Patent attributes
Methods, apparatus and computer software products implement embodiments of the present invention that include defining, for a given software category, respective, disjoint sets of communication ports that are used by each of a plurality of software systems in the given software category, including at least first and second disjoint sets. A set of port scans are identified in data traffic transmitted between multiple nodes that communicate over a network, each of the port scans including an access, in the data traffic, of a plurality of the communication ports on a given destination node by a given source node during a predefined time period. Upon detecting a port scan by one of the nodes including accesses of at least one of the communication ports in the first set and at least one of the communication ports in the second set, a preventive action is initiated.
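The detection step described above, sketched as an added example that is not code from the patent. The database port sets, the 60-second window, the three-port scan threshold and the flow-tuple format are all assumptions chosen for illustration.

```python
from collections import defaultdict
from itertools import combinations

# Assumed port sets for one category; the abstract names no concrete ports.
CATEGORIES = {"database": {"mysql": {3306, 33060}, "postgresql": {5432},
                           "mssql": {1433, 1434}, "oracle": {1521}}}
WINDOW = 60    # seconds; stands in for the "predefined time period" (assumed)
MIN_PORTS = 3  # distinct ports that count as a port scan (assumed threshold)

def check_disjoint(systems):
    """Raise if two systems in one category share a port."""
    for (a, pa), (b, pb) in combinations(systems.items(), 2):
        if pa & pb:
            raise ValueError(f"{a} and {b} share ports {sorted(pa & pb)}")

def find_port_scans(flows):
    """Return {(src, dst, ports)}: windows where src hit >= MIN_PORTS ports on dst."""
    by_pair = defaultdict(list)
    for ts, src, dst, port in sorted(flows):
        by_pair[(src, dst)].append((ts, port))
    scans = set()
    for (src, dst), events in by_pair.items():
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:  # slide window start forward
                start += 1
            ports = frozenset(p for _, p in events[start:end + 1])
            if len(ports) >= MIN_PORTS:
                scans.add((src, dst, ports))
    return scans

def cross_system_alerts(flows, categories=CATEGORIES):
    """Flag scans touching ports of two or more systems in the same category."""
    for systems in categories.values():
        check_disjoint(systems)
    alerts = set()
    for src, dst, ports in find_port_scans(flows):
        for category, systems in categories.items():
            hit = tuple(sorted(s for s, pset in systems.items() if pset & ports))
            if len(hit) >= 2:
                alerts.add((src, dst, category, hit))
    return sorted(alerts)

# Constructed sample flows: (timestamp_seconds, source, destination, dest_port)
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "10.0.0.20", 3306), (4, "10.0.0.5", "10.0.0.20", 5432),
    (9, "10.0.0.5", "10.0.0.20", 1433),   # crosses three systems: alert
    (0, "10.0.0.7", "10.0.0.21", 3306), (2, "10.0.0.7", "10.0.0.21", 33060),
    (5, "10.0.0.7", "10.0.0.21", 22),     # a scan, but one system only
]
```

Each tuple returned by `cross_system_alerts` is the point at which the preventive action would be initiated; the abstract does not say what that action is, so the example stops at the alert.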