Abstract
This paper proposes a host behavior based darknet traffic decomposition approach to identifying groups of malicious events from massive historical darknet traffic. In this approach, we segment traffic flows from captured darknet data, distinguish scan from non-scan flows, and categorize scans according to scan width spreads. Consequently, event groups are appraised by applying the criterion that malicious events generated by the same attacker or malicious software should have similar average packet delay, AvgDly. We have applied the proposed approach to 12 months darknet traffic data for malicious events grouping. As a result, several large scale event groups are discovered on host behavior in the category of port scan, IP scan and hybrid scan, respectively.
Similar content being viewed by others
References
Moore, D., Shannon, C., Brown, D. J., Voelker, G. M., & Savage, S. (2006). Inferring Internet denial-of-service activity. ACM Transactions on Computer Systems, 24, 115–139.
Panjwani, S., Tan, S., Jarrin, K. M. & Cukier, M.(2005). An experimental evaluation to determine if port scans are precursors to an attack. In Proceedings of the international conference on dependable systems and networks, pp. 602–611.
Cooke, E., Jahanian, F., & McPherson, D. (2005). The zombie roundup: Understanding, detecting, and disrupting botnets. Networks, 7, 39–44. http://www.usenix.org/events/sruti05/tech/full_papers/cooke/cooke_html.
Kumar, A., Paxson, V., & Weaver, N. (2005). Exploiting underlying structure for detailed reconstruction of an internet-scale event. In Proceedings of the 5th ACM SIGCOMM conference on Internet measurement—IMC ’05, p. 1. http://portal.acm.org/citation.cfmdoid=1330107.1330150.
Voznak, M., & Safarik, J. (2012). DoS attacks targeting SIP server and improvements of robustness. International Journal of Mathematics and Computers in Simulation, 6(1), 177–184.
Harder, U., Johnson, M. W., Bradley, J. T., & Knottenbelt, W. J. (2006). Observing internet worm and virus attacks with a small network telescope. Electronic Notes in Theoretical Computer Science, 151(3), 47–59.
Staniford, S., Moore, D., Paxson, V., & Weaver, N.(2004). The top speed of flash worms. In WORM’04—Proceedings of the 2004 ACM Workshop on Rapid Malcode, pp. 33–42. http://www.scopus.com/inward/record.url?eid=2-s2.0-14944380936&partnerID=40&md5=369ee882120c4d95a23f5abd1774e32c.
Francois, J., Festor O., et al. (2006). Tracking global wide configuration errors. In IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation.
Limthong, K., Kensuke, F., & Watanapongse, P. (2008). Wavelet-based unwanted traffic time series analysis. In Proceedings of the 2008 international conference on computer and electrical engineering, ICCEE 2008, pp. 445–449.
Ahmed, E., Clark, A., & Mohay, G. (2009). Effective change detection in large repositories of unsolicited traffic. In Fourth international conference on Internet monitoring and protection. ICIMP’09 (pp. 1–6). IEEE.
Jung, J., Paxson, V., Berger, A. W., & Balakrishnan, H., (2004) Fast portscan detection using sequential hypothesis testing. In 2004 IEEE symposium on security and privacy. 2004. Proceedings (pp. 211–225). IEEE.
Giorgi, G., & Narduzzi, C. (2008). Detection of anomalous behaviors in networks from traffic measurements. IEEE Transactions on Instrumentation and Measurement, 12(57), 2782–2791.
Kanda, Y., Fukuda, K., & Sugawara, T. (2010). A flow analysis for mining traffic anomalies. In 2010 IEEE international conference on communications (ICC) (pp. 1–5). IEEE.
Kim, M.-S., Kong, H.-J., Hong, S.-C., Chung, S.-H., & Hong, J. (2004). A flow-based method for abnormal network traffic detection. In 2004 IEEE/IFIP network operations and management symposium (IEEE Cat. No. 04CH37507), Vol. 1.
Moore, D. (2002). Network Telescopes: Observing small or distant security events. In 11th USENIX Security Symposium, Invited talk. http://www.caida.org/outreach/presentations/2002/usenix_sec/usenix_sec_2002_files/v3_document.htm.
Moore, D., Shannon, C., Voelker, G. M., & Savage, S. (2004). Network telescopes: Technical report. Department of Computer Science and Engineering: University of California, San Diego.
Safarik, J., & Tomala, K. (2013). Automatic analysis of attack data from distributed honeypot network. In Proceedings of SPIE—The International Society for Optical Engineering, Vol. 8755, art., no. 875512.
Irwin, B. (2013). A baseline study of potentially malicious activity across five network telescopes. In 2013 5th international conference on Cyber Conflict (CyCon). http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6568378.
Sutton, M. (2013). Monitoring darknet access to identify malicious activity. US Patent 8,413,238. http://www.google.com/patents/US8413238.
Pang, R., Barford, P., Yegneswaran, V., Paxson, V., & Peterson, L. (2004). Characteristics of internet background radiation. In Proceedings of the 2004 ACM SIGCOMM Internet Measurement Conference, IMC 2004, pp. 27–40. http://www.scopus.com/inward/record.url?eid=2-s2.0-14944369649&partnerID=40&md5=8ea4c6eadf61c46e52561b896fe2eba9.
Shannon, C., & Moore, D. (2004). The spread of the Witty worm. IEEE Security & Privacy, 2(4), 46–50.
Arkin, O. (1999). Network scanning techniques. Publicom Communications Solutions.
Acknowledgments
This research is partially supported by STRATUS (Security Technologies Returning Accountability, Trust and User-Centric Services in the Cloud) (https://stratus.org.nz), a science investment project funded by the New Zealand Ministry of Business, Innovation and Employment (MBIE).
Author information
Authors and Affiliations
Corresponding author
Appendix
Appendix
We calculate the cumulative distribution of packet delay over traffic data sourced from Type I hosts. The result is plotted in Fig. 11. As seen from the figure, the point that cumulative percentage growth curve turns to a steady state matches approximately to 10 s packet delay. This indicates that over 80 % samples’ packet delay is <10 s. Based on this observation, we set MPI as 15 s to ensure that our flow segmentation satisfies (1) small packet delay with good sample coverage; and (2) each flow covers the whole period of an event.
Rights and permissions
About this article
Cite this article
Pang, S., Komosny, D., Zhu, L. et al. Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis. Wireless Pers Commun 96, 5335–5353 (2017). https://doi.org/10.1007/s11277-016-3744-4
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11277-016-3744-4