This paper presents an approach leveraging machine learning techniques to monitor network traffic in search of vulnerability scanning activities. Indeed, attackers typically perform an initial reconnaissance phase to identify the vulnerabilities their target platforms expose, which they can abuse to perform cyberattacks. Classical network monitoring approaches have multiple limitations. Indeed, they are typically hindered by the presence of encrypted traffic, hamper user privacy resorting to Deep Packet Inspection (DPI), and cannot identify advanced scanning techniques such as slow scans. The research presented in this paper overcomes such limitations through machine learning classifiers that can detect vulnerability scans with flow-level granularity, employing statistical features evaluated on Layer 3 and 4 network packet headers. We demonstrate the feasibility of our approach training classifiers able to detect traffic originated by three well-known vulnerability scanning tools: OpenVAS, sqlmap, and Wapiti. The presented Proof-of-Concept classifiers are characterized by a high classification accuracy, with the best classifier reaching a balanced accuracy of 98%.

A Privacy-Preserving Approach for Vulnerability Scanning Detection

Regano L.
Co-primo
;
2024-01-01

Abstract

This paper presents an approach leveraging machine learning techniques to monitor network traffic in search of vulnerability scanning activities. Indeed, attackers typically perform an initial reconnaissance phase to identify the vulnerabilities their target platforms expose, which they can abuse to perform cyberattacks. Classical network monitoring approaches have multiple limitations. Indeed, they are typically hindered by the presence of encrypted traffic, hamper user privacy resorting to Deep Packet Inspection (DPI), and cannot identify advanced scanning techniques such as slow scans. The research presented in this paper overcomes such limitations through machine learning classifiers that can detect vulnerability scans with flow-level granularity, employing statistical features evaluated on Layer 3 and 4 network packet headers. We demonstrate the feasibility of our approach training classifiers able to detect traffic originated by three well-known vulnerability scanning tools: OpenVAS, sqlmap, and Wapiti. The presented Proof-of-Concept classifiers are characterized by a high classification accuracy, with the best classifier reaching a balanced accuracy of 98%.
2024
Intrusion Detection Systems (IDS); Intrusion Prevention Systems (IPS); Machine Learning (ML); Network Security; User Privacy; Vulnerability Scanning
File in questo prodotto:
File Dimensione Formato  
paper44.pdf

accesso aperto

Tipologia: versione editoriale (VoR)
Dimensione 269.96 kB
Formato Adobe PDF
269.96 kB Adobe PDF Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione.

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11584/409424
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 1
  • ???jsp.display-item.citation.isi??? ND
social impact