
Port-Piece Embedding for Darknet Traffic Features and Clustering of Scan Attacks

  • Conference paper
  • Neural Information Processing (ICONIP 2020)
  • Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 12533)

Abstract

With the proliferation of the Internet of Things (IoT), the damage caused by cyber-attacks that abuse the resources of malware-infected IoT devices is becoming more serious. Darknet monitoring, which constantly observes packets sent from malware-infected hosts to unused IP address space, has proven effective for countering indiscriminate cyber-threats. In this paper, we present a new machine learning scheme to track the attack activities and the evolution of infected devices observed on the darknet. First, we perform feature extraction using FastText to explore the underlying correlation between targeted network services, as indicated by the destination ports of scanning packets. Then, we employ a nonlinear dimension reduction technique, UMAP, to project hosts into a 2-D embedding space for visualization. Finally, we perform clustering analysis based on DBSCAN to automatically identify groups of infected hosts with similar attack behaviors. In the experiments, we use a one-month darknet traffic trace collected from a /16 darknet sensor to demonstrate the efficacy of the proposed scheme. We show that groups of Mirai variants, potentially infected by the same botnets, can be successfully detected by the proposed approach. In particular, a Mirai variant targeting vulnerabilities on TCP port 9530 is newly discovered during the observation period.


Notes

  1. A p-piece, a.k.a. p-gram, is a sub-string of length p of a port number considered as a decimal digit string.
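As an added illustration of the pipeline the abstract describes and of the p-piece definition in Note 1 (example code written for this page, not the authors' implementation; it stands in for FastText and UMAP with plain p-piece counts and cosine distance), the block below tokenises constructed scan records into port pieces, builds one bag-of-pieces vector per source host, and groups hosts with a minimal DBSCAN. The host names, ports and thresholds are all constructed sample values.

```python
from collections import Counter, defaultdict
from math import sqrt

# Constructed sample darknet records (source host, destination port); not data from the paper.
RECORDS = [("h1", 23), ("h1", 2323), ("h1", 9530),
           ("h2", 23), ("h2", 2323), ("h2", 9530),
           ("h3", 80), ("h3", 8080), ("h3", 8081),
           ("h4", 23), ("h4", 9530)]

def port_pieces(port, p):
    """p-pieces (length-p substrings) of the decimal port string, plus the whole port as a token."""
    s = str(port)
    return [s[i:i + p] for i in range(len(s) - p + 1)] + ["<" + s + ">"]

def host_vectors(records, p=2):
    """One bag-of-p-pieces 'document' per scanning host."""
    vecs = defaultdict(Counter)
    for host, port in records:
        vecs[host].update(port_pieces(port, p))
    return dict(vecs)

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    na, nb = sqrt(sum(v * v for v in a.values())), sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0

def dbscan(vecs, eps=0.5, min_pts=2):
    """DBSCAN over cosine distance (1 - cosine); label -1 marks noise hosts."""
    hosts = list(vecs)
    near = {h: [o for o in hosts if 1.0 - cosine(vecs[h], vecs[o]) <= eps] for h in hosts}
    labels, cluster = {}, 0
    for h in hosts:
        if h in labels:
            continue
        if len(near[h]) < min_pts:       # not a core point: provisionally noise
            labels[h] = -1
            continue
        cluster += 1
        labels[h] = cluster
        queue = [o for o in near[h] if o != h]
        while queue:
            o = queue.pop()
            if labels.get(o) == -1:      # earlier noise point becomes a border point
                labels[o] = cluster
            if o in labels:
                continue
            labels[o] = cluster
            if len(near[o]) >= min_pts:  # core point: keep expanding
                queue.extend(n for n in near[o] if n not in labels)
    return labels
```

Hosts h1, h2 and h4 share pieces of 23 and 9530 and land in one cluster, while h3 (80/8080/8081) shares none and is labelled noise; a port shorter than p digits yields only its whole-port token.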


Acknowledgement

This research is supported by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for Scientific Research (B) 16H02874 and the Commissioned Research of National Institute of Information and Communications Technology (NICT), JAPAN. The authors thank Mr. Jumpei Shimamura (clwit Inc.) for his valuable suggestions on cyber-attack monitoring.

Author information

Corresponding author

Correspondence to Seiichi Ozawa.


Copyright information

© 2020 Springer Nature Switzerland AG

About this paper


Cite this paper

Ishikawa, S., Ozawa, S., Ban, T. (2020). Port-Piece Embedding for Darknet Traffic Features and Clustering of Scan Attacks. In: Yang, H., Pasupa, K., Leung, A.C.S., Kwok, J.T., Chan, J.H., King, I. (eds) Neural Information Processing. ICONIP 2020. Lecture Notes in Computer Science, vol 12533. Springer, Cham. https://doi.org/10.1007/978-3-030-63833-7_50


  • DOI: https://doi.org/10.1007/978-3-030-63833-7_50


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-63832-0

  • Online ISBN: 978-3-030-63833-7

  • eBook Packages: Computer Science (R0)
