Abstract
This paper proposes a host (corresponding to a source IP) behavior based traffic decomposition approach to identify groups of malicious events from massive historical darknet traffic. In our approach, we segmented and extracted traffic flows from captured darknet data, and categorized flows according to a set of rules that summarized from host behavior observations. Finally, significant events are appraised by three criteria: (a) the activities within each group should be highly alike; (b) the activities should have enough significance in terms of scan scale; and (c) the group should be large enough. We applied the approach on a selection of twelve months darknet traffic data for malicious events detection, and the performance of the proposed method has been evaluated.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Inferring Internet denial-of-service activity. ACM Trans. Comput. Syst. 24, 115–139 (2006)
Cooke, E., Jahanian, F., McPherson, D.: The zombie roundup: understanding, detecting, and disrupting botnets. Networks 7, 39–44 (2005)
Kumar, A., Paxson, V., Weaver, N.: Exploiting underlying structure for detailed reconstruction of an internet-scale event. In: Proceedings of the 5th ACM SIGCOMM Conference on Internet Measurement - IMC 2005, p. 1 (2005)
Harder, U., Johnson, M.W., Bradley, J.T., Knottenbelt, W.J.: Observing internet worm and virus attacks with a small network telescope. Electron. Notes Theoret. Comput. Sci. 151(3), 47–59 (2006)
Staniford, S., Moore, D., Paxson, V., Weaver, N.: The top speed of flash worms. In: WORM 2004 - Proceedings of the 2004 ACM Workshop on Rapid Malcode, pp. 33–42 (2004)
Li, Z., Shi, W., Shi, X., Zhong, Z.: A supervised manifold learning method. Comput. Sci. Inf. Syst. 6(2), 205–215 (2009)
Francois, J., Festor, O., et al.: Tracking global wide configuration errors. In: IEEE/IST Workshop on Monitoring, Attack Detection and Mitigation (2006)
Panjwani, S., Tan, S., Jarrin, K.M., Cukier, M.: An experimental evaluation to determine if port scans are precursors to an attack. In: Proceedings of the International Conference on Dependable Systems and Networks, pp. 602–611 (2005)
Limthong, K., Kensuke, F., Watanapongse, P.: Wavelet-based unwanted traffic time series analysis. In: Proceedings of the 2008 International Conference on Computer and Electrical Engineering, ICCEE 2008, pp. 445–449 (2008)
Ahmed, E., Clark, A., Mohay, G.: Effective change detection in large repositories of unsolicited traffic. In: Fourth International Conference on Internet Monitoring and Protection, ICIMP 2009, pp. 1–6. IEEE (2009)
Jung, J., Paxson, V., Berger, A.W., Balakrishnan, H.: Fast portscan detection using sequential hypothesis testing. In: Proceedings of the 2004 IEEE Symposium on Security and Privacy, pp. 211–225. IEEE (2004)
Giorgi, G., Narduzzi, C.: Detection of anomalous behaviors in networks from traffic measurements. IEEE Trans. Instrum. Measur. 12(57), 2782–2791 (2008)
Kanda, Y., Fukuda, K., Sugawara, T.: A flow analysis for mining traffic anomalies. In: 2010 IEEE International Conference on Communications (ICC), pp. 1–5. IEEE (2010)
Kim, M.-S., Kong, H.-J., Hong, S.-C., Chung, S.-H., Hong, J.: A flow-based method for abnormal network traffic detection. In: 2004 IEEE/IFIP Network Operations and Management Symposium (IEEE Cat. No.04CH37507), vol. 1 (2004)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Zhang, R., Zhu, L., Li, X., Pang, S., Sarrafzadeh, A., Komosny, D. (2015). Behavior Based Darknet Traffic Decomposition for Malicious Events Identification. In: Arik, S., Huang, T., Lai, W., Liu, Q. (eds) Neural Information Processing. ICONIP 2015. Lecture Notes in Computer Science(), vol 9491. Springer, Cham. https://doi.org/10.1007/978-3-319-26555-1_29
Download citation
DOI: https://doi.org/10.1007/978-3-319-26555-1_29
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-26554-4
Online ISBN: 978-3-319-26555-1
eBook Packages: Computer ScienceComputer Science (R0)