, Botnet, and Botnet-Attempt in a mixture of both benign and attack traffic. They use various Artificial Neural Networks (ANN) structures, each having distinct properties, to train and test on a benchmark dataset (CICIDS2017). The aim is to identify the most effective ANN model and the optimal number of input features required to classify data that contains events of Portscan, DDoS, Botnet, and Botnet-Attempt attacks. Results: Various features are used as inputs for an ML model with single and multiple hidden layers, each with different neurons, to evaluate their impact on classification accuracy using a Python language. The best accuracy obtained is 99.71%, achieved by using all features of the dataset and 4 hidden layers, while the accuracy obtained using only 7 features is 97.6%. Conclusion: ANN models can perform well in classifying network traffic against adversarial attacks by using an optimal combination of features as input and hidden layers.

IDENTIFICATION OF ASSOCIATIVE RULES IN THE BEHAVIOUR OF AUTOMATED SYSTEMS INFORMATION SECURITY INTRUDERS

An approach based on the use of one of the varieties of affinity analysis – associative rule search, which allows to identify associative rules in the use of various methods of port scanning and operating system characterization by intruders of information security of automated systems is proposed. The mechanism of associative rule search using the scalable apriori algorithm is described. The basic concepts and an example of application of this mechanism with calculation of necessary characteristics such as support, confidence and lift were considered. The obtained associative rules will enable information protection specialists to be better oriented in the nature of actions of information security violators of automated systems and will become the basis for making informed managerial decisions on improving the existing or building a new information protection system, more effective response to information security incidents.

Development a data mining techniques to detect and prevention cyber attack for cybersecurity

The identification and forecasting of cyber-attacks is crucial process. In this article, we describe a paradigm for cyber security that makes use of data mining to forecast cyberattacks and identify appropriate countermeasures. The framework’s two primary elements are the surveillance and prevention of cyberattacks. The system constructs a predictive model to forecast future cyberattacks after first extracting appropriate timing with cyberattacks from previous data that used a decision tree based on the J48 algorithm. A variety of cyber-attacks, involving DDoS, port scans, and SQL Injection, are described in the datasets. The suggested framework effectively recognizes cyberattacks and gives patterns associated with them. The suggested predictive algorithm for identifying cyberattacks has a 99% average prediction performance. The predictions model’s test outcomes demonstrate how effective it is at spotting potential cyberattacks in the future. Moreover, solutions like malware detection and monitoring were provided using data mining. Given the state of computer networks today Users of computer networks ought to take security very seriously. In this article, implications of data mining for risk evaluation and identification were highlighted, along with a unique method for quickly and accurately detecting malware.

Detection using Intrusion Detection System (IDS) and SMS Gateway Controller

Intrusion Detection System and SMS controller with Snort using SMS Gateway on public networks. The need for an attack detection system that can assist administrators in monitoring the network, so that administrators can cope with threats quickly and the network can operate optimally again, the purpose of this study is to facilitate network administrators in preventing and detecting attacks. this has been tested against ping of death attacks, sql injection, sysflooding attacks and port scanning. From the results of testing the system that has been tested, the system has been able to detect and prevent it quickly via SMS controller integrated with gammu as an sms gateway, as for information sent to the network administrator in the form of attack alerts in real time via SMS, the result of attack detection in the form of 4 (four) types of information, namely attack time, attack type, destination IP, and source IP. Blocking attacks is done by sending blocking commands via an sms controller that is integrated with php scripts, bash scripting and iptables, blocking attacks successfully executed after the gammu server receives an SMS reply from the network administrator in an average period of 40 seconds.

Asynchronous Record Alignment of Network Flows for Incident Detection and Reconstruction

In today's interconnected digital landscape, the distribution of cyber threats presents a significant challenge to cyber security. Moreover, as of 2016, the amount of data in the world exceeds one zettabyte. Because of this, evidence-based network flow analytics is a critical component of modern network management and security. Problems such as anomalies in the network flow, cyber security incidents, alert generation, data pre-processing, network monitoring, network flow complexity, and data flow patterns become difficult to detect in massive network data flows. These specific problems can be addressed using Packet capture (PCAP). PCAP analysis is a standard network forensics process and investigation for assessing network behaviour and identifying anomalies. This work presents a method for analysing network flows for probable alignment of asynchronously recorded communications in heterogeneous networks. Using a proposed method for alignment, we can identify the relevant recordings aligned over two data streams for faster and more conclusive incident analysis. We use synthetic network incident scenarios for research experiments, detailing the generation of cyber event data and impact on cloud network traffic, followed by in-depth PCAP analysis. The automated cyber-attacks are simulated within a network infrastructure generating network flows in a PCAP format. Simulated cyber-attacks range from standard port scans, service scans, and specific scenarios like SQL injection, phishing, DoS or DDoS. We define analysis objectives and criteria for the in-depth PCAP analysis and alignment. The evidence gathered showcases valuable information about network data flow and its behaviour.

