A Classification Method of Darknet Traffic for Advanced Security Monitoring and Response
Most organizations and CERTs deploy and operate Intrusion Detection Systems (IDSs) to provide their security monitoring and response service. Although IDSs help defend information assets and critical systems, they have a serious drawback: they detect only known attacks, i.e. traffic that matches predefined signatures. In our previous work, we proposed a security monitoring and response framework based not only on IDS alerts but also on darknet traffic. That framework regards every incoming darknet packet that the IDS did not detect as an unknown attack. Further analysis showed, however, that not all darknet traffic is related to real attacks. In this paper, we propose an advanced classification method for darknet packets that identifies whether or not they were caused by real attacks. With the proposed method, the security analyst can ignore the darknet packets that are unrelated to real attacks. Experimental results show that the method removed 23.45% of the darknet packets as unsuspicious.
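The abstract does not spell out the classification rules, so the following is an added illustrative example of the framework's two steps, written for this page and not the paper's own method or code: darknet packets are first split into those whose sender already raised an IDS alert (known attacks) and those the IDS missed, and the missed ones are then filtered with one widely used darknet heuristic, unsolicited TCP reply packets (SYN-ACK, RST) from a host that never sent us a SYN are backscatter from spoofed traffic rather than an attack on us. The heuristic, the address ranges, the signature name and the packet records are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class DarknetPacket:
    src: str
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    flags: str = ""   # TCP flags as letters, e.g. "S", "SA", "R", "RA"; "" for UDP


@dataclass(frozen=True)
class IdsAlert:
    src: str
    signature: str


# Reply-type TCP flag sets. Arriving unsolicited at a darknet address they are
# backscatter: some host answering packets whose spoofed source fell in our range.
# (Assumed heuristic for this example, not the paper's classification rule.)
BACKSCATTER_FLAGS = {"SA", "R", "RA"}


def classify_darknet(packets, alerts):
    """Label each packet (same order as the input) as one of:
    'known'       the sender already raised an IDS alert, so it is a known attack;
    'backscatter' an unsolicited TCP reply from a sender that never sent us a SYN;
    'unknown'     everything else, kept for the analyst as a candidate unknown attack.
    A source that sent its own SYN and later a RST stays 'unknown': the RST is
    the tail of its own probe, not backscatter.
    """
    alerted = {a.src for a in alerts}
    syn_senders = {p.src for p in packets if p.proto == "tcp" and p.flags == "S"}
    labels = []
    for p in packets:
        if p.src in alerted:
            labels.append("known")
        elif p.proto == "tcp" and p.flags in BACKSCATTER_FLAGS and p.src not in syn_senders:
            labels.append("backscatter")
        else:
            labels.append("unknown")
    return labels


def summarize(labels):
    """Count labels and report the share of IDS-undetected darknet packets
    that the heuristic removes from the analyst's queue."""
    counts = Counter(labels)
    undetected = counts["backscatter"] + counts["unknown"]
    removed = counts["backscatter"] / undetected if undetected else 0.0
    return dict(counts), removed


# Constructed sample using documentation address ranges; not a real capture.
DARKNET = ["192.0.2.%d" % i for i in range(10, 16)]   # assumed unused darknet block
SAMPLE_PACKETS = (
    # 203.0.113.7: SSH sweep across the darknet, then a RST of its own; no IDS alert.
    [DarknetPacket("203.0.113.7", d, 22, "tcp", "S") for d in DARKNET[:5]]
    + [DarknetPacket("203.0.113.7", DARKNET[0], 22, "tcp", "R")]
    # 198.51.100.9: SMB probes; the IDS already matched a signature for this host.
    + [DarknetPacket("198.51.100.9", d, 445, "tcp", "S") for d in DARKNET[:2]]
    # 198.51.100.200: a web server answering SYNs that were spoofed with our addresses.
    + [DarknetPacket("198.51.100.200", d, 40000 + i, "tcp", "SA") for i, d in enumerate(DARKNET[:3])]
    # A lone UDP packet to port 53 with no further context: kept for the analyst.
    + [DarknetPacket("203.0.113.53", DARKNET[1], 53, "udp")]
)
SAMPLE_ALERTS = [IdsAlert("198.51.100.9", "SMB-EXPLOIT-ATTEMPT (constructed signature name)")]


def run_example():
    return summarize(classify_darknet(SAMPLE_PACKETS, SAMPLE_ALERTS))


if __name__ == "__main__":
    counts, removed = run_example()
    print(counts, "removed %.1f%% of undetected darknet packets" % (100 * removed))
```

On the constructed sample the two SMB probes are handed back to the IDS workflow as known, the three SYN-ACKs are dropped as backscatter, and the scanner's six packets plus the UDP packet remain as candidate unknown attacks, so 30% of the IDS-undetected darknet packets leave the analyst's queue. The paper's reported 23.45% comes from its own rules and data, not from this heuristic.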
Keywords: Security Monitoring and Response; IDS alerts; Darknet; Classification Method