research-article

PMap: Reinforcement Learning-Based Internet-Wide Port Scanning

Published: 20 November 2024

Abstract

Internet-wide scanning is a commonly used research technique in network surveys, such as measuring service deployment and security vulnerabilities. However, these surveys are limited to a given port set, so they do not comprehensively capture the real network landscape and can even lead to misleading conclusions. In this work, we introduce PMap, a port scanning tool that efficiently discovers the most open ports from all 65K ports in the whole network. PMap uses the correlation between ports to build an open-port correlation graph for each network, and uses a reinforcement learning framework to update the graph based on scan feedback and dynamically adjust the order in which ports are scanned. Compared to current port scanning methods, PMap performs better on hit rate, coverage, and intrusiveness. Our experiments over real networks show that PMap can find 90% of open ports by scanning only 125 ports per address (90%@125), which is 99.3% less than the state-of-the-art port scanning methods. Reducing the number of scanned ports decreases the intrusiveness of port scanning. In addition, PMap is highly parallel and lightweight: it scans 500 networks in parallel, achieving a port recommendation rate of up to 18 million per second while consuming only 7 GB of memory. PMap is the first effective practice for scanning open ports using reinforcement learning. It bridges the gap left by existing scanning tools and effectively supports subsequent service discovery and security research.


Published In

IEEE/ACM Transactions on Networking, Volume 32, Issue 6
Dec. 2024
985 pages

Publisher: IEEE Press

Published in TON Volume 32, Issue 6
