{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,25]],"date-time":"2026-04-25T15:21:38Z","timestamp":1777130498871,"version":"3.51.4"},"publisher-location":"New York, NY, USA","reference-count":75,"publisher":"ACM","license":[{"start":{"date-parts":[[2023,10,24]],"date-time":"2023-10-24T00:00:00Z","timestamp":1698105600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"NSF","award":["CNS-2120400,CNS-1823192,CNS-1823192,DGE-1656518"],"award-info":[{"award-number":["CNS-2120400,CNS-1823192,CNS-1823192,DGE-1656518"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2023,10,24]]},"DOI":"10.1145\/3618257.3624818","type":"proceedings-article","created":{"date-parts":[[2023,10,23]],"date-time":"2023-10-23T00:19:52Z","timestamp":1698020392000},"page":"313-327","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":18,"title":["Cloud Watching: Understanding Attacks Against Cloud-Hosted Services"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0004-3336-0958","authenticated-orcid":false,"given":"Liz","family":"Izhikevich","sequence":"first","affiliation":[{"name":"Stanford University, Stanford, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-5226-1856","authenticated-orcid":false,"given":"Manda","family":"Tran","sequence":"additional","affiliation":[{"name":"Stanford University, Stanford, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8086-499X","authenticated-orcid":false,"given":"Michalis","family":"Kallitsis","sequence":"additional","affiliation":[{"name":"Merit Network, Inc., Ann Arbor, MI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6611-4447","authenticated-orcid":false,"given":"Aurore","family":"Fass","sequence":"additional","affiliation":[{"name":"Stanford University, CISPA Helmholtz Center for Information Security, Stanford, CA, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9647-4192","authenticated-orcid":false,"given":"Zakir","family":"Durumeric","sequence":"additional","affiliation":[{"name":"Stanford University, Stanford, CA, USA"}]}],"member":"320","published-online":{"date-parts":[[2023,10,24]]},"reference":[{"key":"e_1_3_2_1_1_1","unstructured":"Advanced honeypot framework. https:\/\/github.com\/honeytrap\/honeytrap. Accessed on 2022-04-29."},{"key":"e_1_3_2_1_2_1","unstructured":"Alibaba cloud. https:\/\/us.alibabacloud.com. Accessed on 2022-12-01."},{"key":"e_1_3_2_1_3_1","unstructured":"Aws EC2. https:\/\/aws.amazon.com\/ec2\/. Accessed on 2022-12-01."},{"key":"e_1_3_2_1_4_1","unstructured":"Cowrie. https:\/\/github.com\/GreyNoise-Intelligence\/cowrie. Accessed on 2021- 12--28."},{"key":"e_1_3_2_1_5_1","unstructured":"Cowrie issue 1102. https:\/\/github.com\/cowrie\/cowrie\/issues\/1102. Accessed on 2021-12-28."},{"key":"e_1_3_2_1_6_1","unstructured":"Google compute engine. https:\/\/cloud.google.com\/compute. Accessed on 2022-12-01."},{"key":"e_1_3_2_1_7_1","unstructured":"Greynoise visualizer. https:\/\/viz.greynoise.io. Accessed on 2022-05-06."},{"key":"e_1_3_2_1_8_1","unstructured":"Kippo. https:\/\/github.com\/desaster\/kippo. Accessed on 2022-05-22."},{"key":"e_1_3_2_1_9_1","unstructured":"Nmap. https:\/\/nmap.org\/docs.html. Accessed on 2022-05-04."},{"key":"e_1_3_2_1_10_1","unstructured":"Suricata rules. https:\/\/pastebin.com\/eqGtVvdX."},{"key":"e_1_3_2_1_11_1","unstructured":"Suricata rules readme. https:\/\/pastebin.com\/EWSQQkBf."},{"key":"e_1_3_2_1_12_1","unstructured":"Suricata user guide. https:\/\/suricata.readthedocs.io\/en\/suricata-6.0.5\/. Accessed on 2022-05-06."},{"key":"e_1_3_2_1_13_1","unstructured":"T-pot - the all in one multi honeypot platform. https:\/\/github.com\/telekom-security\/tpotce. Accessed on 2021-12-01."},{"key":"e_1_3_2_1_14_1","unstructured":"Trendmicro: Mirai-like scanning from China targets Brazil. https:\/\/securityonline. info\/trendmicro-mirai-like-scanning-from-china-targets-brazil\/. Accessed on 2022-05-05."},{"key":"e_1_3_2_1_15_1","volume-title":"https:\/\/www.forum-expat-management.com\/posts\/11371-what-s-in-a-name-exploring-the-term-apac","author":"What's","year":"2016","unstructured":"What's in a name - exploring the term APAC. https:\/\/www.forum-expat-management.com\/posts\/11371-what-s-in-a-name-exploring-the-term-apac, 2016. Accessed on 2022-05-20."},{"key":"e_1_3_2_1_16_1","volume-title":"https:\/\/securitytrails. com\/blog\/hacker-search-engines","author":"Top","year":"2022","unstructured":"Top 9 Internet search engines used by security researchers. https:\/\/securitytrails. com\/blog\/hacker-search-engines, 2022. Accessed on 2022-11-07."},{"key":"e_1_3_2_1_17_1","volume-title":"https:\/\/docs.greynoise.io\/docs\/ understanding-greynoise-classifications","author":"Understanding","year":"2022","unstructured":"Understanding GreyNoise classifications. https:\/\/docs.greynoise.io\/docs\/ understanding-greynoise-classifications, 2022. Accessed on 2022-05-10."},{"key":"e_1_3_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC.2018.10314"},{"key":"e_1_3_2_1_19_1","volume-title":"Aggressive internet-wide scanners: Network impact and longitudinal characterization. arXiv preprint arXiv:2305.07193","author":"Anand A.","year":"2023","unstructured":"A. Anand, M. Kallitsis, J. Sippe, and A. Dainotti. Aggressive internet-wide scanners: Network impact and longitudinal characterization. arXiv preprint arXiv:2305.07193, 2023."},{"key":"e_1_3_2_1_20_1","volume-title":"USENIX Security Symposium","author":"Antonakakis M.","year":"2017","unstructured":"M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Du-rumeric, et al. Understanding the Mirai botnet. In USENIX Security Symposium, 2017."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3213232.3213234"},{"key":"e_1_3_2_1_22_1","first-page":"180","article-title":"Detection of zero-day attacks: An unsupervised port-based approach","author":"Blaise A.","year":"2020","unstructured":"A. Blaise, M. Bouet, V. Conan, and S. Secci. Detection of zero-day attacks: An unsupervised port-based approach. Computer Networks, 180, 2020.","journal-title":"Computer Networks"},{"key":"e_1_3_2_1_23_1","volume-title":"Impact of the Shodan computer search engine on internet-facing industrial control system devices. Technical report","author":"Bodenheim R. C.","year":"2014","unstructured":"R. C. Bodenheim. Impact of the Shodan computer search engine on internet-facing industrial control system devices. Technical report, Air Force Institute of Technology Wright-Patterson AFB OH Graduate School of Engineering and Management, 2014."},{"key":"e_1_3_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1109\/CSCloud\/EdgeCom.2019.00-13"},{"key":"e_1_3_2_1_25_1","volume-title":"Honeypots in the cloud","author":"Brown S.","year":"2012","unstructured":"S. Brown, R. Lam, S. Prasad, S. Ramasubramanian, and J. Slauson. Honeypots in the cloud. 2012."},{"key":"e_1_3_2_1_26_1","first-page":"16","article-title":"Threat intelligence generation using network telescope data for industrial control systems","author":"Cabana O.","year":"2021","unstructured":"O. Cabana, A. M. Youssef, M. Debbabi, B. Lebel, M. Kassouf, R. Atallah, and B. L. Agba. Threat intelligence generation using network telescope data for industrial control systems. IEEE Transactions on Information Forensics and Security, 16, 2021.","journal-title":"IEEE Transactions on Information Forensics and Security"},{"key":"e_1_3_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/3471621.3473500"},{"key":"e_1_3_2_1_28_1","unstructured":"Censys. Opt out of scanning. https:\/\/support.censys.io\/hc\/en-us\/articles\/ 360043177092-Opt-Out-of-Scanning. Accessed on 2022-03-14."