Skip to main content
SpringerLink
Log in

Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis

  • Published:
Wireless Personal Communications Aims and scope Submit manuscript

Abstract

This paper proposes a host behavior based darknet traffic decomposition approach to identifying groups of malicious events from massive historical darknet traffic. In this approach, we segment traffic flows from captured darknet data, distinguish scan from non-scan flows, and categorize scans according to scan width spreads. Consequently, event groups are appraised by applying the criterion that malicious events generated by the same attacker or malicious software should have similar average packet delay, AvgDly. We have applied the proposed approach to 12 months darknet traffic data for malicious events grouping. As a result, several large scale event groups are discovered on host behavior in the category of port scan, IP scan and hybrid scan, respectively.

This is a preview of subscription content, log in via an institution to check access.

Access this article

Log in via an institution

Price excludes VAT (USA)
Tax calculation will be finalised during checkout.

Instant access to the full article PDF.

Institutional subscriptions

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10

Similar content being viewed by others

References

  1. Moore, D., Shannon, C., Brown, D. J., Voelker, G. M., & Savage, S. (2006). Inferring Internet denial-of-service activity. ACM Transactions on Computer Systems, 24, 115–139.

    Article  Google Scholar 

  2. Panjwani, S., Tan, S., Jarrin, K. M. & Cukier, M.(2005). An experimental evaluation to determine if port scans are precursors to an attack. In Proceedings of the international conference on dependable systems and networks, pp. 602–611.

  3. Cooke, E., Jahanian, F., & McPherson, D. (2005). The zombie roundup: Understanding, detecting, and disrupting botnets. Networks, 7, 39–44. http://www.usenix.org/events/sruti05/tech/full_papers/cooke/cooke_html.

  4. Kumar, A., Paxson, V., & Weaver, N. (2005). Exploiting underlying structure for detailed reconstruction of an internet-scale event. In Proceedings of the 5th ACM SIGCOMM conference on Internet measurement—IMC ’05, p. 1. http://portal.acm.org/citation.cfmdoid=1330107.1330150.

  5. Voznak, M., & Safarik, J. (2012). DoS attacks targeting SIP server and improvements of robustness. International Journal of Mathematics and Computers in Simulation, 6(1), 177–184.

    Google Scholar 

  6. Harder, U., Johnson, M. W., Bradley, J. T., & Knottenbelt, W. J. (2006). Observing internet worm and virus attacks with a small network telescope. Electronic Notes in Theoretical Computer Science, 151(3), 47–59.

    Article  Google Scholar 

  7. Staniford, S., Moore, D., Paxson, V., & Weaver, N.(2004). The top speed of flash worms. In WORM’04—Proceedings of the 2004 ACM Workshop on Rapid Malcode, pp. 33–42. http://www.scopus.com/inward/record.url?eid=2-s2.0-14944380936&partnerID=40&md5=369ee882120c4d95a23f5abd1774e32c.

  8. Francois, J., Festor O., et al. (2006). Tracking global wide configuration errors. In IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation.

  9. Limthong, K., Kensuke, F., & Watanapongse, P. (2008). Wavelet-based unwanted traffic time series analysis. In Proceedings of the 2008 international conference on computer and electrical engineering, ICCEE 2008, pp. 445–449.

  10. Ahmed, E., Clark, A., & Mohay, G. (2009). Effective change detection in large repositories of unsolicited traffic. In Fourth international conference on Internet monitoring and protection. ICIMP’09 (pp. 1–6). IEEE.

  11. Jung, J., Paxson, V., Berger, A. W., & Balakrishnan, H., (2004) Fast portscan detection using sequential hypothesis testing. In 2004 IEEE symposium on security and privacy. 2004. Proceedings (pp. 211–225). IEEE.

  12. Giorgi, G., & Narduzzi, C. (2008). Detection of anomalous behaviors in networks from traffic measurements. IEEE Transactions on Instrumentation and Measurement, 12(57), 2782–2791.

