Skip to main content
SpringerLink
Log in

DANTE: A Framework for Mining and Monitoring Darknet Traffic

  • Conference paper
  • First Online:
Computer Security – ESORICS 2020 (ESORICS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12308))

Included in the following conference series:

Abstract

Trillions of network packets are sent over the Internet to destinations which do not exist. This ‘darknet’ traffic captures the activity of botnets and other malicious campaigns aiming to discover and compromise devices around the world. In this paper, we present DANTE: a framework and algorithm for mining darknet traffic. DANTE learns the meaning of targeted network ports by applying Word2Vec to observed port sequences. To detect recurring behaviors and new emerging threats, DANTE uses a novel and incremental time-series cluster tracking algorithm on the observed sequences. To evaluate the system, we ran DANTE on a full year of darknet traffic (over three Tera-Bytes) collected by the largest telecommunications provider in Europe, Deutsche Telekom and analyzed the results. DANTE discovered 1,177 new emerging threats and was able to track malicious campaigns over time.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Bailey, M., Cooke, E., Jahanian, F., Myrick, A., Sinha, S.: Practical darknet measurement. In: 2006 40th Annual Conference on Information Sciences and Systems, pp. 1496–1501. IEEE (2006)

    Google Scholar 

  2. Bailey, M., Cooke, E., Jahanian, F., Nazario, J., Watson, D., et al.: The Internet motion sensor-a distributed blackhole monitoring system. In: NDSS (2005)

    Google Scholar 

  3. Ban, T., Eto, M., Guo, S., Inoue, D., Nakao, K., Huang, R.: A study on association rule mining of darknet big data. In: 2015 International Joint Conference on Neural Networks (IJCNN), pp. 1–7, July 2015

    Google Scholar 

  4. Ban, T., Pang, S., Eto, M., Inoue, D., Nakao, K., Huang, R.: Towards early detection of novel attack patterns through the lens of a large-scale darknet, pp. 341–349, July 2016

    Google Scholar 

  5. Ban, T., Zhu, L., Shimamura, J., Pang, S., Inoue, D., Nakao, K.: Detection of botnet activities through the lens of a large-scale darknet. In: Liu, D., Xie, S., Li, Y., Zhao, D., El-Alfy, E.-S.M. (eds.) ICONIP 2017. LNCS, vol. 10638, pp. 442–451. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70139-4_45

    Chapter  Google Scholar 

  6. Ban, T., Zhu, L., Shimamura, J., Pang, S., Inoue, D., Nakao, K.: Behavior analysis of long-term cyber attacks in the darknet. In: Huang, T., Zeng, Z., Li, C., Leung, C.S. (eds.) ICONIP 2012. LNCS, vol. 7667, pp. 620–628. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34500-5_73

    Chapter  Google Scholar 

  7. Bartos, K., Sofka, M., Franc, V.: Optimized invariant representation of network traffic for detecting unseen malware variants (2016)

    Google Scholar 

  8. Bou-Harb, E., Debbabi, M., Assi, C.: A time series approach for inferring orchestrated probing campaigns by analyzing darknet traffic. In: 2015 10th International Conference on Availability, Reliability and Security, pp. 180–185. IEEE, August 2015

    Google Scholar 

  9. Bringer, M.L., Chelmecki, C.A., Fujinoki, H.: A survey: recent advances and future trends in honeypot research. Int. J. Comput. Netw. Inf. Secur. 4(10), 63 (2012)

    Google Scholar 

  10. Cao, F., Estert, M., Qian, W., Zhou, A.: Density-based clustering over an evolving data stream with noise. In: Proceedings of the 2006 SIAM International Conference on Data Mining, pp. 328–339. SIAM (2006)

    Google Scholar 

  11. Carnein, M., Trautmann, H.: Optimizing data stream representation: an extensive survey on stream clustering algorithms. Bus. Inf. Syst. Eng. 61(3), 277–297 (2019)

    Article  Google Scholar 

  12. Casas, P., Mazel, J., Owezarski, P.: Unsupervised network intrusion detection systems: detecting the unknown without knowledge. Comput. Commun. 35, 772–783 (2012)

    Article  Google Scholar 

  13. Choi, S.S., Song, J., Kim, S., Kim, S.: A model of analyzing cyber threats trend and tracing potential attackers based on darknet traffic. Secur. Commun. Netw. 7(10), n/a (2013)

