Skip to main content

Collaborative Behavior Visualization and Its Detection by Observing Darknet Traffic

  • Conference paper

Part of the Lecture Notes in Computer Science book series (LNSC,volume 7672)

Abstract

Recently, we have a problem about an attack generated by a botnet which consists of a group of compromised computers called bots. An attacker called botmaster controls it and a botnet invokes an attack such as scanning and DDoS attack. In this paper, we use the 3D-visualization to investigate the change of attack according to the darknet traffic. As a result, we discover the attack in which several source IP addresses transmit packets to a single destination within a short period of time. In addition, we find that the packet size and the destination port number are identical on its attack. Furthermore, we propose the method to detect this attack called behavior of collaborative attack. In our proposal, we focus on the number of source IP addresses which transmit packets to the single destination. We detected this packet and the rate of packet with the same packet size and destination port number occupied about 90% of the set unit of extracted packet.

Keywords

  • darknet
  • collaborative behavior
  • botnet
  • 3D-visualization
  • cybersecurity

This work was partially supported by Proactive Response Against Cyber-attacks Through International Collaborative Exchange (PRACTICE), Ministry of Internal Affairs and Communications, Japan.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (Canada)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD   39.99
Price excludes VAT (Canada)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD   54.99
Price excludes VAT (Canada)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. Bailey, M., Cooke, E., Jahanian, F., Xu, Y., Karir, M.: A Survey of Botnet Technology and Defenses. In: Proc. Cybersecurity Applications & Technology Conference for Homeland Security, Washington, DC, USA, pp. 299–304 (March 2009)

    Google Scholar 

  2. Mcafee Co., http://www.mcafee.com

  3. Symantec Co., http://www.symantec.com

  4. Guirguis, M., Bestavros, A., Matta, I.: On the Impact of Low-Rate Attacks. In: IEEE International Conference and Communications, vol. 5, pp. 2316–2321 (June 2006)

    Google Scholar 

  5. Treurniet, J.: A Network Activity Classification Schema and Its Application to Scan Detection. IEEE/ACM Transactions on Networking 19(5), 1396–1404 (2011)

    CrossRef  Google Scholar 

  6. Xiang, Y., Li, K., Zhou, W.: Low-Rate DDoS Attacks Detection and Traceback by Using New Information Metrics. IEEE Transactions on Information Forensics and Security 6(2), 426–437 (2011)

    CrossRef  Google Scholar 

  7. Kim, M.-S., Kang, H.-J., Hong, S.-C., Chung, S.-H., Hong, J.W.: A Flow-based Method for Abnormal Network Traffic Detection. In: IEEE/IFIP Network Operations and Management Symposium 2004 (2004)

    Google Scholar 

  8. Eto, M., Inoue, D., Song, J., Nakazato, J., Ohtaka, K., Nakao, K.: Nicter: A Large-Scale Network Incident Analysis System. In: Proc. First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security, pp. 37–45 (2011)

    Google Scholar 

  9. Kanlayasiri, U., Sanguanpong, S., Jaratmanachot, W.: A Rule-based Approach for Port Scanning Detection. In: Proc. 23rd Electrical Engineering Conference, Thailand, pp. 148–153 (2000)

    Google Scholar 

  10. Needham, R.M.: Denial of Service. In: Proc. 1st ACM Conference on Computer and Communications Security, Fairfax, Virginia, pp. 151–153 (November 1993)

    Google Scholar 

  11. Moore, D., Shannon, C., Brown, D., Voelker, G.M., Savage, S.: Inferring Internet Denial-of-Service Activity. ACM Transactions on Computer Systems 24(2), 115–139 (2006)

    CrossRef  Google Scholar 

  12. Cooke, E., Bailey, M., Mao, Z.M., Watson, D., Jahanian, F., McPherson, D.: Toward Understanding Distributed Blackhole Placement. In: Proc. ACM CCS Workshop on Rapid Malcode, pp. 54–64. ACM Press (October 2004)

    Google Scholar 

  13. Feily, M., Shahrestani, A.: A Survey of Botnet and Botnet Detection. In: Proc. Third International Conference on Emerging Security Information, Systems and Technologies (June 2009)

    Google Scholar 

  14. Choi, H., Lee, H., Lee, H., Kim, H.: Botnet Detection by Monitoring Group Activities in DNS Traffic. In: Proc. 7th IEEE International Conference on Computer and Information Technology, pp. 715–720 (2007)

    Google Scholar 

  15. Rajab, M.A., Zarfoss, J., Monrose, F., Terzis, A.: A Multifaceted Approach to Understanding the Botnet Phenomenon. In: Proc. 6th ACM SIGCOMM Conference on Internet Measurement, pp. 41–42 (2006)

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Editor information

Editors and Affiliations

Rights and permissions

Reprints and Permissions

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Akimoto, S., Hori, Y., Sakurai, K. (2012). Collaborative Behavior Visualization and Its Detection by Observing Darknet Traffic. In: Xiang, Y., Lopez, J., Kuo, CC.J., Zhou, W. (eds) Cyberspace Safety and Security. CSS 2012. Lecture Notes in Computer Science, vol 7672. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35362-8_17

Download citation

  • DOI: https://doi.org/10.1007/978-3-642-35362-8_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-35361-1

  • Online ISBN: 978-3-642-35362-8

  • eBook Packages: Computer ScienceComputer Science (R0)