Network monitoring is a primary source of data in cyber-security, since it may reveal abnormal behaviour of users or applications. Indeed, security analysts and tools such as IDS (Intrusion Detection Systems) or SIEM (Security Information and Event Management) rely on it either as a single source of information or combined with others. In this paper, we propose a visualisation method derived from the Mapper algorithm, which was developed in the field of Topological Data Analysis (TDA). The method and its associated tool are able to analyse a large number of IP packets in order to make patterns of malicious activity easily observable by security analysts. We applied our method to darknet data, i.e. traffic addressed to an entire subnetwork of the Internet that is presumed unused, and we found that those observable patterns had been missed by Suricata, a widely used state-of-the-art IDS.
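As an added illustration of how the Mapper construction summarised above turns packet records into a graph (this is not the paper's code or tool), the following Python sketch assumes a constructed sample of darknet packets, uses the destination port as the filter function, and single-linkage clustering with a fixed distance threshold inside each cover interval; the nodes are the clusters, and an edge joins two nodes that share a packet.

```python
from itertools import combinations

# Constructed sample of darknet packet records: (src, dst_port, length).
# Two dense groups of scan-like probes (22/23 and 445/450) plus scattered noise.
PACKETS = [
    ("10.0.0.1", 22, 60), ("10.0.0.2", 22, 60), ("10.0.0.3", 23, 60),
    ("10.0.0.4", 23, 64), ("10.0.0.5", 445, 120), ("10.0.0.6", 445, 124),
    ("10.0.0.7", 450, 120), ("10.0.0.8", 2000, 60), ("10.0.0.9", 3389, 60),
    ("10.0.0.10", 8080, 1400),
]

def features(pkt):
    # Point in (dst_port, length) space; length is scaled so that
    # port distance dominates inside a cover interval.
    return (float(pkt[1]), pkt[2] / 10.0)

def dist(p, q):
    return ((p[0] - q[0]) ** 2 + (p[1] - q[1]) ** 2) ** 0.5

def cover(values, n_intervals, overlap):
    # Split [min, max] into n_intervals equal intervals, each widened by
    # `overlap` (fraction of its width) on both sides so neighbours overlap.
    lo, hi = min(values), max(values)
    width = (hi - lo) / n_intervals
    return [(lo + i * width - overlap * width, lo + (i + 1) * width + overlap * width)
            for i in range(n_intervals)]

def single_linkage(idx, pts, eps):
    # Union-find: two points are linked when their distance is at most eps.
    parent = {i: i for i in idx}
    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i
    for a, b in combinations(idx, 2):
        if dist(pts[a], pts[b]) <= eps:
            parent[find(a)] = find(b)
    clusters = {}
    for i in idx:
        clusters.setdefault(find(i), set()).add(i)
    return list(clusters.values())

def mapper(packets, n_intervals=4, overlap=0.2, eps=10.0):
    pts = [features(p) for p in packets]
    lens = [p[0] for p in pts]  # filter (lens) function: destination port
    nodes = []  # each node is the set of packet indices in one cluster
    for lo, hi in cover(lens, n_intervals, overlap):
        idx = [i for i, v in enumerate(lens) if lo <= v <= hi]
        if idx:
            nodes.extend(single_linkage(idx, pts, eps))
    edges = [(a, b) for a, b in combinations(range(len(nodes)), 2) if nodes[a] & nodes[b]]
    return nodes, edges
```

On the constructed sample the two scan-like groups each collapse into one dense node, the noise packets become singleton nodes, and the packet on port 2000 falls into the overlap of two intervals and produces the only edge.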