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-07620-1_2"},{"key":"e_1_3_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1080\/03461238.1946.10419631"},{"key":"e_1_3_2_1_31_1","unstructured":"Z.Durumeric.Censyssearch2.0officialannouncement.https:\/\/support.censys.io\/hc\/en-us\/articles\/360060941211-Censys-Search-2-0-Official-Announcement."},{"key":"e_1_3_2_1_32_1","volume-title":"CCS","author":"Durumeric Z.","year":"2015","unstructured":"Z. Durumeric, D. Adrian, A. Mirian, M. Bailey, and J. A. Halderman. A search engine backed by Internet-wide scanning. In CCS, 2015."},{"key":"e_1_3_2_1_33_1","volume-title":"USENIX Security Symposium","author":"Durumeric Z.","year":"2014","unstructured":"Z.Durumeric,M.Bailey,andJ.A.Halderman.AnInternet-wideviewofInternet-wide scanning. In USENIX Security Symposium, 2014."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/2663716.2663755"},{"key":"e_1_3_2_1_35_1","volume-title":"USENIX Security Symposium","author":"Durumeric Z.","year":"2013","unstructured":"Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide scanning and its security applications. In USENIX Security Symposium, 2013."},{"issue":"1","key":"e_1_3_2_1_36_1","article-title":"Activity monitoring for large honeynets and network telescopes","volume":"1","author":"Francois J.","year":"2008","unstructured":"J. Francois, O. Festor, et al. Activity monitoring for large honeynets and network telescopes. International Journal on Advances in Systems and Measurements, 1(1), 2008.","journal-title":"International Journal on Advances in Systems and Measurements"},{"key":"e_1_3_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.1109\/ICACT.2015.7224757"},{"key":"e_1_3_2_1_38_1","volume-title":"CCS","author":"Griffioen H.","year":"2021","unstructured":"H. Griffioen, K. Oosthoek, P. van der Knaap, and C. Doerr. Scan, test, execute: Adversarial tactics in amplification DDoS attacks. In CCS, 2021."},{"key":"e_1_3_2_1_39_1","volume-title":"Spoki: Unveiling a new wave of scanners through a reactive network telescope","author":"Hiesgen R.","year":"2022","unstructured":"R. Hiesgen, M. Nawrocki, A. King, A. Dainotti, T. C. Schmidt, and M. W\u00e4hlisch. Spoki: Unveiling a new wave of scanners through a reactive network telescope. 2022."},{"key":"e_1_3_2_1_40_1","unstructured":"G. Intelligence. Sample Log4Shell (CVE-2021-44228) payloads observed in the wild by GreyNoise Intelligence. https:\/\/gist.github.com\/nathanqthai\/ 197b6084a05690fdebf96ed34ae84305. Accessed on 2022-03-14."},{"key":"e_1_3_2_1_41_1","volume-title":"International Conference on Cyber Conflict (CYCON). IEEE","author":"Irwin B.","year":"2013","unstructured":"B. Irwin. A baseline study of potentially malicious activity across five network telescopes. In International Conference on Cyber Conflict (CYCON). IEEE, 2013."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.23919\/SAIEE.2013.8531865"},{"issue":"3","key":"e_1_3_2_1_43_1","first-page":"1","article-title":"Observed correlations of unsolicited ip traffic across five distinct network telescopes","volume":"14","author":"Irwin B.","year":"2015","unstructured":"B. Irwin and T. Nkhumeleni. Observed correlations of unsolicited ip traffic across five distinct network telescopes. Journal of Information Warfare, 14(3):1-14, 2015.","journal-title":"Journal of Information Warfare"},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3517745.3561434"},{"key":"e_1_3_2_1_45_1","volume-title":"USENIX Security Symposium","author":"Izhikevich L.","year":"2021","unstructured":"L. Izhikevich, R. Teixeira, and Z. Durumeric. LZR: Identifying unexpected Internet services. In USENIX Security Symposium, 2021."},{"key":"e_1_3_2_1_46_1","volume-title":"ACM SIGCOMM Conference","author":"Izhikevich L.","year":"2022","unstructured":"L. Izhikevich, R. Teixeira, and Z. Durumeric. Scalably and efficiently discovering IPv4 services across all ports. In ACM SIGCOMM Conference, 2022."},{"key":"e_1_3_2_1_47_1","unstructured":"M. Jonkman. What every IDS user should do. https:\/\/doc.emergingthreats.net\/ bin\/view\/Main\/WhatEveryIDSUserShouldDo. Accessed on 2022-05-03."},{"key":"e_1_3_2_1_48_1","volume-title":"A compar-ative analysis of honeypots on different cloud platforms. Sensors, 21(7)","author":"Kelly C.","year":"2021","unstructured":"C. Kelly, N. Pitropakis, A. Mylonas, S. McKeown, and W. J. Buchanan. A compar-ative analysis of honeypots on different cloud platforms. Sensors, 21(7), 2021."},{"key":"e_1_3_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-26362-5_28"},{"key":"e_1_3_2_1_50_1","doi-asserted-by":"publisher","DOI":"10.23919\/INM.2017.7987415"},{"key":"e_1_3_2_1_51_1","volume-title":"USENIX Workshop on Hot Topics in Security (HotSec)","author":"Mal\u00e9cot E. Le","year":"2009","unstructured":"E. Le Mal\u00e9cot. Mitibox: camouflage and deception for network scan mitigation. In USENIX Workshop on Hot Topics in Security (HotSec), 2009."},{"key":"e_1_3_2_1_52_1","volume-title":"USENIX Security Symposium","author":"Li F.","year":"2016","unstructured":"F. Li, Z. Durumeric, J. Czyz, M. Karami, M. Bailey, D. McCoy, S. Savage, and V. Paxson. You've got vulnerability: Exploring effective vulnerability notifications. In USENIX Security Symposium, 2016."},{"key":"e_1_3_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-33-4922-3_15"},{"key":"e_1_3_2_1_54_1","volume-title":"International Symposium on Foundations and Practice of Security. Springer","author":"Mal\u00e9cot E. L.","year":"2013","unstructured":"E. L. Mal\u00e9cot and D. Inoue. The carna botnet through the lens of a network telescope. In International Symposium on Foundations and Practice of Security. Springer, 2013."},{"key":"e_1_3_2_1_55_1","volume-title":"USENIX Security Symposium","author":"Moore D.","year":"2002","unstructured":"D. Moore. Network telescopes: Observing small or distant security events. In USENIX Security Symposium, 2002."},{"key":"e_1_3_2_1_56_1","volume-title":"Network telescopes: Technical report. Technical report","author":"Moore D.","year":"2004","unstructured":"D. Moore, C. Shannon, G. Voelker, and S. Savage. Network telescopes: Technical report. Technical report, Cooperative Association for Internet Data Analysis (CAIDA), 2004."},{"key":"e_1_3_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/MCOM.2014.6852094"},{"key":"e_1_3_2_1_58_1","volume-title":"ACM","author":"Nawrocki M.","unstructured":"M. Nawrocki, M. Jonker, T. C. Schmidt, and M. W\u00e4hlisch. The far side of DNS amplification: tracing the DDoS attack ecosystem from the Internet core. In ACM"},{"key":"e_1_3_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1109\/CANDARW53999.2021.00065"},{"key":"e_1_3_2_1_60_1","unstructured":"P. Paganini. Multi-vector minertsunami botnet with SSH lateral movement. https:\/\/securityaffairs.co\/wordpress\/111761\/malware\/multi-vector-miner-tsunami-botnet.html. Accessed on 2022-03-14."},{"key":"e_1_3_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1145\/1028788.1028794"},{"key":"e_1_3_2_1_62_1","volume-title":"Ma-licious events grouping via behavior based darknet traffic flow analysis. Wireless Personal Communications, 96(4)","author":"Pang S.","year":"2017","unstructured":"S. Pang, D. Komosny, L. Zhu, R. Zhang, A. Sarrafzadeh, T. Ban, and D. Inoue. Ma-licious events grouping via behavior based darknet traffic flow analysis. Wireless Personal Communications, 96(4), 2017."},{"key":"e_1_3_2_1_63_1","doi-asserted-by":"publisher","DOI":"10.1080\/14786440009463897"},{"key":"e_1_3_2_1_64_1","volume-title":"Honeypot trace forensics: The observation viewpoint matters. Future Generation Computer Systems, 27(5)","author":"Pham V.-H.","year":"2011","unstructured":"V.-H. Pham and M. Dacier. Honeypot trace forensics: The observation viewpoint matters. Future Generation Computer Systems, 27(5), 2011."},{"key":"e_1_3_2_1_65_1","volume-title":"On the advantages of deploying a large scale distributed honeypot platform. In the e-crime and computer evidence conference","author":"Pouget F.","year":"2005","unstructured":"F. Pouget, M. Dacier, V. Pham, et al. On the advantages of deploying a large scale distributed honeypot platform. In the e-crime and computer evidence conference, 2005."},{"key":"e_1_3_2_1_66_1","doi-asserted-by":"publisher","DOI":"10.1145\/3485983.3493347"},{"key":"e_1_3_2_1_67_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-17172-2_11"},{"key":"e_1_3_2_1_68_1","volume-title":"ACM Internet Measurement Conference","author":"Berger P. Richterand A.","year":"2019","unstructured":"P. Richterand A. Berger. Scanningthescanners: Sensing the Internet from amassively distributed network telescope. In ACM Internet Measurement Conference, 2019."},{"key":"e_1_3_2_1_69_1","unstructured":"SHODAN. The search engine for Internet-connected devices. https:\/\/www.shodan.io\/. Accessed on 2021-12-01."},{"key":"e_1_3_2_1_70_1","volume-title":"OSDI","volume":"4","author":"Singh S.","year":"2004","unstructured":"S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In OSDI, volume 4, 2004."},{"key":"e_1_3_2_1_71_1","doi-asserted-by":"publisher","DOI":"10.1109\/LANMAN.2019.8847113"},{"key":"e_1_3_2_1_72_1","article-title":"Inferring and investigating IoT-generated scanning campaigns targeting a large network telescope","author":"Torabi S.","year":"2020","unstructured":"S. Torabi, E. Bou-Harb, C. Assi, E. B. Karbab, A. Boukhtouta, and M. Debbabi. Inferring and investigating IoT-generated scanning campaigns targeting a large network telescope. IEEE Transactions on Dependable and Secure Computing, 2020.","journal-title":"IEEE Transactions on Dependable and Secure Computing"},{"key":"e_1_3_2_1_73_1","volume-title":"USENIX Workshop on Offensive Technologies (WOOT 18)","author":"Vetterl A.","year":"2018","unstructured":"A. Vetterl and R. Clayton. Bitter harvest: Systematically fingerprinting low- and medium-interaction honeypots at Internet scale. In USENIX Workshop on Offensive Technologies (WOOT 18), Baltimore, MD, Aug. 2018. USENIX Association."},{"key":"e_1_3_2_1_74_1","doi-asserted-by":"publisher","DOI":"10.1145\/3419394.3424214"},{"key":"e_1_3_2_1_75_1","doi-asserted-by":"publisher","DOI":"10.1145\/1879141.1879149"}],"event":{"name":"IMC '23: ACM Internet Measurement Conference","location":"Montreal QC Canada","acronym":"IMC '23","sponsor":["SIGCOMM ACM Special Interest Group on Data Communication"]},"container-title":["Proceedings of the 2023 ACM on Internet Measurement Conference"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3618257.3624818","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3618257.3624818","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,8,22]],"date-time":"2025-08-22T13:16:50Z","timestamp":1755868610000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3618257.3624818"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,10,24]]},"references-count":75,"alternative-id":["10.1145\/3618257.3624818","10.1145\/3618257"],"URL":"https:\/\/doi.org\/10.1145\/3618257.3624818","relation":{},"subject":[],"published":{"date-parts":[[2023,10,24]]},"assertion":[{"value":"2023-10-24","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}