Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis

This paper proposes a host-behavior-based darknet traffic decomposition approach to identifying groups of malicious events in massive historical darknet traffic. In this approach, we segment traffic flows from captured darknet data, distinguish scan flows from non-scan flows, and categorize scans according to their scan width spread. Event groups are then formed by applying the criterion that malicious events generated by the same attacker or the same malicious software should have a similar average packet delay (AvgDly). We have applied the proposed approach to 12 months of darknet traffic data for malicious event grouping. As a result, several large-scale event groups were discovered from host behavior in the port scan, IP scan and hybrid scan categories.
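As an added illustration (not the paper's own code), the following Python sketch walks through the pipeline the abstract describes on constructed darknet flows: each source's scan width spread decides whether it is a port scan, an IP scan or a hybrid scan, its AvgDly is computed from inter-packet gaps, and scans of one category with similar AvgDly are placed in one event group. The flow record layout, the width threshold, the AvgDly tolerance and the sample flows are assumptions made for the example, not values from the paper.

```python
from collections import defaultdict
from statistics import mean

MIN_WIDTH = 3     # assumed: a source must touch at least this many hosts or ports to count as a scan
AVGDLY_TOL = 0.25 # assumed: scans whose AvgDly differ by at most this many seconds fall in one group

def make_flows(src, dsts, ports, start, step):
    """Constructed flow records (src, dst, dport, timestamp), one packet every `step` seconds."""
    pairs = [(d, p) for d in dsts for p in ports]
    return [(src, d, p, start + i * step) for i, (d, p) in enumerate(pairs)]

# Constructed sample of segmented darknet flows (not real capture data).
FLOWS = (
    make_flows("198.51.100.7", ["192.0.2.10"], [21, 22, 23, 25], 0.0, 0.5)                      # port scan
    + make_flows("198.51.100.8", [f"192.0.2.{i}" for i in range(1, 5)], [445], 0.0, 2.0)        # IP scan
    + make_flows("198.51.100.9", [f"192.0.2.{i}" for i in range(5, 9)], [445], 10.0, 2.0)       # IP scan, same AvgDly
    + make_flows("198.51.100.10", [f"192.0.2.{i}" for i in range(1, 4)], [22, 23, 24], 0.0, 1.0)  # hybrid scan
    + make_flows("198.51.100.11", ["192.0.2.9"], [80], 0.0, 9.0)                                # one packet: not a scan
)

def classify_sources(flows, min_width=MIN_WIDTH):
    """Per source: scan category by width spread ('port', 'ip', 'hybrid' or None) and AvgDly."""
    by_src = defaultdict(list)
    for src, dst, port, ts in flows:
        by_src[src].append((dst, port, ts))
    out = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[2])
        wide_ip = len({r[0] for r in recs}) >= min_width    # many distinct destination hosts
        wide_port = len({r[1] for r in recs}) >= min_width  # many distinct destination ports
        if wide_ip and wide_port:
            cat = "hybrid"
        else:
            cat = "ip" if wide_ip else ("port" if wide_port else None)  # None: too narrow to be a scan
        gaps = [b[2] - a[2] for a, b in zip(recs, recs[1:])]  # inter-packet delays in seconds
        out[src] = (cat, mean(gaps) if gaps else 0.0)
    return out

def group_events(classified, tol=AVGDLY_TOL):
    """Join scanning sources of one category whose AvgDly lies within tol of a group's first member."""
    scans = sorted(((s, c, d) for s, (c, d) in classified.items() if c), key=lambda t: t[2])
    groups = []
    for src, cat, avgdly in scans:
        for g in groups:
            if g["cat"] == cat and abs(g["avgdly"] - avgdly) <= tol:
                g["sources"].append(src)
                break
        else:
            groups.append({"cat": cat, "avgdly": avgdly, "sources": [src]})
    return groups
```

On the constructed flows the two IP scanners share an AvgDly of 2.0 s and land in one group, while the port scanner, the hybrid scanner and the single-packet source stay apart.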
