Towards Early Detection of Novel Attack Patterns through the Lens of a Large-Scale Darknet

Darknet monitoring is a cost-effective way to observe global trends in Internet cyber-threats. To make full use of the darknet traffic at hand, this paper presents a study on the early detection of emerging novel attacks observed in the darknet. First, regularities in the communications of attacking hosts are explored by feeding all packets observed in the darknet to a frequent itemset mining engine, which automatically groups the most frequently occurring attack patterns. Second, a time series characterizing the activity level of each attack pattern is built over the observation period. Then, to extract the most prominent attack patterns, a clustering algorithm groups the attack patterns whose activities are similar over the long run, and dimension reduction is used to provide visual hints about their relationship. Finally, attack patterns that feature a recent rapid increase are picked out for further inspection by security experts for incident-handling purposes. Experiments show that the proposed scheme is effective and efficient, detecting new attack patterns earlier than conventional approaches.
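The following is an added worked example, not code from the paper, of the first, second and last steps of the pipeline the abstract describes: mining frequent itemsets over darknet packets, turning each maximal pattern into a per-day activity series, and flagging patterns whose recent activity has jumped relative to their baseline. The packet attributes (protocol, destination port, TCP flags, a coarse TTL bucket), the support threshold, the sample traffic and the "rapid increase" test are all assumptions chosen for illustration; the clustering and dimension-reduction steps of the paper are omitted.

```python
"""Toy darknet attack-pattern pipeline (added example; assumptions marked below)."""
from collections import Counter
from itertools import combinations


def _pkt(day, dport, flags="S", proto="tcp", ttl="win"):
    # A packet is reduced to a set of "field=value" items; the fields are an assumption.
    return day, frozenset({f"proto={proto}", f"dport={dport}", f"flags={flags}", f"ttl={ttl}"})


# Constructed sample traffic over a 7-day window (not real darknet data):
# steady telnet and SMB SYN scanning, a port-7547 scan that explodes on day 7,
# and one UDP one-off per day as background noise.
PACKETS = []
for _day in range(1, 8):
    PACKETS += [_pkt(_day, 23, ttl="unix")] * 6
    PACKETS += [_pkt(_day, 445)] * 4
    PACKETS += [_pkt(_day, 7547, ttl="unix")] * (1 if _day < 6 else 3 if _day == 6 else 18)
    PACKETS += [_pkt(_day, 1000 + _day, flags="-", proto="udp")]


def frequent_itemsets(transactions, min_support, max_len=4):
    """Apriori-style level-wise mining; returns {itemset: support count}."""
    item_counts = Counter(item for t in transactions for item in t)
    current = {frozenset([i]) for i, c in item_counts.items() if c >= min_support}
    result = {s: item_counts[next(iter(s))] for s in current}
    k = 1
    while current and k < max_len:
        # Candidate (k+1)-sets whose every k-subset is frequent (downward closure).
        candidates = {
            a | b for a in current for b in current
            if len(a | b) == k + 1
            and all(frozenset(sub) in current for sub in combinations(a | b, k))
        }
        counts = Counter(c for t in transactions for c in candidates if c <= t)
        current = {c for c, v in counts.items() if v >= min_support}
        result.update({c: counts[c] for c in current})
        k += 1
    return result


def maximal_itemsets(itemsets):
    """Drop itemsets strictly contained in another frequent itemset."""
    return {s: c for s, c in itemsets.items() if not any(s < o for o in itemsets)}


def activity_series(packets, pattern, days):
    """Per-day count of packets matching (containing) the pattern."""
    counts = Counter(day for day, items in packets if pattern <= items)
    return [counts[d] for d in days]


def is_rising(series, recent=1, baseline=4, ratio=3.0, min_count=10):
    """Assumed 'rapid increase' test: mean of the last `recent` buckets is at
    least `ratio` times the mean of the `baseline` buckets before them, and
    large enough in absolute terms to be worth an analyst's time."""
    if len(series) < recent + baseline:
        raise ValueError("series too short for the chosen windows")
    head = series[-(recent + baseline):-recent]
    tail = series[-recent:]
    base = max(sum(head) / len(head), 1.0)  # floor avoids dividing by a silent baseline
    cur = sum(tail) / len(tail)
    return cur >= min_count and cur / base >= ratio


def emerging_patterns(packets, min_support, days, **rise_kw):
    """Maximal frequent patterns whose activity series has just spiked."""
    days = list(days)
    patterns = maximal_itemsets(frequent_itemsets([items for _, items in packets], min_support))
    flagged = []
    for pattern in patterns:
        series = activity_series(packets, pattern, days)
        if is_rising(series, **rise_kw):
            flagged.append((pattern, series))
    return flagged


if __name__ == "__main__":
    for pattern, series in emerging_patterns(PACKETS, min_support=10, days=range(1, 8)):
        print(sorted(pattern), series)
```

Restricting the rise test to maximal itemsets matters: a spike in one port pattern also lifts every subset it contains (for example `proto=tcp, flags=S`), and reporting those would hand the analyst the same incident several times under vaguer names.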