Investigating the dark cyberspace: Profiling, threat-based analysis and correlation

An effective way to gather cyber threat intelligence is to collect and analyze traffic destined to unused Internet address space, known as darknets: because no legitimate service lives there, every packet that arrives is unsolicited and therefore a signal of scanning, misconfiguration, backscatter or attack. In this paper we elaborate on that capability by profiling darknet data. Such profiling yields indicators of cyber threat activity and an in-depth understanding of the nature of the traffic. In particular, we analyze the distribution of darknet packets, the transport-, network- and application-layer protocols they use, and the domain names they resolve. We further identify the IP address classes and destination ports they target and geo-locate their source countries. We then investigate the threats that darknet traffic reveals, with the aim of enumerating the threats embedded in it and categorizing their severity. Finally, we explore the inter-correlation of those threats by applying association rule mining to build threat association rules; specifically, we generate clusters of threats that co-occur against the same victim address. This analysis shows that specific darknet threats are correlated, provides insight into threat patterns, and allows the interpretation of threat scenarios.
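The last step of the abstract, mining per-victim threat co-occurrence into association rules, is concrete enough to show in code. The block below is an added illustration, not code from the paper or its authors: it treats each darknet address as one transaction whose items are the distinct threat labels a sensor assigned to traffic hitting it, grows frequent threat clusters with the Apriori level-wise search, and derives rules with support, confidence and lift. The alert records, threat labels and addresses are constructed for the example; the threshold values are assumptions.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import combinations

# Constructed sample of darknet-sensor alerts (not real data). Each tuple is
# (darknet address that was hit, threat label assigned by the sensor).
SAMPLE_ALERTS = [
    ("192.0.2.10", "smb_probe"), ("192.0.2.10", "ssh_bruteforce"),
    ("192.0.2.11", "smb_probe"), ("192.0.2.11", "ssh_bruteforce"), ("192.0.2.11", "sip_scan"),
    ("192.0.2.12", "smb_probe"), ("192.0.2.12", "ssh_bruteforce"),
    ("192.0.2.13", "sip_scan"), ("192.0.2.13", "dns_backscatter"),
    ("192.0.2.14", "smb_probe"), ("192.0.2.14", "sip_scan"),
    ("192.0.2.15", "smb_probe"), ("192.0.2.15", "ssh_bruteforce"), ("192.0.2.15", "dns_backscatter"),
    # Repeated alert: a victim is one transaction however often a threat hits it.
    ("192.0.2.15", "smb_probe"),
]


def build_transactions(alerts):
    """One transaction per victim address: the set of distinct threats that targeted it."""
    per_victim = defaultdict(set)
    for victim, threat in alerts:
        per_victim[victim].add(threat)
    return [frozenset(threats) for threats in per_victim.values()]


def _support_filter(transactions, candidates, min_support):
    """Return {itemset: support} for candidates whose support >= min_support."""
    n = len(transactions)
    kept = {}
    for cand in candidates:
        count = sum(1 for t in transactions if cand <= t)
        support = Fraction(count, n)
        if support >= min_support:
            kept[cand] = support
    return kept


def frequent_itemsets(transactions, min_support):
    """Apriori search for threat clusters that co-occur on at least min_support of victims."""
    singles = {frozenset([item]) for t in transactions for item in t}
    level = _support_filter(transactions, singles, min_support)
    frequent = {}
    k = 1
    while level:
        frequent.update(level)
        k += 1
        # Join frequent k-itemsets into (k+1)-itemset candidates ...
        keys = list(level)
        candidates = {a | b for a, b in combinations(keys, 2) if len(a | b) == k}
        # ... and prune any candidate with an infrequent k-subset (downward closure).
        candidates = {
            c for c in candidates
            if all(frozenset(sub) in level for sub in combinations(c, k - 1))
        }
        level = _support_filter(transactions, candidates, min_support)
    return frequent


def association_rules(frequent, min_confidence):
    """Split each frequent cluster into antecedent -> consequent rules above min_confidence.

    Every subset of a frequent itemset is itself frequent, so frequent[ante] and
    frequent[cons] are always present. Lift < 1 flags a rule that passes the
    confidence bar only because the consequent is common on its own.
    """
    rules = []
    for itemset, supp in frequent.items():
        if len(itemset) < 2:
            continue
        for r in range(1, len(itemset)):
            for ante in combinations(sorted(itemset), r):
                ante = frozenset(ante)
                cons = itemset - ante
                confidence = supp / frequent[ante]
                if confidence >= min_confidence:
                    lift = confidence / frequent[cons]
                    rules.append((ante, cons, supp, confidence, lift))
    return rules


if __name__ == "__main__":
    tx = build_transactions(SAMPLE_ALERTS)
    clusters = frequent_itemsets(tx, Fraction(3, 10))   # assumed thresholds
    for ante, cons, supp, conf, lift in association_rules(clusters, Fraction(3, 5)):
        print(f"{set(ante)} -> {set(cons)}  support={supp} confidence={conf} lift={lift}")
```

On the constructed data the rule `sip_scan -> smb_probe` clears the confidence threshold (2/3) but has lift 4/5: SIP-scanned addresses are less likely than average to also receive SMB probes, so confidence alone would overstate the correlation. Reporting lift (or another interestingness measure) beside support and confidence is the check a practitioner would want before reading a rule as a threat scenario.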