Network scanning is a prevalent threat on the Internet. It can discover active hosts or services in cyberspace, and is therefore often used by attackers to locate potential victims. Scanning activity usually appears at the initial stage of a malicious attack, so detecting scanning behavior earlier helps in fighting those attacks.
The Qihoo 360 Network ScanMon system is a platform that provides both real-time and historical overviews of network scanning activity all over the world. ScanMon detects scanning behavior effectively and accurately by analyzing large amounts of varied network data, including but not limited to Netflow and honeypot data. For each detected scanning event, ScanMon shows its key information as well as useful statistics, such as scanner SrcIP, victim DstPort, scanning volume, and the distribution and correlation of scanners. With this information, users can notice network scans as soon as they occur and identify the corresponding attackers quickly and conveniently. As an example, 360 Netlab recently used ScanMon to help monitor the emergence of the Mirai botnet and investigate the evolution of its scanning behavior. You can watch the online video (remember to choose HD 1080p), or check out the
The system is free and open to the security community. We hope it will help, and we would appreciate anyone giving useful feedback or willing to contribute more network data to improve the system.