Keywords

1 Introduction

The Internet is critical infrastructure that underpins the economy and society of our country, and it provides convenience and efficiency in everyday life. However, the Internet, now an integral part of everyday life, is threatened by a variety of intelligent and advanced attacks. Detecting black IPs is therefore important. A black IP is an address known to be the source of malicious activity by an attacker, and detecting it is effective for pre-detection of real attacks. Many researchers have studied countermeasures [1,2,3,4,5,6,7], but these approaches have disadvantages such as high cost, long detection time and difficulty of management. This paper therefore focuses on the detection of black IPs, which offers low cost and easy, early detection. Early detection time matters when compared with the detection time of antivirus solutions. The method proposed in this paper uses the source IPs of the collected darknet packets.

We propose a way to detect black IPs by classifying and analyzing the source IPs of daily darknet traffic. The main contribution of the proposed process is early detection of signs of attack. The proposed process prepared 8,192 destination IP addresses in darknet space and collected darknet traffic during August 2016. The collection comprised 277,002,257 darknet packets and 8,392,962 unique source IPs. Using monthly duplicate IPs, 18 of 34 black IPs were predicted, a percentage of 52.94%.

The rest of the paper is organized as follows. In Sect. 2, we give a brief description of existing approaches related to the darknet system. In Sect. 3, we present the proposed process, and the experimental results are given in Sect. 4. Finally, we present our conclusions and the advantages of the approach in Sect. 5.

2 Related Work

Recently, many researchers have studied the darknet. Analysis of darknet traffic consists of two methods: classification of traffic, and pattern search over the analyzed traffic. This paper targets classification of darknet traffic. The darknet has been used for studying and developing countermeasures against malicious activities on the Internet. Among them, three popular systems were proposed in Refs. [1,2,3].

Many studies have been devoted to characterizing common anomalous events in the darknet. [8] combines an IDS with a darknet, and [9] describes how to collect darknet traffic. The darknet also produces massive amounts of data, so statistical analysis has recently become important [10]; the method of [11] classifies darknet traffic as either normal or abnormal.

3 Proposed Process

3.1 All Kinds of Collected Darknet Packets

The collected darknet packets are commonly composed of scanning packets, real attack packets, misconfiguration packets, and so on. Firstly, scanning packets amount to pre-investigation for real attacks, and network scanning constitutes the majority of darknet data. Scanning activities are the result of reconnaissance and DRDoS activities: attackers scan the Internet to identify vulnerabilities and running services with the intent of compromising them. Secondly, packets of real attacks can be detected through known patterns, so trends and patterns for some attacks were identified. Finally, misconfiguration packets are caused by errors in data management and network communications; users often enter a wrong IP address or port in a network environment. In practice, deployed networks have been observed to suffer from well known errors and faulty configuration. As a result, scanning packets and real attack packets account for a large percentage of darknet packets.

3.2 Proposed Method

We need to choose one of the various kinds of darknet information, for the sake of choice and concentration. Darknet information consists of fields such as source IP, source port, destination IP, destination port, payload, event time, etc. This paper chooses to focus on the source IPs in the darknet packets, and selects the top 10 source IPs of the packets detected each day, because the more packets flow in from a detected source IP, the higher the probability of malicious action. This paper is also an initial phase to verify the effectiveness of the proposed method, so if the setup is changed, such as the period or the number of source IPs, different results can be generated. Figure 1 shows the overall proposed process.

Fig. 1. An overall proposed process

Fig. 2. A main idea of detecting black IPs

VirusTotal provides verification results from various antivirus solutions. The chosen top 10 source IPs are therefore analyzed through the VirusTotal site to classify them as either malicious or normal IPs. We then compare the detection day reported by VirusTotal with the day the darknet packets were collected. Finally, if the day a source IP was detected in the darknet is before its detection day by VirusTotal, then we could know the malicious IP early through the darknet. Figure 2 shows the main idea of detecting black IPs.
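The selection and comparison steps of Sect. 3.2 (top 10 daily source IPs, daily versus monthly duplicate IPs, and the comparison of the darknet first-seen day against the VirusTotal detection day) can be implemented as follows. This is an added example, not code from the paper: the packet records and the first-detection dates are constructed sample data, and the `VT_FIRST_DETECTED` table stands in for real VirusTotal lookups, which this example does not perform. The top-N size and the period are parameters, so the same code covers the variations in conditions discussed in Sect. 5.

```python
"""Added example (not the paper's code): darknet top-N source IP selection,
daily/monthly duplicate counting, and an early-detection check against
hypothetical reputation-service first-detection dates."""
from collections import Counter, defaultdict
from datetime import date, timedelta

TOP_N = 3  # the paper uses top 10; 3 keeps the constructed sample readable


def _build_sample():
    """Constructed darknet records (event_date, source_ip, dst_port) for five days."""
    pkts = []
    day0 = date(2016, 8, 1)
    for i in range(5):
        d = day0 + timedelta(days=i)
        pkts += [(d, "203.0.113.10", 23)] * 40      # persistent high-volume scanner
        pkts += [(d, "198.51.100.7", 445)] * 15     # persistent, already known to the service
        pkts += [(d, f"192.0.2.{i + 1}", 22)] * 12  # a different IP each day
        pkts += [(d, "203.0.113.99", 80)] * 1       # low volume, never reaches top-N
    return pkts


PACKETS = _build_sample()

# Hypothetical first-detection dates (constructed); None or absence = never flagged.
VT_FIRST_DETECTED = {
    "203.0.113.10": date(2016, 8, 3),   # darknet saw it on Aug 1: early detection
    "198.51.100.7": date(2016, 7, 20),  # flagged before collection started: not early
    "192.0.2.2": date(2016, 8, 10),     # darknet saw it on Aug 2: early detection
    "192.0.2.4": None,                  # never flagged: not counted as malicious
}


def top_sources_per_day(packets, n=10):
    """Rank source IPs by packet count for each day and keep the top n."""
    per_day = defaultdict(Counter)
    for d, src, _port in packets:
        per_day[d][src] += 1
    return {d: [ip for ip, _ in c.most_common(n)] for d, c in sorted(per_day.items())}


def daily_duplicate_ips(top_by_day):
    """'Daily duplicate IPs': one (ip, day) entry per day an IP is in the top-N,
    so an IP recurring on several days is counted on each of them."""
    return [(ip, d) for d, ips in top_by_day.items() for ip in ips]


def monthly_duplicate_ips(top_by_day):
    """'Monthly duplicate IPs': each IP once for the whole period, with its first-seen day."""
    first_seen = {}
    for d, ips in top_by_day.items():  # top_by_day is date-sorted
        for ip in ips:
            first_seen.setdefault(ip, d)
    return first_seen


def early_detection_rate(observations, vt_dates):
    """Among observations (ip, darknet_day) whose IP the reputation service flags,
    count those the darknet saw strictly before the service's detection day.
    Returns (predicted_early, total_malicious, percentage)."""
    malicious = [(ip, d) for ip, d in observations if vt_dates.get(ip) is not None]
    early = [(ip, d) for ip, d in malicious if d < vt_dates[ip]]
    pct = round(100 * len(early) / len(malicious), 2) if malicious else 0.0
    return len(early), len(malicious), pct


def run_demo():
    """Run the whole pipeline on the constructed sample and return the summary."""
    top = top_sources_per_day(PACKETS, TOP_N)
    daily = daily_duplicate_ips(top)
    monthly = monthly_duplicate_ips(top)
    return {
        "days": len(top),
        "daily_count": len(daily),
        "monthly_count": len(monthly),
        "daily_rate": early_detection_rate(daily, VT_FIRST_DETECTED),
        "monthly_rate": early_detection_rate(monthly.items(), VT_FIRST_DETECTED),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The daily count is larger than the monthly count because a persistent scanner contributes one entry per day, which is why the paper's 142 daily and 34 monthly totals differ; the early-detection percentage is computed over the flagged entries only, so an IP the service never flags lowers neither figure.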

4 Experimental Results

We show real experimental results of the proposed process. The proposed process prepared 8,192 destination IP addresses in darknet space and collected darknet traffic in August 2016. The collection comprised 277,002,257 darknet packets and 8,392,962 unique source IPs.

Fig. 3. The number of malicious IPs to daily duplicate IPs

The experimental results are the VirusTotal analysis of the daily source IPs in August. Figure 3 shows the number of malicious IPs among the daily duplicate IPs, and Figure 4 shows the number of malicious IPs among the monthly duplicate IPs. As mentioned previously, daily duplicate IPs are the independent IPs of each day, i.e. an IP is counted once for each day on which it appears, while monthly duplicate IPs are the independent IPs of the month, i.e. an IP is counted once for the whole month.

Fig. 4. The number of malicious IPs to monthly duplicate IPs

In the results, the daily duplicate IPs total 142 and the monthly duplicate IPs total 34. The experimental results can therefore change with the period and the number of source IPs. Table 1 shows one result of daily source IPs in August.

Table 1. An one result of daily source IPs in August

The VirusTotal results identify malicious IPs through "Latest detected URLs", "Latest detected files that were downloaded from this IP address", "Latest detected files that communicate with this IP address", etc. If many antivirus solutions agree that an IP is malicious, we can obtain confident results. In the result, 111 of the 142 daily duplicate IPs were predicted, a percentage of 72.17%. Of the monthly duplicate IPs, 18 of 34 were predicted, a percentage of 52.94%. The experimental results therefore depend on how duplicate IPs are selected.

Table 2. A top 10 source IPs of 2016, August

Additionally, if a longer period of time is analyzed, different results can be obtained. For example, focusing on monthly source IPs, Table 2 shows the top 10 source IPs of August 2016. In this result, we could know in advance 3 (rank 1, 3, 6) of the 4 malicious IPs (rank 1, 3, 6, 8).

5 Conclusions

We proposed a practical classification and analysis using darknet information, and using real darknet data we found that it detects black IPs. However, analyzing darknet packets is difficult because of the enormous volume of data, so confident results were obtained from the top 10 source IPs through choice and concentration. On the basis of statistical analysis, we focus on the source IPs in the darknet packets. The experimental results also show that analyzing a longer period of time gives improved results. When applied to security control, malicious and suspicious IPs must be managed, and duplicate IPs must be managed, because suspicious IPs will later be detected as malicious IPs. If the conditions of the proposed process are changed, such as the period of time (day, week, month, etc.) and the number of source IPs (top 10, top 50, top 100, etc.), then the results change. Optimal conditions can therefore be found through various experiments with different combinations of conditions. As a result, applying the process to a security control system will improve efficiency and accuracy.