This paper presents an approach leveraging machine learning techniques to monitor network traffic in search of vulnerability scanning activities. Indeed, attackers typically perform an initial reconnaissance phase to identify the vulnerabilities their target platforms expose, which they can abuse to perform cyberattacks. Classical network monitoring approaches have multiple limitations. Indeed, they are typically hindered by the presence of encrypted traffic, hamper user privacy resorting to Deep Packet Inspection (DPI), and cannot identify advanced scanning techniques such as slow scans. The research presented in this paper overcomes such limitations through machine learning classifiers that can detect vulnerability scans with flow-level granularity, employing statistical features evaluated on Layer 3 and 4 network packet headers. We demonstrate the feasibility of our approach training classifiers able to detect traffic originated by three well-known vulnerability scanning tools: OpenVAS, sqlmap, and Wapiti. The presented Proof-of-Concept classifiers are characterized by a high classification accuracy, with the best classifier reaching a balanced accuracy of 98%.

A Privacy-Preserving Approach for Vulnerability Scanning Detection / Regano, Leonardo; Canavese, Daniele; Mannella, Luca. - ELETTRONICO. - 3731:(2024), pp. 1-13. (Intervento presentato al convegno ITASEC 2024: The Italian Conference on CyberSecurity tenutosi a Salerno (IT) nel April 08–12, 2024).

A Privacy-Preserving Approach for Vulnerability Scanning Detection

Leonardo Regano;Daniele Canavese;Luca Mannella
2024

Abstract

This paper presents an approach leveraging machine learning techniques to monitor network traffic in search of vulnerability scanning activities. Indeed, attackers typically perform an initial reconnaissance phase to identify the vulnerabilities their target platforms expose, which they can abuse to perform cyberattacks. Classical network monitoring approaches have multiple limitations. Indeed, they are typically hindered by the presence of encrypted traffic, hamper user privacy resorting to Deep Packet Inspection (DPI), and cannot identify advanced scanning techniques such as slow scans. The research presented in this paper overcomes such limitations through machine learning classifiers that can detect vulnerability scans with flow-level granularity, employing statistical features evaluated on Layer 3 and 4 network packet headers. We demonstrate the feasibility of our approach training classifiers able to detect traffic originated by three well-known vulnerability scanning tools: OpenVAS, sqlmap, and Wapiti. The presented Proof-of-Concept classifiers are characterized by a high classification accuracy, with the best classifier reaching a balanced accuracy of 98%.
2024
File in questo prodotto:
File Dimensione Formato  
2024_ITASEC_VulnerabilityScanning.pdf

accesso aperto

Descrizione: Camera-ready Version
Tipologia: 2. Post-print / Author's Accepted Manuscript
Licenza: Creative commons
Dimensione 191.5 kB
Formato Adobe PDF
191.5 kB Adobe PDF Visualizza/Apri
2024-07_A_Privacy_Preserving_Approach_for_Vulnerability_Scanning_Detection_paper44.pdf

accesso aperto

Tipologia: 2a Post-print versione editoriale / Version of Record
Licenza: Creative commons
Dimensione 266.97 kB
Formato Adobe PDF
266.97 kB Adobe PDF Visualizza/Apri
Pubblicazioni consigliate

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11583/2988122