Identifying Internet background radiation traffic based on traffic source distribution

IBR (Internet Background Radiation) traffic identification is significant for malicious behavior detection. This paper presents a novel IBR traffic identification method, since traditional methods depend on demanding conditions such as full bidirectional traffic or unassigned IP address space. We first explored the traffic source distribution of each destination IP on a traffic dataset and found that the traffic sources of active IPs are relatively certain, whereas those of inactive IPs are relatively uncertain. Second, based on these exploration results, we present a method to identify IBR traffic. It uses the presented metric to evaluate the certainty of a destination IP's traffic sources in order to identify inactive IPs. It then detects IBR traffic according to heuristics built from malicious traffic behavior patterns. We carried out several experiments to evaluate our method on real traffic datasets; the results show that it achieves 99% precision and a 0.1% omission rate in detecting IPv4 IBR traffic. The detected IBR traffic includes traffic sent to assigned IPs as well as to unassigned IPs, which is more valuable and practical for detecting malicious traffic in real networks.
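The two-stage idea in the abstract (score each destination IP by how predictable its traffic sources are, treat low-scoring IPs as inactive, then apply a behavior heuristic to label IBR) is illustrated below with an added example that is not the paper's own code or metric. The certainty metric used here (fraction of a destination's latest-window sources that already contacted it in an earlier window), the scanning heuristic, the windowed flow records and all IP addresses are assumptions constructed for the illustration.

```python
from collections import defaultdict

# Constructed unidirectional flow records (window, src_ip, dst_ip).
# Assumption (not from the paper): 10.0.0.5 is a live server with a stable
# client base, while 10.0.0.200 and 10.0.0.201 are inactive addresses that
# only receive probes from ever-changing sources.
FLOWS = [(w, f"198.51.100.{c}", "10.0.0.5") for w in (1, 2) for c in (1, 2, 3)]
FLOWS += [(1, f"203.0.113.{i}", "10.0.0.200") for i in range(1, 6)]
FLOWS += [(2, f"203.0.113.{i}", "10.0.0.200") for i in range(6, 11)]
FLOWS += [(2, f"203.0.113.{i}", "10.0.0.201") for i in range(6, 11)]


def source_certainty(flows):
    """Assumed metric: for each destination IP, the fraction of sources seen in
    the latest window that had already contacted it in an earlier window.
    Live hosts have recurring sources (value near 1); dark IPs see new sources
    every window (value near 0). Caveat: a host first seen in the latest
    window scores 0 as well, so a longer history is needed before trusting it."""
    seen = defaultdict(lambda: defaultdict(set))  # dst -> window -> {src}
    for w, src, dst in flows:
        seen[dst][w].add(src)
    certainty = {}
    for dst, windows in seen.items():
        latest = max(windows)
        earlier = set().union(*(s for w, s in windows.items() if w < latest))
        certainty[dst] = len(windows[latest] & earlier) / len(windows[latest])
    return certainty


def inactive_ips(flows, threshold=0.5):
    """Destinations whose sources are too unpredictable to look like a live host."""
    return {dst for dst, c in source_certainty(flows).items() if c < threshold}


def ibr_sources(flows, min_inactive_targets=2):
    """Assumed behavior heuristic: a source that reaches several inactive IPs is
    treated as background radiation (scanning/backscatter) and all its flows
    are labelled IBR, whether the targets are assigned or unassigned addresses."""
    inactive = inactive_ips(flows)
    hits = defaultdict(set)
    for _, src, dst in flows:
        if dst in inactive:
            hits[src].add(dst)
    return {src for src, dsts in hits.items() if len(dsts) >= min_inactive_targets}


if __name__ == "__main__":
    print(sorted(ibr_sources(FLOWS)))
```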
