Behavior Based Darknet Traffic Decomposition for Malicious Events Identification

This paper proposes a host-behavior-based traffic decomposition approach (a host corresponds to a source IP) to identify groups of malicious events in massive historical darknet traffic. In our approach, we segment and extract traffic flows from captured darknet data and categorize the flows according to a set of rules summarized from observations of host behavior. Finally, significant events are appraised by three criteria: (a) the activities within each group should be highly alike; (b) the activities should be significant in terms of scan scale; and (c) the group should be large enough. We applied the approach to a selection of twelve months of darknet traffic for malicious event detection and evaluated the performance of the proposed method.
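As an added illustration (not code from the paper), the three appraisal criteria applied to constructed darknet flow records: each source host is summarized by the targets and ports it probes, categorized by an assumed rule set, and only groups whose members are alike, scan at sufficient scale, and are numerous enough survive. The behavior labels, the thresholds and the sample flows are assumptions.

```python
from collections import defaultdict

# Constructed sample of darknet flow records as (src_ip, dst_ip, dst_port);
# illustrative values only, not data from the paper.
FLOWS = (
    [("10.0.0.1", f"192.0.2.{i}", 445) for i in range(1, 41)]    # host A: port 445 sweep, 40 targets
    + [("10.0.0.2", f"192.0.2.{i}", 445) for i in range(1, 36)]  # host B: same sweep, 35 targets
    + [("10.0.0.3", f"192.0.2.{i}", 22) for i in range(1, 38)]   # host C: port 22 sweep, 37 targets
    + [("10.0.0.4", "192.0.2.7", p) for p in range(1, 31)]       # host D: 30 ports on one target
    + [("10.0.0.5", "192.0.2.9", 80)] * 2                        # host E: two stray packets
)

def host_behaviour(flows):
    """Per source host: the set of targets and the set of destination ports probed."""
    targets, ports = defaultdict(set), defaultdict(set)
    for src, dst, port in flows:
        targets[src].add(dst)
        ports[src].add(port)
    return {h: (targets[h], ports[h]) for h in targets}

def categorise(targets, ports):
    """Assumed rule set (not the paper's): returns a group key and a scan-scale value.
    Horizontal sweeps are grouped by the probed port, vertical scans by the target."""
    if len(targets) >= 10 and len(ports) == 1:
        return ("horizontal", next(iter(ports))), len(targets)
    if len(ports) >= 10 and len(targets) == 1:
        return ("vertical", next(iter(targets))), len(ports)
    return None, 0  # too little activity to call a scan

def significant_groups(flows, min_scale=30, min_group=2, min_similarity=0.8):
    """Group hosts by behaviour and keep only groups that meet all three criteria."""
    groups = defaultdict(dict)  # group key -> {host: scan scale}
    for host, (targets, ports) in host_behaviour(flows).items():
        key, scale = categorise(targets, ports)
        if key is not None:
            groups[key][host] = scale
    kept = {}
    for key, members in groups.items():
        scales = members.values()
        alike = min(scales) / max(scales) >= min_similarity      # (a) activities highly alike
        big_enough = min(scales) >= min_scale                    # (b) significant scan scale
        if alike and big_enough and len(members) >= min_group:  # (c) group large enough
            kept[key] = sorted(members)
    return kept

if __name__ == "__main__":
    print(significant_groups(FLOWS))
```

With the sample data only the two hosts sweeping port 445 form a significant group; the lone port 22 sweep and the lone vertical scan fail criterion (c).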