    Google Scholar 

  14. Corchado, E., Herrero, Á.: Neural visualization of network traffic data for intrusion detection. Appl. Soft Comput. J. 11, 2042–2056 (2010)

    Article  Google Scholar 

  15. Coudriau, M., Lahmadi, A., François, J.: Topological analysis and visualisation of network monitoring data: darknet case study. In: 2016 IEEE International Workshop on Information Forensics and Security (WIFS), pp. 1–6 (2016)

    Google Scholar 

  16. Durumeric, Z., Bailey, M., Halderman, J.A.: An Internet-wide view of Internet-wide scanning. In: Proceedings of the 23rd USENIX Conference on Security Symposium, SEC 2014, pp. 65–78. USENIX Association (2014)

    Google Scholar 

  17. Ester, M., Wittmann, R.: Incremental generalization for mining in a data warehousing environment. In: Schek, H.-J., Alonso, G., Saltor, F., Ramos, I. (eds.) EDBT 1998. LNCS, vol. 1377, pp. 135–149. Springer, Heidelberg (1998). https://doi.org/10.1007/BFb0100982

    Chapter  Google Scholar 

  18. Ester, M., Kriegel, H.P., Sander, J., Xu, X., et al.: A density-based algorithm for discovering clusters in large spatial databases with noise. In: KDD, vol. 96, pp. 226–231 (1996)

    Google Scholar 

  19. Fachkha, C., Bou-Harb, E., Debbabi, M.: Inferring distributed reflection denial of service attacks from darknet. Comput. Commun. 62, 59–71 (2015)

    Article  Google Scholar 

  20. Faria, E.R., Gonçalves, I.J.C.R., de Carvalho, A.C.P.L.F., Gama, J.: Novelty detection in data streams. Artif. Intell. Rev. 45(2), 235–269 (2015). https://doi.org/10.1007/s10462-015-9444-8

    Article  Google Scholar 

  21. Guha, S., Mishra, N., Motwani, R., O’Callaghan, L.: Clustering data streams. In: Proceedings of 41st Annual Symposium on Foundations of Computer Science, 2000, pp. 359–366. IEEE (2000)

    Google Scholar 

  22. Harrop, W., Armitage, G.: Defining and evaluating Greynets (sparse darknets). In: The IEEE Conference on Local Computer Networks 30th Anniversary (LCN 2005), vol. l, pp. 344–350. IEEE (2005)

    Google Scholar 

  23. Heo, H., Shin, S.: Who is knocking on the Telnet port: a large-scale empirical study of network scanning. In: Proceedings of the 2018 on Asia Conference on Computer and Communications Security, pp. 625–636. ACM (2018)

    Google Scholar 

  24. Inoue, D., et al.: An incident analysis system NICTER and its analysis engines based on data mining techniques. In: Köppen, M., Kasabov, N., Coghill, G. (eds.) ICONIP 2008. LNCS, vol. 5506, pp. 579–586. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02490-0_71

    Chapter  Google Scholar 

  25. Kao, C.N., Chang, Y.C., Huang, N.F., Liao, I.J., Liu, R.T., Hung, H.W., et al.: A predictive zero-day network defense using long-term port-scan recording. In: 2015 IEEE Conference on Communications and Network Security (CNS), pp. 695–696. IEEE (2015)

    Google Scholar 

  26. Lagraa, S., Francois, J., Lahmadi, A., Miner, M., Hammerschmidt, C., State, R.: BotGM: unsupervised graph mining to detect botnets in traffic flows. In: 2017 1st Cyber Security in Networking Conference (CSNet), pp. 1–8. IEEE, October 2017

    Google Scholar 

  27. Liu, J., Fukuda, K.: Towards a taxonomy of darknet traffic. In: 2014 International Wireless Communications and Mobile Computing Conference (IWCMC), pp. 37–43. IEEE, August 2014

    Google Scholar 

  28. Maaten, L.V.D., Hinton, G.: Visualizing data using t-SNE. J. Mach. Learn. Res. 9(Nov), 2579–2605 (2008)

    MATH  Google Scholar 

  29. Mairh, A., Barik, D., Verma, K., Jena, D.: Honeypot in network security: a survey. In: Proceedings of the 2011 International Conference on Communication, Computing and Security, pp. 600–605. ACM (2011)

    Google Scholar 

  30. Mikolov, T., Chen, K., Corrado, G., Dean, J.: Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781 (2013)

  31. Nichols, S.: FBI warns of SIM-swap scams, IBM finds holes in visitor software, 13-year-old girl charged over Javascript prank (2019). https://www.theregister.co.uk/2019/03/09/security_roundup_080319

