Extracting Cyber Threat Intelligence from Port Scans: A Taxonomy- Based Approach
Guardado en:
| 發表在: | International Conference on Cyber Warfare and Security (Mar 2025), p. 114 |
|---|---|
| 主要作者: | |
| 其他作者: | , , |
| 出版: |
Academic Conferences International Limited
|
| 主題: | |
| 在線閱讀: | Citation/Abstract Full Text Full Text - PDF |
| 標簽: |
沒有標簽, 成為第一個標記此記錄!
|
MARC
| LEADER | 00000nab a2200000uu 4500 | ||
|---|---|---|---|
| 001 | 3202191349 | ||
| 003 | UK-CbPIL | ||
| 035 | |a 3202191349 | ||
| 045 | 2 | |b d20250301 |b d20250331 | |
| 084 | |a 142229 |2 nlm | ||
| 100 | 1 | |a Geisler, Jan | |
| 245 | 1 | |a Extracting Cyber Threat Intelligence from Port Scans: A Taxonomy- Based Approach | |
| 260 | |b Academic Conferences International Limited |c Mar 2025 | ||
| 513 | |a Conference Proceedings | ||
| 520 | 3 | |a Port scans are a common preliminary step for a variety of cyberattacks, from simple hackers, attempted automated exploitation, to professional groups and state actors. They serve as a reconnaissance technique that facilitates the planning and execution of future attacks and are often conducted stealthily over extended periods to evade monitoring systems, making them challenging to identify and analyse. Despite this, effective detection and analysis of port scans can yield valuable cyber threat intelligence (CTI), enabling defenders to prioritize defensive measures, deploy and optimize protective infrastructure such as Intrusion Detection and Prevention Systems (IDS/IPS), and anticipate potential attacks by analysing the characteristics and frequency of scans. However, the huge amount of data generated by port scans and other network events hides the significant operations and complicates the extraction of actionable intelligence. We present a comprehensive taxonomy designed to classify and analyse port scans systematically. We focus on interpreting detected port scans rather than their detection, leveraging the wide availability of detection tools. Our taxonomy assesses key attributes of port scans, including the intent, origin, potential hostile gain, damage potential, available intelligence, and the necessity for responsive actions. We then propose an 8-step classification process to guide this analysis. It begins with a thorough technical analysis of the scan which can be provided by various detection frameworks. Based on that, the legitimacy of a detected scan is determined, distinguishing between malicious intent and benign activities like friendly analysis, general research, or internet background noise. Next, we generate a "fingerprint" of the scan and cross-reference it against a database of known scans, compiled from historical data, CTI repositories, and incident reports. The analysis further evaluates the scans target, the information it may have revealed, and its success level. We also explore the broader intelligence that can be gleaned from the scan, enhancing situational awareness of our systems. Finally, we assess the technical response options, considering their feasibility and cost-effectiveness, and determine whether proactive measures are warranted. We show that our structured approach to port scan analysis improves the generation of actionable intelligence and supports informed decision-making for defensive strategies. | |
| 653 | |a Situational awareness | ||
| 653 | |a Background noise | ||
| 653 | |a Taxonomy | ||
| 653 | |a Threat evaluation | ||
| 653 | |a Availability | ||
| 653 | |a Internet | ||
| 653 | |a Methods | ||
| 653 | |a Network security | ||
| 653 | |a Firewalls | ||
| 653 | |a Intelligence gathering | ||
| 653 | |a Cost effectiveness | ||
| 653 | |a Analysis | ||
| 653 | |a Databases | ||
| 653 | |a Exploitation | ||
| 653 | |a Extraction | ||
| 653 | |a Threats | ||
| 653 | |a Classification | ||
| 653 | |a Legitimacy | ||
| 653 | |a Decision making | ||
| 653 | |a Data | ||
| 653 | |a Intelligence | ||
| 653 | |a Infrastructure | ||
| 653 | |a Cost analysis | ||
| 653 | |a Feasibility | ||
| 653 | |a Intrusion | ||
| 653 | |a Hacking | ||
| 700 | 1 | |a Koch, Robert | |
| 700 | 1 | |a Nußbaum, Alexander | |
| 700 | 1 | |a Rodosek, Gabi Dreo | |
| 773 | 0 | |t International Conference on Cyber Warfare and Security |g (Mar 2025), p. 114 | |
| 786 | 0 | |d ProQuest |t Political Science Database | |
| 856 | 4 | 1 | |3 Citation/Abstract |u https://www.proquest.com/docview/3202191349/abstract/embedded/H09TXR3UUZB2ISDL?source=fedsrch |
| 856 | 4 | 0 | |3 Full Text |u https://www.proquest.com/docview/3202191349/fulltext/embedded/H09TXR3UUZB2ISDL?source=fedsrch |
| 856 | 4 | 0 | |3 Full Text - PDF |u https://www.proquest.com/docview/3202191349/fulltextPDF/embedded/H09TXR3UUZB2ISDL?source=fedsrch |