Reproducing Random Forest Efficacy in Detecting Port Scanning
Jason M. Pittman

TL;DR
This paper reproduces six recent studies on using random forest algorithms for port scan detection, addressing inconsistencies and lack of source code to improve reliability and reproducibility in cybersecurity research.
Contribution
It systematically reproduces and evaluates six recent random forest port scan detection studies, standardizing datasets and providing source code to enhance reproducibility.
Findings
Reproduced results consistent with original studies
Identified variability in study outcomes and datasets
Provided open-source implementation for future research
Abstract
Port scanning is the process of attempting to connect to various network ports on a computing endpoint to determine which ports are open and which services are running on them. It is a common method used by hackers to identify vulnerabilities in a network or system. By determining which ports are open, an attacker can identify which services and applications are running on a device and potentially exploit any known vulnerabilities in those services. Consequently, it is important to detect port scanning because it is often the first step in a cyber attack. By identifying port scanning attempts, cybersecurity professionals can take proactive measures to protect the systems and networks before an attacker has a chance to exploit any vulnerabilities. Against this background, researchers have worked for over a decade to develop robust methods to detect port scanning. One such method revealed…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Digital and Cyber Forensics