  32. Owezarski, P.: A Near Real-Time Algorithm for Autonomous Identification and Characterization of Honeypot Attacks. Technical report (2015). https://hal.archives-ouvertes.fr/hal-01112926

  33. Pa, Y.M.P., Suzuki, S., Yoshioka, K., Matsumoto, T., Kasama, T., Rossow, C.: IoTPOT: a novel honeypot for revealing current IoT threats. J. Inf. Process. 24(3), 522–533 (2016)

    Google Scholar 

  34. Pang, S., et al.: Malicious events grouping via behavior based darknet traffic flow analysis. Wirel. Pers. Commun. 96, 5335–5353 (2017)

    Article  Google Scholar 

  35. Singhal, A., Ou, X.: Security risk analysis of enterprise networks using probabilistic attack graphs. Network Security Metrics, pp. 53–73. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66505-4_3

    Chapter  Google Scholar 

  36. Thonnard, O., Dacier, M.: A framework for attack patterns’ discovery in honeynet data. Digit. Invest. 5, S128–S139 (2008)

    Article  Google Scholar 

  37. Ullrich, J.: Port 7547 soap remote code execution attack against DSL modems (2016). https://isc.sans.edu/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759

  38. Van Horenbeeck, M.: The sans Internet storm center. In: 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing, pp. 17–23. IEEE (2008)

    Google Scholar 

  39. Wagner, C., Dulaunoy, A., Wagener, G., Iklody, A.: MISP: the design and implementation of a collaborative threat intelligence sharing platform. In: Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, pp. 49–56. ACM (2016)

    Google Scholar 

  40. Wieting, J., Bansal, M., Gimpel, K., Livescu, K.: Towards universal paraphrastic sentence embeddings. arXiv preprint arXiv:1511.08198 (2015)

  41. Wustrow, E., Karir, M., Bailey, M., Jahanian, F., Huston, G.: Internet background radiation revisited. In: Proceedings of the 10th ACM SIGCOMM Conference on Internet Measurement, New York (2010)

    Google Scholar 

  42. Zhang, J., Tong, Y., Qin, T.: Traffic features extraction and clustering analysis for abnormal behavior detection. In: Proceedings of the 2016 International Conference on Intelligent Information Processing - ICIIP 2016, New York (2016)

    Google Scholar 

  43. Škrjanc, I., Ozawa, S., Dovžan, D., Tao, B., Nakazato, J., Shimamura, J.: Evolving cauchy possibilistic clustering and its application to large-scale cyberattack monitoring. In: 2017 IEEE Symposium Series on Computational Intelligence (SSCI), pp. 1–7, November 2017

    Google Scholar 

Download references

Acknowledgment

This research was partially supported by the CONCORDIA project that has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement number 830927. We would like to thank Nadav Maman for his help in implementing DANTE.

Author information

Authors and Affiliations

  1. Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev, Beersheba, Israel

    Dvir Cohen, Yisroel Mirsky, Yuval Elovici, Rami Puzis & Asaf Shabtai

  2. Georgia Institute of Technology, Atlanta, USA

    Yisroel Mirsky

  3. Deutsche Telekom Security GmbH, Bonn, Germany

    Manuel Kamp & Tobias Martin

Authors
  1. Dvir Cohen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Yisroel Mirsky
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Manuel Kamp
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Tobias Martin
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Yuval Elovici
    View author publications

    You can also search for this author in PubMed Google Scholar

  6. Rami Puzis
    View author publications

    You can also search for this author in PubMed Google Scholar

  7. Asaf Shabtai
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Dvir Cohen .

Editor information

Editors and Affiliations

  1. University of Surrey, Guildford, UK

    Liqun Chen

  2. Purdue University, West Lafayette, IN, USA

    Ninghui Li

  3. Delft University of Technology, Delft, The Netherlands

    Kaitai Liang

  4. University of Surrey, Guildford, UK

    Steve Schneider

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Cohen, D. et al. (2020). DANTE: A Framework for Mining and Monitoring Darknet Traffic. In: Chen, L., Li, N., Liang, K., Schneider, S. (eds) Computer Security – ESORICS 2020. ESORICS 2020. Lecture Notes in Computer Science(), vol 12308. Springer, Cham. https://doi.org/10.1007/978-3-030-58951-6_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-58951-6_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-58950-9

  • Online ISBN: 978-3-030-58951-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation