Welcome to the Unraveling Cyber Defense Model Secrets series, where we shine a light on Adlumin’s Data Science team, explore the team’s latest detections, and learn how to navigate the cyberattack landscape. 

Early threat detection is crucial in today’s cybersecurity world. Port scanning, a common tactic by attackers, probes network ports to uncover vulnerabilities. Adlumin Data Science developed a new Machine Learning (ML) alert to enhance early-stage detection capabilities and focus on identifying port scans by leveraging an ML ensemble model trained on aggregated firewall log messages. The model learns normal traffic patterns and isolates suspicious behavior effectively.   

The alert is designed to detect suspicious activity originating from private sources, which are frequently used by threat actors for vulnerability scanning after an internal host has been compromised. By addressing these early indicators, the new ML alert provides a significant advancement in threat detection and response. 

This blog delves into the workings of port scans, their implications, and how Adlumin’s new detection elevates your cybersecurity posture. 

The “Handshake”

Computers exchange information across networks by using IP addresses and ports to identify where the data is coming from and where it needs to go. For example, when conducting a Google search, your computer (the initiator) connects to a Google server (the responder). Before any information is exchanged, the two computers perform a handshake to establish a connection. This process involves three steps:  

1. The initiator sends a connection request to the responder. 
2. The responder replies, confirming it is ready to communicate. 
3. The initiator sends a final acknowledgment. 

Once this handshake is complete, your computer can start sending data, like your search query, to the Google server.  

Ports and Their Role in Network Communication

Every computer or device connected to the internet has 65,535 available ports associated with its IP address. Ports act like doors that allow data to enter and exit a machine. At any given time, most ports are closed, but some are open to enable specific tasks. For example, your browser knows to connect to port 443 when accessing a secure website like Google, as this port is reserved for HTTPS traffic. 

When your computer initiates a connection, it typically picks a random port from the range of available ports on your end (called ephemeral ports) to communicate with the destination. However, an attacker trying to infiltrate a system wouldn’t know which ports are open on the destination machine. 

To narrow their efforts, attackers often focus on well-known ports—a standardized range of ports numbered 0 to 1023 that are commonly used for essential services (e.g., port 80 for HTTP, port 25 for email). The remaining ports (1024 to 65,535) are more random and harder to predict, which makes them less attractive for attackers to target. 

What Is a Port Scan? 

A port scan is a technique attackers use to find open and available ports on a target machine. The initiator (in this case, the attacker) systematically sends connection requests to multiple ports on the destination, one after the other, to identify which ports respond as open. Once an open port is found, attackers can exploit it to gain further access to the machine or move deeper into the network. 

Port scans become particularly suspicious when they occur between two devices on the same network. Normally, devices within the same network already know which ports to use for communication, so scanning multiple ports suggests that someone is probing for vulnerabilities. If successful, the attacker could use the open port as an entry point to compromise the machine or spread their attack to other devices on the network. 

Adlumin ingests and processes firewall log messages to extract key relevant information. When looking at firewall log messages, the actions taken by the firewall or the type of traffic over connections can be indicative of a port scan. The Port Scan ML model aggregates certain information from firewall logs, not limited to but including: the IP addresses, port numbers, and number of bytes transmitted over the connection. Then it generates features from this dataset such as the entropy of the number of bytes, how many destination ports were involved etc. 

The model raises alerts when it finds enough log messages between two internal IP addresses that meet the characteristics of port scan activity when analyzed in the aggregate. To make this determination, it uses a machine learning classifier that was trained on datasets containing examples of port scans. 

In addition to the ML classifier described above, the model ensemble includes domain-knowledge rules based on filtering the aggregated dataset for specific values for certain features, and this logic can also raise alerts. The values and features that are filtered on meet the expectations of port scan traffic and were developed by Adlumin Data Science in consultation with Adlumin Engineering, Threat Research, and MDR Teams. 

Strengthening Your Defense Against Port Scans 

Port scans are a critical component of an attacker’s toolkit, providing insights into network vulnerabilities that can be exploited for further malicious activity. Adlumin’s new alert brings a sophisticated, proactive solution to this challenge by detecting and flagging port scan behaviors within aggregated firewall logs. This enhancement not only strengthens your defense against network reconnaissance but also integrates seamlessly with Adlumin’s Threat Intelligence capability for comprehensive investigation analysis. By combining cutting-edge machine learning with domain expertise, Adlumin empowers security teams to act swiftly and decisively, ensuring networks remain secure against evolving threats.

See how our platform helps your team find and address threats by arranging a demo or trying out our platform for free.