    Article  Google Scholar 

  13. Kanda, Y., Fukuda, K., & Sugawara, T. (2010). A flow analysis for mining traffic anomalies. In 2010 IEEE international conference on communications (ICC) (pp. 1–5). IEEE.

  14. Kim, M.-S., Kong, H.-J., Hong, S.-C., Chung, S.-H., & Hong, J. (2004). A flow-based method for abnormal network traffic detection. In 2004 IEEE/IFIP network operations and management symposium (IEEE Cat. No. 04CH37507), Vol. 1.

  15. Moore, D. (2002). Network Telescopes: Observing small or distant security events. In 11th USENIX Security Symposium, Invited talk. http://www.caida.org/outreach/presentations/2002/usenix_sec/usenix_sec_2002_files/v3_document.htm.

  16. Moore, D., Shannon, C., Voelker, G. M., & Savage, S. (2004). Network telescopes: Technical report. Department of Computer Science and Engineering: University of California, San Diego.

  17. Safarik, J., & Tomala, K. (2013). Automatic analysis of attack data from distributed honeypot network. In Proceedings of SPIE—The International Society for Optical Engineering, Vol. 8755, art., no. 875512.

  18. Irwin, B. (2013). A baseline study of potentially malicious activity across five network telescopes. In 2013 5th international conference on Cyber Conflict (CyCon). http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6568378.

  19. Sutton, M. (2013). Monitoring darknet access to identify malicious activity. US Patent 8,413,238. http://www.google.com/patents/US8413238.

  20. Pang, R., Barford, P., Yegneswaran, V., Paxson, V., & Peterson, L. (2004). Characteristics of internet background radiation. In Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004, pp. 27–40. http://www.scopus.com/inward/record.url?eid=2-s2.0-14944369649&partnerID=40&md5=8ea4c6eadf61c46e52561b896fe2eba9.

  21. Shannon, C., & Moore, D. (2004). The spread of the Witty worm. IEEE Security & Privacy, 2(4), 46–50.

    Article  Google Scholar 

  22. Arkin, O. (1999). Network scanning techniques. Publicom Communications Solutions.

Download references

Acknowledgments

This research is partially supported by STRATUS (Security Technologies Returning Accountability, Trust and User-Centric Services in the Cloud) (https://stratus.org.nz), a science investment project funded by the New Zealand Ministry of Business, Innovation and Employment (MBIE).

Author information

Authors and Affiliations

  1. Department of Computing, Unitec Institute of Technology, Auckland, 1020, New Zealand

    Shaoning Pang, Lei Zhu, Ruibin Zhang & Abdolhossein Sarrafzadeh

  2. Department of Telecommunications, Brno University of Technology, 616 00, Brno, Czech Republic

    Dan Komosny

  3. Cybersecurity Laboratory, National Institute of Information and Communications Technology, Tokyo, 184-0015, Japan

    Tao Ban & Daisuke Inoue

Authors
  1. Shaoning Pang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Dan Komosny
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Lei Zhu
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Ruibin Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Abdolhossein Sarrafzadeh
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Tao Ban
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Daisuke Inoue
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Shaoning Pang.

Appendix

Appendix

We calculate the cumulative distribution of packet delay over traffic data sourced from Type I hosts. The result is plotted in Fig. 11. As seen from the figure, the point that cumulative percentage growth curve turns to a steady state matches approximately to 10 s packet delay. This indicates that over 80 % samples’ packet delay is <10 s. Based on this observation, we set MPI as 15 s to ensure that our flow segmentation satisfies (1) small packet delay with good sample coverage; and (2) each flow covers the whole period of an event.

Fig. 11
figure 11

Cumulative distribution of packets delay

Full size image

Rights and permissions

Reprints and permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Pang, S., Komosny, D., Zhu, L. et al. Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis. Wireless Pers Commun 96, 5335–5353 (2017). https://doi.org/10.1007/s11277-016-3744-4

Download citation

  • Published:

  • Issue Date:

  • DOI: https://doi.org/10.1007/s11277-016-3744-4

Keywords

Search

Navigation