A Darknet Traffic Analysis for IoT Malwares Using Association Rule Learning

https://doi.org/10.1016/j.procs.2018.10.511
Under a Creative Commons license
open access

Abstract

In this paper, we report an interesting observation of the darknet traffic before the source code of the IoT malware Mirai was first made public on September 7th 2016. In our darknet analysis, frequent pattern mining and association rule learning were performed on a large set of TCP SYN packets collected from July 1st 2016 to September 15th 2016 with the NICT/16 darknet sensor. In total, 1,840,973,403 packets were collected, sent from 17,928,006 unique hosts. In this study, we focus on frequently appearing combinations of “window sizes” in TCP headers. We successfully extracted a number of frequent patterns and association rules on window sizes, and we identified the source hosts that sent out SYN packets matching any of the extracted rules. In addition, we show that almost all such hosts sent SYN packets satisfying the three conditions known from the source code of Mirai. Such hosts started their scan activities on August 2nd 2016 and ended on September 4th 2016 (i.e., 3 days before the source code was made public).
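As an added example (not code from the paper), the per-host mining the abstract describes in miniature: each source host's set of observed TCP window sizes is treated as one transaction, Apriori-style frequent itemsets and association rules are derived from them, and the hosts whose SYN packets satisfy at least one rule are listed. The SYN log, host labels and window-size values are constructed, and the support and confidence thresholds are assumptions.

```python
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample SYN log as (src_host, tcp_window); hosts and values are hypothetical.
SYN_LOG = [("h1", 5840), ("h1", 14600), ("h1", 5840), ("h2", 5840), ("h2", 14600),
           ("h2", 65535), ("h3", 14600), ("h3", 5840), ("h4", 14600), ("h5", 65535),
           ("h6", 5840), ("h6", 14600), ("h7", 29200), ("h8", 5840)]

def window_sets(log):
    """One 'transaction' per source host: the set of window sizes seen in its SYNs."""
    per_host = defaultdict(set)
    for src, win in log:
        per_host[src].add(win)
    return per_host

def frequent_itemsets(txs, min_support):
    """Apriori over itemsets of window sizes; support = fraction of hosts containing the set."""
    n = len(txs)
    level = {frozenset([w]) for t in txs for w in t}  # 1-item candidates
    freq, k = {}, 1
    while level:
        counts = Counter(c for t in txs for c in level if c <= t)
        cur = {c: cnt / n for c, cnt in counts.items() if cnt / n >= min_support}
        freq.update(cur)
        k += 1
        # Size-k candidates whose every (k-1)-subset is frequent (Apriori pruning).
        level = {a | b for a in cur for b in cur if len(a | b) == k
                 and all(frozenset(s) in cur for s in combinations(a | b, k - 1))}
    return freq

def association_rules(freq, min_confidence):
    """Rules X -> Y for each frequent X∪Y with confidence = supp(X∪Y) / supp(X)."""
    rules = []
    for items, supp in freq.items():
        for r in range(1, len(items)):
            for ante in map(frozenset, combinations(items, r)):
                conf = supp / freq[ante]  # subsets of a frequent set are frequent
                if conf >= min_confidence:
                    rules.append((ante, items - ante, supp, conf))
    return rules

def hosts_matching(txs, rules):
    """Hosts whose window-size set contains both sides of at least one rule."""
    return sorted(h for h, t in txs.items() if any((x | y) <= t for x, y, _, _ in rules))

if __name__ == "__main__":
    txs = window_sets(SYN_LOG)
    rules = association_rules(frequent_itemsets(txs.values(), 0.3), 0.7)
    print(rules, hosts_matching(txs, rules))
```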

Keywords

cybersecurity
machine learning
association rule learning
darknet traffic analysis
IoT Malware
