The Deployment of a Darknet on an Organization-Wide Network: An Empirical Analysis

Darknet sensors have the interesting property of collecting only suspicious traffic, including misconfiguration, backscatter and malicious traffic. The type of traffic collected depends strongly on two parameters: the size and the location of the darknet sensor. The goals of this paper are to study empirically the relationship between these two parameters and to try to increase the volume of attackers detected by a given darknet sensor. Our empirical results reveal that on average, on a daily basis, 485 distinct external source IP addresses perform a TCP scan on one of the two /16 networks of our organization's network. Moreover, a given darknet sensor of 77 IP addresses deployed in the same /16 network collects on average attack traffic from 26% of these attackers.
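The coverage figure quoted above (the share of the /16's scanners that a small darknet block also observes) is straightforward to reproduce from inbound SYN records. The script below is an added illustration, not code from the paper: it counts, per day, the external sources that scan the organization's address space and the fraction of them that also touched the sensor block. The record format, the organization prefixes (10.1.0.0/16 and 10.2.0.0/16), the 77-address sensor placement, the "at least three distinct destinations" scan threshold, and the sample records are all constructed for this example; the paper's own scan definition and addresses are not on the page.

```python
"""Darknet-sensor coverage of TCP scanners, computed from inbound SYN records.

Added example, not the paper's code. Everything below that looks like a
measurement setting (prefixes, sensor block, threshold, sample records) is an
assumption constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample records: "<timestamp> <src> <dst> <dst_port>" for
# inbound TCP SYNs seen at the organization's border on two days.
SAMPLE_SYNS = """\
2008-03-01T00:01:02 198.51.100.7 10.1.3.4 445
2008-03-01T00:01:03 198.51.100.7 10.1.3.5 445
2008-03-01T00:01:04 198.51.100.7 10.1.200.10 445
2008-03-01T02:10:00 203.0.113.9 10.2.1.1 22
2008-03-01T02:10:01 203.0.113.9 10.2.1.2 22
2008-03-01T02:10:02 203.0.113.9 10.2.1.3 22
2008-03-01T05:00:00 192.0.2.5 10.1.200.5 135
2008-03-01T06:00:00 10.1.5.5 10.1.200.3 80
2008-03-02T01:00:00 198.51.100.7 10.1.9.1 445
2008-03-02T01:00:01 198.51.100.7 10.1.9.2 445
2008-03-02T01:00:02 198.51.100.7 10.1.9.3 445
2008-03-02T03:00:00 198.51.100.20 10.1.200.20 139
2008-03-02T03:00:01 198.51.100.20 10.1.200.21 139
2008-03-02T03:00:02 198.51.100.20 10.1.200.22 139
2008-03-02T04:00:00 203.0.113.40 10.2.7.1 3389
2008-03-02T04:00:01 203.0.113.40 10.2.7.2 3389
2008-03-02T04:00:02 203.0.113.40 10.2.7.3 3389
"""

# Assumed organization address space: two /16 networks.
ORG_NETS = [ip_network("10.1.0.0/16"), ip_network("10.2.0.0/16")]
# Assumed 77-address darknet sensor block inside the first /16.
SENSOR = {ip_address("10.1.200.0") + i for i in range(1, 78)}
# Assumed scan definition: a source is a scanner on a given day once it has
# sent SYNs to at least this many distinct destinations in the organization.
SCAN_THRESHOLD = 3


def parse(text):
    """Yield (day, src, dst, dport) tuples from the constructed record format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield ts[:10], ip_address(src), ip_address(dst), int(dport)


def in_org(addr):
    return any(addr in net for net in ORG_NETS)


def daily_coverage(text, threshold=SCAN_THRESHOLD):
    """Return {day: (scanners, scanners_seen_by_sensor, coverage_fraction)}.

    Only external sources aimed at organization addresses are considered;
    internal hosts and traffic leaving the organization are ignored.
    """
    targets = defaultdict(lambda: defaultdict(set))  # day -> src -> {dst}
    hit_sensor = defaultdict(set)                    # day -> {src}
    for day, src, dst, _dport in parse(text):
        if in_org(src) or not in_org(dst):
            continue
        targets[day][src].add(dst)
        if dst in SENSOR:
            hit_sensor[day].add(src)

    result = {}
    for day, per_src in targets.items():
        scanners = {s for s, dsts in per_src.items() if len(dsts) >= threshold}
        seen = scanners & hit_sensor[day]
        coverage = len(seen) / len(scanners) if scanners else 0.0
        result[day] = (len(scanners), len(seen), coverage)
    return result


if __name__ == "__main__":
    for day, (n_scan, n_seen, cov) in sorted(daily_coverage(SAMPLE_SYNS).items()):
        print(f"{day}: {n_scan} scanners, {n_seen} seen by sensor, coverage {cov:.0%}")
```

Note that a source which only touches the sensor block with a single packet (192.0.2.5 on the first day) is not counted as a scanner under the assumed threshold, so it neither inflates the scanner population nor the sensor's coverage; lowering the threshold changes both numbers, which is exactly the sensitivity to the scan definition that a coverage figure like "26% of attackers" has to be read against.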