Detecting and mitigating security anomalies in Software-Defined Networking (SDN) using Gradient-Boosted Trees and Floodlight Controller characteristics

Cutting-edge and innovative software solutions are provided to address network security, network virtualization, and other network-related challenges in highly congested SDN-powered networks. However, these networks are susceptible to the same security issues as traditional networks. For instance, SDNs are significantly vulnerable to distributed denial of service (DDoS) attacks. Previous studies have suggested various anomaly detection techniques based on machine learning, statistical analysis, or entropy measurement to combat DDoS attacks and other security threats in SDN networks. However, these techniques face challenges such as collecting sufficient and relevant flow data, extracting and selecting the most informative features, and choosing the best model for identifying and preventing anomalies. This paper introduces a new and advanced multi-stage modular approach for anomaly detection and mitigation in SDN networks. The approach consists of four modules: data collection, feature selection, anomaly classification, and anomaly response. The approach utilizes the NetFlow standard to gather data and generate a dataset, employs the Information Gain Ratio (IGR) to select the most valuable features, uses gradient-boosted trees (GBT), and leverages Representational State Transfer Application Programming Interfaces (REST API) and Static Entry Pusher within the floodlight controller to construct an exceptionally efficient structure for detecting and mitigating anomalies in SDN design. We conducted experiments on a synthetic dataset containing 15 types of anomalies, such as DDoS attacks, port scans, worms, etc. We compared our model with four existing techniques: SVM, KNN, DT, and RF. Experimental results demonstrate that our model outperforms the existing techniques in terms of enhancing Accuracy (AC) and Detection Rate (DR) while simultaneously reducing Classification Error (CE) and False Alarm Rate (FAR) to 98.80 %, 97.44 %, 1.2 %, and 0.38 %, respectively.

This Is a Local Domain: On Amassing Country-Code Top-Level Domains from Public Data

Domain lists are a key ingredient for representative censuses of the Web. Unfortunately, such censuses typically lack a view on domains under country-code top-level domains (ccTLDs). This introduces unwanted bias: many countries have a rich local Web that remains hidden if their ccTLDs are not considered. The reason ccTLDs are rarely considered is that gaining access - if possible at all - is often laborious. To tackle this, we ask: what can we learn about ccTLDs from public sources? We extract domain names under ccTLDs from 6 years of public data from Certificate Transparency logs and Common Crawl. We compare this against ground truth for 19 ccTLDs for which we have the full DNS zone. We find that public data covers 43%-80% of these ccTLDs, and that coverage grows over time. By also comparing port scan data we then show that these public sources reveal a significant part of the Web presence under a ccTLD. We conclude that in the absence of full access to ccTLDs, domain names learned from public sources can be a good proxy when performing Web censuses.

BindHost: Comprehensive Vulnerability Scanner Tool

The increasing dependence on web applications amplifies the importance of protecting them against cyber threats. Vulnerability scanners are of utmost importance in this process, as they periodically detect vulnerabilities within network infras- tructures. This tool automates vulnerability detection, eliminating the need for manual intervention. This paper introduces a vulnerability scanner tool that determines probable threats to a web application by utilizing technologies such as header analysis, port scanning, and comparison against a database of known vulnerabilities(CVEs),thereby providing a robust solution Index Terms—Vulnerability Scanning, Header Analysis, Port Scanning, CVEs, Web Crawling,Socket Programming, Automation

IPREDS: Efficient Prediction System for Internet-wide Port and Service Scanning

Internet-wide port and service scanning, a vital tool for network research, is unaffordable in time and network bandwidth consumption. However, scanning only a portion of ports and services may lead to erroneous research conclusions. Previous work has shortened scanning time by predicting potentially active ports and eliminating many invalid scan targets. Still, they suffer from inherent design flaws that compromise their performance in terms of prediction accuracy and efficiency. The vast, unevenly distributed, and noisy nature of active ports presents significant challenges for prediction systems. Meanwhile, service prediction work is still in a shortage state. In this work, we introduce IPREDS, the first efficient prediction system for Internet-wide port and service scanning. IPREDS uses its carefully designed decision model to utilize all input features and predict the scanning reward of each target in parallel, providing high coverage prediction results in minimal time. Our experiment results show that IPREDS can discover 87% of active ports across the entire IPv4 network within two hours, saving at least 87.26% of the total time and 59% of the packets sent compared to existing work. For service scanning, IPREDS finds 91% of all active services using only four handshakes on each active port and saves 85.9% time to find 69% of each active service compared to exhaustive service scanning.

Analysis of a new firewall constructed on Pfsense with Snort to defend against common internet intrusions

This paper aims to design a new firewall based on the detection of common forms of network attacks in the current Internet environment using Snort in combination with the Pfsense network security platform. Firstly, the functions of Snort and Pfsense are introduced, and the shortcomings of traditional firewalls in the current network environment are analyzed. Then analyze the common port scanning attacks, DOS attacks and algorithm complexity attacks, and by means of reviewing the literature, demonstrate that it adopts the network proxy, CNN-BiLSTM intrusion detection model, IBM algorithm, VLDC algorithm and other means to specifically detect common network attacks, so as to achieve the function of specifically defending against network attacks, and to improve the operation efficiency and detection accuracy of the firewall. accuracy of the firewall, etc.

Oversampling and undersampling for intrusion detection system in the supervisory control and data acquisition IEC 60870‐5‐104

AbstractSupervisory control and data acquisition systems are critical in Industry 4.0 for controlling and monitoring industrial processes. However, these systems are vulnerable to various attacks, and therefore, intelligent and robust intrusion detection systems as security tools are necessary for ensuring security. Machine learning‐based intrusion detection systems require datasets with balanced class distribution, but in practice, imbalanced class distribution is unavoidable. A dataset created by running a supervisory control and data acquisition IEC 60870‐5‐104 (IEC 104) protocol on a testbed network is presented. The dataset includes normal and attacks traffic data such as port scan, brute force, and Denial of service attacks. Various types of Denial of service attacks are generated to create a robust and specific dataset for training the intrusion detection system model. Three popular techniques for handling class imbalance, that is, random over‐sampling, random under‐sampling, and synthetic minority oversampling, are implemented to select the best dataset for the experiment. Gradient boosting, decision tree, and random forest algorithms are used as classifiers for the intrusion detection system models. Experimental results indicate that the intrusion detection system model using decision tree and random forest classifiers using random under‐sampling achieved the highest accuracy of 99.05%. The intrusion detection system model's performance is verified using various metrics such as recall, precision, F1‐Score, receiver operating characteristics curves, and area under the curve. Additionally, 10‐fold cross‐validation shows no indication of overfitting in the created intrusion detection system model.

Optimizing Internet-Wide Port Scanning for IoT Security and Network Resilience: A Reinforcement Learning-Based Approach in WLANs with IEEE 802.11ah

ABSTRACT The rapid proliferation of Internet of Things (IoT) devices has spurred the need for robust security mechanisms within wireless local area network (WLAN) environments. Specifically, the IEEE 802.11ah (WiFi-HaLow) technology offers low-power, long-range communication capabilities ideally suited for IoT devices, but these devices face security threats due to constrained computational resources. This research addresses the challenge of optimizing Internet-wide port scanning to enhance IoT security while minimizing disruptions to network performance. In this paper, we propose a novel reinforcement learning-based approach to achieve this optimization. Our approach harnesses the power of the Proximal Policy Optimization (PPO) algorithm to guide decision-making for IoT security and network performance enhancement. The proposed solution entails training an agent to dynamically adjust the port scanning rate, ensuring the delicate balance between security improvement and network responsiveness. We establish a comprehensive system model, encompassing WiFi-HaLow infrastructure, IPv6-enabled IoT devices, and the integration of Internet-security (IPSec) protocols. Mathematical formulations encapsulate constraints such as resource limitations and security-performance trade-offs. Our experimental setup utilizes a carefully curated dataset and a simulation environment to rigorously evaluate the proposed solution’s effectiveness. The proposed approach demonstrates remarkable security enhancement through the prevention of unauthorized access attempts, data breaches, and improved intrusion detection. Moreover, network performance is optimized, with reductions in latency, improvements in throughput, and energy-efficient operation. By presenting a plethora of comparison scenarios, we validate the superiority of our solution against various benchmarks. This research contributes a comprehensive framework that not only advances IoT security within WLAN environments but also highlights the intricate relationship between security and network performance optimization.