Darknet as a Source of Cyber Intelligence: Survey, Taxonomy, and Characterization

Today, the Internet security community largely emphasizes cyberspace monitoring for the purpose of generating cyber intelligence. In this paper, we present a survey on darknet, an effective approach to observing Internet activities and cyber attacks via passive monitoring. We first define and characterize darknet and indicate its alternative names. We further list other trap-based monitoring systems and compare them to darknet. Moreover, in order to provide realistic measures and analysis of darknet information, we report case studies, namely, the Conficker worm in 2008 and 2009, the Sality SIP scan botnet in 2011, and the largest amplification attack in 2014. Finally, we provide a taxonomy in relation to darknet technologies and identify research gaps that are related to three main darknet categories: deployment, traffic analysis, and visualization. Darknet projects are found to monitor various cyber threat activities and are distributed in one third of the global Internet. We further identify that Honeyd is probably the most practical tool to implement darknet sensors, and that future deployment of darknet will include mobile-based VoIP technology. In addition, as far as darknet analysis is concerned, computer worms and scanning activities are found to be the most common threats that can be investigated through darknet; Code Red and Slammer/Sapphire are the most analyzed worms. Furthermore, our study uncovers various gaps in darknet research. For instance, less than 1% of the contributions tackled distributed reflection denial of service (DRDoS) amplification investigations, and at most 2% of research works pinpointed spoofing activities. Last but not least, our survey identifies specific darknet areas, such as IPv6 darknet, event monitoring, and game engine visualization methods, that require a significantly greater amount of attention from the research community.
