Abstract In this paper, we report an interesting observation of the darknet traffic before the source code of IoT malware Mirai was first opened on September 7th 2016. In our darknet analysis, the frequent pattern mining and the association rule learning were performed to a large set of TCP SYN packets collected from July 1st 2016 to September 15th 2016 with the NICT/16 darknet sensor. The number of collected packets is 1,840,973,403 packets in total which were sent from 17,928,006 unique hosts. In this study, we focus on the frequently appeared combinations of “window sizes” in TCP headers. We successfully extracted a certain number of frequent patters and association rules on window sizes, and we specified source hosts that sent out SYN packets matched with either of the extracted rules. In addition, we show that almost all such hosts sent SYN packets satisfying the three conditions known from the source code of Mirai. Such hosts started their scan activities from August 2nd 2016, and ended on September 4th 2016 (i.e., 3 days before the source code was opened).
[1]
Daisuke Inoue,et al.
The Carna Botnet Through the Lens of a Network Telescope
,
2013,
FPS.
[2]
Jian Pei,et al.
Mining Frequent Patterns without Candidate Generation: A Frequent-Pattern Tree Approach
,
2006,
Sixth IEEE International Conference on Data Mining - Workshops (ICDMW'06).
[3]
Christian Borgelt,et al.
Frequent item set mining
,
2012,
WIREs Data Mining Knowl. Discov..
[4]
Jian Pei,et al.
Mining frequent patterns without candidate generation
,
2000,
SIGMOD 2000.
[5]
Tomasz Imielinski,et al.
Mining association rules between sets of items in large databases
,
1993,
SIGMOD Conference.