Collaborative Behavior Visualization and Its Detection by Observing Darknet Traffic
Recently, we have a problem about an attack generated by a botnet which consists of a group of compromised computers called bots. An attacker called botmaster controls it and a botnet invokes an attack such as scanning and DDoS attack. In this paper, we use the 3D-visualization to investigate the change of attack according to the darknet traffic. As a result, we discover the attack in which several source IP addresses transmit packets to a single destination within a short period of time. In addition, we find that the packet size and the destination port number are identical on its attack. Furthermore, we propose the method to detect this attack called behavior of collaborative attack. In our proposal, we focus on the number of source IP addresses which transmit packets to the single destination. We detected this packet and the rate of packet with the same packet size and destination port number occupied about 90% of the set unit of extracted packet.
Keywordsdarknet collaborative behavior botnet 3D-visualization cybersecurity
Unable to display preview. Download preview PDF.
- Bailey, M., Cooke, E., Jahanian, F., Xu, Y., Karir, M.: A Survey of Botnet Technology and Defenses. In: Proc. Cybersecurity Applications & Technology Conference for Homeland Security, Washington, DC, USA, pp. 299–304 (March 2009)Google Scholar
- Mcafee Co., http://www.mcafee.com
- Symantec Co., http://www.symantec.com
- Guirguis, M., Bestavros, A., Matta, I.: On the Impact of Low-Rate Attacks. In: IEEE International Conference and Communications, vol. 5, pp. 2316–2321 (June 2006)Google Scholar
- Kim, M.-S., Kang, H.-J., Hong, S.-C., Chung, S.-H., Hong, J.W.: A Flow-based Method for Abnormal Network Traffic Detection. In: IEEE/IFIP Network Operations and Management Symposium 2004 (2004)Google Scholar
- Eto, M., Inoue, D., Song, J., Nakazato, J., Ohtaka, K., Nakao, K.: Nicter: A Large-Scale Network Incident Analysis System. In: Proc. First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, pp. 37–45 (2011)Google Scholar
- Kanlayasiri, U., Sanguanpong, S., Jaratmanachot, W.: A Rule-based Approach for Port Scanning Detection. In: Proc. 23rd Electrical Engineering Conference, Thailand, pp. 148–153 (2000)Google Scholar
- Needham, R.M.: Denial of Service. In: Proc. 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, pp. 151–153 (November 1993)Google Scholar
- Cooke, E., Bailey, M., Mao, Z.M., Watson, D., Jahanian, F., McPherson, D.: Toward Understanding Distributed Blackhole Placement. In: Proc. ACM CCS Workshop on Rapid Malcode, pp. 54–64. ACM Press (October 2004)Google Scholar
- Feily, M., Shahrestani, A.: A Survey of Botnet and Botnet Detection. In: Proc. Third International Conference on Emerging Security Information, Systems and Technologies (June 2009)Google Scholar
- Choi, H., Lee, H., Lee, H., Kim, H.: Botnet Detection by Monitoring Group Activities in DNS Traffic. In: Proc. 7th IEEE International Conference on Computer and Information Technology, pp. 715–720 (2007)Google Scholar
- Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A Multifaceted Approach to Understanding the Botnet Phenomenon. In: Proc. 6th ACM SIGCOMM Conference on Internet Measurement, pp. 41–42 (2006)Google Scholar