A Classification Method of Darknet Traffic for Advanced Security Monitoring and Response

  • Sangjun Ko
  • Kyuil Kim
  • Younsu Lee
  • Jungsuk Song
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8836)

Abstract

Most organizations and CERTs deploy Intrusion Detection Systems (IDSs) to carry out security monitoring and response. Although IDSs contribute to defending information assets and critical systems, they have a fundamental drawback: they detect only known attacks that match predefined signatures. In our previous work, we proposed a security monitoring and response framework based not only on IDS alerts but also on darknet traffic. That framework regards every incoming darknet packet that the IDS did not detect as an unknown attack. Further analysis showed, however, that not all darknet traffic is related to real attacks. In this paper, we propose an advanced classification method for darknet packets that identifies whether or not they were caused by real attacks, so that the security analyst can ignore the darknet packets that were not. The experimental results show that the method identified and removed 23.45% of the darknet packets as unsuspicious.
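The two-stage idea in the abstract (darknet packets not covered by any IDS alert are unknown-attack candidates; a second pass then discards candidates that cannot be real attacks) can be made concrete. The following is an added example, not code from the paper and not the authors' classification method, whose details the abstract does not give. The filter it applies is an assumed one: on a darknet, where no host ever initiates a connection, a TCP segment carrying ACK or RST, or an ICMP reply, cannot be a response to anything the monitored network sent and is therefore backscatter from spoofed-source traffic aimed elsewhere, not an attack on the darknet. The addresses, timestamps, the 60-second correlation window and the alert records are constructed sample data.

```python
from collections import namedtuple

# Constructed record types. tcp_flags is a string such as "S", "SA", "R";
# icmp_type is a string such as "echo-request" (None for non-ICMP).
Packet = namedtuple("Packet", "ts src dst proto dport tcp_flags icmp_type",
                    defaults=("", None))
Alert = namedtuple("Alert", "ts src dst sig")

# Constructed darknet capture: 203.0.113.0/24 (TEST-NET-3) has no live hosts.
DARKNET_PACKETS = [
    Packet(100, "198.51.100.7",  "203.0.113.10", "tcp", 445, "S"),         # SYN scan
    Packet(101, "198.51.100.7",  "203.0.113.11", "tcp", 445, "S"),
    Packet(102, "192.0.2.55",    "203.0.113.20", "tcp", 80, "SA"),         # backscatter
    Packet(103, "192.0.2.55",    "203.0.113.21", "tcp", 80, "R"),          # backscatter
    Packet(104, "198.51.100.99", "203.0.113.30", "udp", 1434),             # UDP probe
    Packet(105, "192.0.2.9",     "203.0.113.31", "icmp", 0, "", "echo-reply"),
    Packet(106, "198.51.100.42", "203.0.113.32", "icmp", 0, "", "echo-request"),
    Packet(107, "198.51.100.42", "203.0.113.33", "tcp", 22, "S"),
    Packet(108, "192.0.2.77",    "203.0.113.40", "tcp", 23, "S"),
    Packet(500, "198.51.100.7",  "203.0.113.50", "tcp", 3389, "S"),        # same scanner, later
]

# Constructed IDS alerts raised on the production network (10.0.0.0/8 here).
IDS_ALERTS = [
    Alert(90,  "198.51.100.7",  "10.0.0.5", "SMB scan"),
    Alert(300, "198.51.100.99", "10.0.0.9", "MSSQL probe"),
]


def split_by_ids(packets, alerts, window=60):
    """Stage 1 (the framework rule from the abstract): a darknet packet is
    'known' if the IDS alerted on the same source within `window` seconds;
    everything else is an unknown-attack candidate."""
    known, unknown = [], []
    for p in packets:
        covered = any(a.src == p.src and abs(a.ts - p.ts) <= window for a in alerts)
        (known if covered else unknown).append(p)
    return known, unknown


def is_backscatter(pkt):
    """Assumed filter rule (not the paper's): on unused address space nothing
    ever opened a connection or sent a request, so a reply-type packet is a
    response to a spoofed packet elsewhere, not an attack on us."""
    if pkt.proto == "tcp":
        return "A" in pkt.tcp_flags or "R" in pkt.tcp_flags
    if pkt.proto == "icmp":
        return pkt.icmp_type in ("echo-reply", "dest-unreachable", "time-exceeded")
    return False


def classify(packets, alerts, window=60):
    """Run both stages and report how much of the darknet traffic the
    analyst no longer needs to look at."""
    known, unknown = split_by_ids(packets, alerts, window)
    unsuspicious = [p for p in unknown if is_backscatter(p)]
    suspicious = [p for p in unknown if not is_backscatter(p)]
    removed_pct = round(100.0 * len(unsuspicious) / len(packets), 2) if packets else 0.0
    return {
        "known": known,              # already visible as IDS alerts
        "suspicious": suspicious,    # unknown-attack candidates worth analyst time
        "unsuspicious": unsuspicious,  # backscatter, safe to drop from the queue
        "removed_pct": removed_pct,
    }


if __name__ == "__main__":
    result = classify(DARKNET_PACKETS, IDS_ALERTS)
    for label in ("known", "suspicious", "unsuspicious"):
        print(label, [(p.ts, p.src, p.proto, p.dport, p.tcp_flags or p.icmp_type)
                      for p in result[label]])
    print("removed", result["removed_pct"], "% of darknet packets")
```

Note that the scanner 198.51.100.7 is "known" only for the two packets inside the correlation window; its later packet at ts 500 falls back into the unknown set, which is the conservative behaviour a monitoring pipeline wants. The backscatter rule is deliberately narrow: pure SYNs, UDP payloads and ICMP echo requests all remain suspicious, since those are exactly what scans and worm propagation look like on a darknet.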

Keywords

Security Monitoring and Response · IDS alerts · Darknet · Classification Method

References

  1. Denning, D.E.: An intrusion detection model. IEEE Transactions on Software Engineering SE-13, 222–232 (1987)
  2. Julisch, K.: Clustering intrusion detection alarms to support root cause analysis. ACM Transactions on Information and System Security 6(4), 443–471 (2003)
  3. Manganaris, S., Christensen, M., Zerkle, D., Hermiz, K.: A data mining analysis of RTID alarms. Computer Networks 34(4), 571–577 (2000)
  4. Humphrey, W.N., Luo, J.: Using alert cluster to reduce IDS alerts. In: ICCIT 2010, pp. 467–471. IEEE (2010)
  5. Choi, S.S., Kim, S.H., Park, H.S.: An advanced security monitoring and response framework using darknet traffic. In: 2012 International Workshop on Information & Security, pp. 9–10 (2012)
  6. Choi, S.S., Song, J.S., Park, H.S., Choi, J.K.: An advanced incident response framework based on suspicious traffic. The Journal of Future Game Technology 2(2), 171–176 (2012)
  7. Choi, S.S., Kim, S.H., Park, H.S.: A fusion framework of IDS alerts and darknet traffic for effective incident monitoring and response. Applied Mathematics & Information Sciences (2013)
  8. Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Network telescopes. Technical report, CAIDA (April 2004)
  9. Bailey, M., Cooke, E., Jahanian, F., Myrick, A., Sinha, S.: Practical darknet measurement. In: 2006 40th Annual Conference on Information Sciences and Systems, pp. 1496–1501. IEEE (2007)
  10. Nakao, K., Inoue, D., Eto, M., Yoshioka, K.: Practical correlation analysis between scan and malware profiles against zero-day attacks based on darknet monitoring. IEICE Transactions on Information and Systems 92(5), 787–798 (2009)
  11. Eto, M., Inoue, D., Song, J., Junji, N., Kazuhiro, O., Nakao, K.: Nicter: A large-scale network incident analysis system. In: Workshop on Development of Large Scale Security-Related Data Collection and Analysis Initiatives (BADGERS 2011), pp. 37–45. ACM, Salzburg (2011)

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  • Sangjun Ko (1, 2)
  • Kyuil Kim (1)
  • Younsu Lee (1)
  • Jungsuk Song (1, 2)
  1. Korea Institute of Science and Technology Information, Daejeon, Korea
  2. Korea University of Science and Technology, Daejeon, Korea