Collaborative Behavior Visualization and Its Detection by Observing Darknet Traffic

  • Satoru Akimoto
  • Yoshiaki Hori
  • Kouichi Sakurai
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7672)


Recently, we have a problem about an attack generated by a botnet which consists of a group of compromised computers called bots. An attacker called botmaster controls it and a botnet invokes an attack such as scanning and DDoS attack. In this paper, we use the 3D-visualization to investigate the change of attack according to the darknet traffic. As a result, we discover the attack in which several source IP addresses transmit packets to a single destination within a short period of time. In addition, we find that the packet size and the destination port number are identical on its attack. Furthermore, we propose the method to detect this attack called behavior of collaborative attack. In our proposal, we focus on the number of source IP addresses which transmit packets to the single destination. We detected this packet and the rate of packet with the same packet size and destination port number occupied about 90% of the set unit of extracted packet.


darknet collaborative behavior botnet 3D-visualization cybersecurity 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. [1]
    Bailey, M., Cooke, E., Jahanian, F., Xu, Y., Karir, M.: A Survey of Botnet Technology and Defenses. In: Proc. Cybersecurity Applications & Technology Conference for Homeland Security, Washington, DC, USA, pp. 299–304 (March 2009)Google Scholar
  2. [2]
  3. [3]
  4. [4]
    Guirguis, M., Bestavros, A., Matta, I.: On the Impact of Low-Rate Attacks. In: IEEE International Conference and Communications, vol. 5, pp. 2316–2321 (June 2006)Google Scholar
  5. [5]
    Treurniet, J.: A Network Activity Classification Schema and Its Application to Scan Detection. IEEE/ACM Transactions on Networking 19(5), 1396–1404 (2011)CrossRefGoogle Scholar
  6. [6]
    Xiang, Y., Li, K., Zhou, W.: Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics. IEEE Transactions on Information Forensics and Security 6(2), 426–437 (2011)CrossRefGoogle Scholar
  7. [7]
    Kim, M.-S., Kang, H.-J., Hong, S.-C., Chung, S.-H., Hong, J.W.: A Flow-based Method for Abnormal Network Traffic Detection. In: IEEE/IFIP Network Operations and Management Symposium 2004 (2004)Google Scholar
  8. [8]
    Eto, M., Inoue, D., Song, J., Nakazato, J., Ohtaka, K., Nakao, K.: Nicter: A Large-Scale Network Incident Analysis System. In: Proc. First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, pp. 37–45 (2011)Google Scholar
  9. [9]
    Kanlayasiri, U., Sanguanpong, S., Jaratmanachot, W.: A Rule-based Approach for Port Scanning Detection. In: Proc. 23rd Electrical Engineering Conference, Thailand, pp. 148–153 (2000)Google Scholar
  10. [10]
    Needham, R.M.: Denial of Service. In: Proc. 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, pp. 151–153 (November 1993)Google Scholar
  11. [11]
    Moore, D., Shannon, C., Brown, D., Voelker, G.M., Savage, S.: Inferring Internet Denial-of-Service Activity. ACM Transactions on Computer Systems 24(2), 115–139 (2006)CrossRefGoogle Scholar
  12. [12]
    Cooke, E., Bailey, M., Mao, Z.M., Watson, D., Jahanian, F., McPherson, D.: Toward Understanding Distributed Blackhole Placement. In: Proc. ACM CCS Workshop on Rapid Malcode, pp. 54–64. ACM Press (October 2004)Google Scholar
  13. [13]
    Feily, M., Shahrestani, A.: A Survey of Botnet and Botnet Detection. In: Proc. Third International Conference on Emerging Security Information, Systems and Technologies (June 2009)Google Scholar
  14. [14]
    Choi, H., Lee, H., Lee, H., Kim, H.: Botnet Detection by Monitoring Group Activities in DNS Traffic. In: Proc. 7th IEEE International Conference on Computer and Information Technology, pp. 715–720 (2007)Google Scholar
  15. [15]
    Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A Multifaceted Approach to Understanding the Botnet Phenomenon. In: Proc. 6th ACM SIGCOMM Conference on Internet Measurement, pp. 41–42 (2006)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Satoru Akimoto
    • 1
    • 2
  • Yoshiaki Hori
    • 1
    • 2
  • Kouichi Sakurai
    • 1
    • 2
  1. 1.Graduate School of Information Science and Electrical EngineeringKyushu UniversityFukuokaJapan
  2. 2.Institute of Systems, Information Technologies and NanotechnologiesFukuokaJapan

Personalised recommendations