Abstract
This paper proposes a traffic decomposition approach called UnitecDEAMP, based on flow feature profiling, to distinguish groups of significant malicious events from background noise in massive historical darknet traffic. Specifically, we segment and extract traffic flows from captured darknet data and categorize the flows according to sets of criteria derived from our traffic behavior assessments. These criteria are then validated through correlation analysis so that any redundant criteria are eliminated. Significant events are appraised by combined criteria filtering, covering significance in terms of volume, significance in terms of time-series occurrence, and significance in terms of variation. To demonstrate the effectiveness of UnitecDEAMP, twelve months of real-world darknet traffic data are used for our empirical study. The experimental results show that UnitecDEAMP can effectively select the most significant malicious events.
Copyright information
© 2017 Springer Nature Singapore Pte Ltd.
Cite this paper
Zhang, R., Yang, C., Pang, S., Sarrafzadeh, H. (2017). UnitecDEAMP: Flow Feature Profiling for Malicious Events Identification in Darknet Space. In: Batten, L., Kim, D., Zhang, X., Li, G. (eds) Applications and Techniques in Information Security. ATIS 2017. Communications in Computer and Information Science, vol 719. Springer, Singapore. https://doi.org/10.1007/978-981-10-5421-1_13
DOI: https://doi.org/10.1007/978-981-10-5421-1_13
Publisher Name: Springer, Singapore
Print ISBN: 978-981-10-5420-4
Online ISBN: 978-981-10-5421-1
eBook Packages: Computer Science (R0)