@article{oai:repository.nii.ac.jp:02000353,
 author = {Mazel, Johan and Fontugne, Romain and 福田, 健介 and Fukuda, Kensuke},
 journal = {NIIテクニカル・レポート, NII Technical Report},
 month = {Dec},
 note = {A great deal of effort has been dedicated to the study of network scanning. Nonetheless, previous studies focused on simple char- acteristics such as the number of scanning IPs (also called scanners) or targets, but usually neglected scanner behavior. We analyze 15 years of backbone traffic and propose a method for profiling scanning IPs. Our analysis first details evolution of targeted services, mass-scanning tool usage and scanning pattern. Then, we propose a new method to classify scanning IPs’ spatial and temporal structure into three profiles that re- veal vastly different intent. In particular, we find that 33% of scanners repeatedly target the same set of hosts. If unsolicited, this behavior pro- vides an early warning to administrators regarding the malicious intent of scanners. Finally, we study publicly documented scanners’ activities and show that security research-related scanning IPs behave differently than non-documented scanners. We also show that only 39% of scanning entities follow online documentation best practices.},
 title = {NII Technical Report (NII-2016-008E)：Profiling Internet Scanners: Spatial and Temporal Structures},
 year = {2016}
}