Abstract
With the proliferation of the Internet of Things (IoT), the damage caused by cyber-attacks that abuse the resources of malware-infected IoT devices is becoming more serious. Darknet monitoring, which constantly observes packets sent from malware-infected hosts to unused IP address space, has proven effective for countering indiscriminate cyber-threats. In this paper, we present a new machine learning scheme to track the attack activities and the evolution of infected devices observed on the darknet. First, we perform feature extraction using FastText to explore the underlying correlation between targeted network services, as indicated by the destination ports of scanning packets. Then, we employ a nonlinear dimension reduction technique, UMAP, to project hosts into a 2-D embedding space for visualization. Finally, we perform clustering analysis based on DBSCAN to automatically identify groups of infected hosts with similar attack behaviors. In the experiments, we use a one-month darknet traffic trace collected from a /16 darknet sensor to demonstrate the efficacy of the proposed scheme. We show that groups of Mirai variants, potentially infected by the same botnets, can be successfully detected by the proposed approach. In particular, a Mirai variant targeting vulnerabilities on TCP port 9530 is newly discovered during the observation period.
Notes
1. A p-piece, a.k.a. p-gram, is a sub-string of length p of a port number considered as a decimal digit string.
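The first stage of the pipeline described in the abstract, the p-piece tokenisation of destination ports defined in the note above, as an added illustration that is not the paper's own code. The p-piece definition follows the note; the token length range 2..3, keeping the whole port number as a token, the constructed scan records and the Jaccard similarity (used only to show how shared pieces make hosts look alike, in place of the FastText/UMAP/DBSCAN stages) are all assumptions made here.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple


def port_pieces(port: int, p: int) -> List[str]:
    """All sub-strings of length p of the port written as a decimal string."""
    digits = str(port)
    return [digits[i:i + p] for i in range(len(digits) - p + 1)]


def port_tokens(port: int, p_min: int = 2, p_max: int = 3) -> List[str]:
    """Whole port plus its p-pieces for p_min <= p <= p_max (assumed range)."""
    tokens = [str(port)]
    for p in range(p_min, p_max + 1):
        tokens.extend(port_pieces(port, p))
    return tokens


def host_documents(records: List[Tuple[str, int]]) -> Dict[str, List[str]]:
    """Group (source host, destination port) records into one token sequence
    per host, in packet order; these sequences are the kind of input an
    embedding model such as FastText would be trained on."""
    docs: Dict[str, List[str]] = defaultdict(list)
    for src, dport in records:
        docs[src].extend(port_tokens(dport))
    return dict(docs)


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Overlap of two hosts' token vocabularies: a crude stand-in for the
    learned embedding distance, used here only to show the effect of pieces."""
    return len(a & b) / len(a | b) if a | b else 0.0


# Constructed sample: four scanners and the ports they probed (not real data).
SAMPLE_RECORDS = [
    ("10.0.0.1", 23), ("10.0.0.1", 2323), ("10.0.0.1", 9530),
    ("10.0.0.2", 2323), ("10.0.0.2", 23), ("10.0.0.2", 9530),
    ("10.0.0.3", 445), ("10.0.0.3", 3389),
    ("10.0.0.4", 23), ("10.0.0.4", 5555),
]


def host_similarity(h1: str, h2: str) -> float:
    """Jaccard similarity of two sample hosts' p-piece vocabularies."""
    docs = host_documents(SAMPLE_RECORDS)
    return jaccard(set(docs[h1]), set(docs[h2]))
```

Hosts 10.0.0.1 and 10.0.0.2 probe the same Telnet-style ports in a different order and end up with identical vocabularies, while 10.0.0.4 shares only the piece "23" with them.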
Acknowledgement
This research is supported by the Ministry of Education, Science, Sports and Culture, Grant-in-Aid for Scientific Research (B) 16H02874 and the Commissioned Research of National Institute of Information and Communications Technology (NICT), JAPAN. The authors thank Mr. Jumpei Shimamura (clwit Inc.) for his valuable suggestions on cyber-attack monitoring.
© 2020 Springer Nature Switzerland AG
Cite this paper
Ishikawa, S., Ozawa, S., Ban, T. (2020). Port-Piece Embedding for Darknet Traffic Features and Clustering of Scan Attacks. In: Yang, H., Pasupa, K., Leung, A.C.S., Kwok, J.T., Chan, J.H., King, I. (eds) Neural Information Processing. ICONIP 2020. Lecture Notes in Computer Science, vol 12533. Springer, Cham. https://doi.org/10.1007/978-3-030-63833-7_50
DOI: https://doi.org/10.1007/978-3-030-63833-7_50
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-63832-0
Online ISBN: 978-3-030-63833-7