Abstract
Most organizations and CERTs deploy and operate Intrusion Detection Systems (IDSs) to provide their security monitoring and response service. Although IDSs help defend information assets and critical systems, they have a fundamental drawback: they can detect only known attacks that match predefined signatures. In our previous work, we proposed a security monitoring and response framework based not only on IDS alerts but also on darknet traffic. That framework regards every incoming darknet packet that the IDSs did not detect as an unknown attack. In further analysis, we recognized that not all darknet traffic is related to real attacks. In this paper, we propose an advanced classification method for darknet packets that effectively identifies whether or not they were caused by real attacks. With the proposed method, the security analyst can ignore darknet packets that are not related to real attacks. The experimental results show that the method succeeded in removing 23.45% of unsuspicious darknet packets.
© 2014 Springer International Publishing Switzerland
Ko, S., Kim, K., Lee, Y., Song, J. (2014). A Classification Method of Darknet Traffic for Advanced Security Monitoring and Response. In: Loo, C.K., Yap, K.S., Wong, K.W., Beng Jin, A.T., Huang, K. (eds) Neural Information Processing. ICONIP 2014. Lecture Notes in Computer Science, vol 8836. Springer, Cham. https://doi.org/10.1007/978-3-319-12643-2_44
DOI: https://doi.org/10.1007/978-3-319-12643-2_44
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-12642-5
Online ISBN: 978-3-319-12643-2