Recently, the explosive increase in the number of IoT devices makes the IoT becomes extremely large-scaled, and the security of such a large scale IoT emerges as a big challenge. As a classic security technique, the port scan is widely used around the world. However, as IP resources are limited, a large number of devices are located in the LAN or WLAN behind the NAT which cannot be directly accessed by the port scanner. Furthermore, port scanning generated a tremendous number of probe and response packets which may cause heavy traffic load and frequent congestion. To conquer those problems, in this article, we first propose a reverse proxy based NAT penetration system for scanning ports behind NAT. Based on the NAT penetration system, we proposed a probe delay based adaptive scanning algorithm referred to as ProDASA, which adaptively changes port scanning frequency and scanning methods to balance the network performance and security requirements of the IoT. The experiment in a real environment demonstrates the feasibility of the proposed NAT penetration system and the computational simulation with multiple virtual devices shows the advantage of our proposed ProDASA in terms of both network performance and security by comparing with a conventional method.

中文翻译：

---

基于探测延迟的自适应端口扫描，用于 NAT 后具有私有 IP 地址的物联网设备


近年来，物联网设备数量的爆炸式增长使得物联网变得极其大规模，如此大规模的物联网的安全性成为一个巨大的挑战。端口扫描作为一种经典的安全技术，在全球范围内得到广泛应用。然而，由于IP资源有限，大量设备位于NAT后面的LAN或WL​​AN中，端口扫描器无法直接访问这些设备。此外，端口扫描会产生大量的探测和响应数据包，可能会导致流量负载过大和频繁拥塞。为了克服这些问题，在本文中，我们首先提出了一种基于反向代理的 NAT 渗透系统，用于扫描 NAT 后面的端口。基于NAT穿透系统，我们提出了一种基于探测延迟的自适应扫描算法（ProDASA），该算法自适应地改变端口扫描频率和扫描方法，以平衡物联网的网络性能和安全要求。真实环境中的实验证明了所提出的 NAT 穿透系统的可行性，并且与传统方法相比，使用多个虚拟设备的计算模拟表明了我们提出的 ProDASA 在网络性能和安全性方面的优势。