Nightlights: Entropy-Based Metrics for Classifying Darkspace Traffic Patterns

Zseby, Tanja; Brownlee, Nevil; King, Alistair; claffy, kc

doi:10.1007/978-3-319-04918-2_30

Nightlights: Entropy-Based Metrics for Classifying Darkspace Traffic Patterns

Tanja Zseby¹⁸,
Nevil Brownlee^19,20,
Alistair King²⁰ &
…
kc claffy²⁰

Conference paper

1946 Accesses
6 Citations

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 8362))

Abstract

An IP darkspace is a globally routed IP address space with no active hosts. All traffic destined to darkspace addresses is unsolicited and often originates from network scanning or attacks. A sudden increases of different types of darkspace traffic can serve as indicator of new vulnerabilities, misconfigurations or large scale attacks. In our analysis we take advantage of the fact that darkspace traffic typically originates from processes that use randomly chosen addresses or ports (e.g. scanning) or target a specific address or port (e.g. DDoS, worm spreading). These behaviors induce a concentration or dispersion in feature distributions of the resulting traffic aggregate and can be distinguished using entropy as a compact representation. Its lightweight, unambiguous, and privacy-compatible character makes entropy a suitable metric that can facilitate early warning capabilities, operational information exchange among network operators, and comparison of analysis results among a network of distributed IP darkspaces.

This is a preview of subscription content, log in via an institution.

Chapter: USD 29.95; Price excludes VAT (USA)

eBook: USD 39.99; Price excludes VAT (USA)

Softcover Book: USD 54.99; Price excludes VAT (USA)

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

References

Aben, E.: Conficker/Conflicker/Downadup as seen from the UCSD Network Telescope. Technical report, CAIDA (February 2009)
Google Scholar
Brownlee, N.: One-way traffic monitoring with iatmon. In: Taft, N., Ricciato, F. (eds.) PAM 2012. LNCS, vol. 7192, pp. 179–188. Springer, Heidelberg (2012)
Chapter Google Scholar
Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies Using Traffic Feature Distributions. SIGCOMM Comput. Commun. Rev. 35(4), 217–228 (2005)
Article Google Scholar

Download references

Author information

Authors and Affiliations

Vienna University of Technology, 1240, Vienna, Austria
Tanja Zseby
University of Auckland, Auckland, 1010, New Zealand
Nevil Brownlee
CAIDA, UC San Diego, CA, 92093, USA
Nevil Brownlee, Alistair King & kc claffy

Authors

Tanja Zseby
View author publications
You can also search for this author in PubMed Google Scholar
Nevil Brownlee
View author publications
You can also search for this author in PubMed Google Scholar
Alistair King
View author publications
You can also search for this author in PubMed Google Scholar
kc claffy
View author publications
You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

Computer Science Department, University of New Mexico, Engineering Building II, 87131, Albuquerque, NM, USA
Michalis Faloutsos
EECS Department, Northwestern University, 2145 Sheridan Road, 60208, Evanston, IL, USA
Aleksandar Kuzmanovic

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Zseby, T., Brownlee, N., King, A., claffy, k. (2014). Nightlights: Entropy-Based Metrics for Classifying Darkspace Traffic Patterns. In: Faloutsos, M., Kuzmanovic, A. (eds) Passive and Active Measurement. PAM 2014. Lecture Notes in Computer Science, vol 8362. Springer, Cham. https://doi.org/10.1007/978-3-319-04918-2_30

Download citation

DOI: https://doi.org/10.1007/978-3-319-04918-2_30
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-04917-5
Online ISBN: 978-3-319-04918-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics