Behavior Analysis of Long-term Cyber Attacks in the Darknet

Ban, Tao; Zhu, Lei; Shimamura, Junpei; Pang, Shaoning; Inoue, Daisuke; Nakao, Koji

doi:10.1007/978-3-642-34500-5_73

Cited by 17 publications

(10 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Darknet data have been utilized to study DDoS attacks [9,10,15,42], DoS attacks and BGP blackholing [25], IPv6 routing instabilities [11], and long-term cyber attacks [4]. Application-level responses to IBR observed in Darknet have also been used to characterize Internet-wide scanning activities [33].…”

Section: Related Workmentioning

confidence: 99%

“…Thus, Darknets have been frequently used by the networking and security communities to shed light into dubious malware propagation and interminable network scanning activities [14,20,33,36,43]. They have also been used to detect cyber-threats, e.g., botnets [2], DDoS and other types of attacks [4,15,32], and to detect novel attack patterns [3].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Zooming Into the Darknet: Characterizing Internet Background Radiation and its Structural Changes

Kallitsis,

Honavar,

Prajapati

et al. 2021

Preprint

View full text Add to dashboard Cite

Network telescopes or "Darknets" provide a unique window into Internet-wide malicious activities associated with malware propagation, denial of service attacks, scanning performed for network reconnaissance, and others. Analyses of the resulting data can provide actionable insights to security analysts that can be used to prevent or mitigate cyber-threats. Large Darknets, however, observe millions of nefarious events on a daily basis which makes the transformation of the captured information into meaningful insights challenging. We present a novel framework for characterizing Darknet behavior and its temporal evolution aiming to address this challenge. The proposed framework:(i) Extracts a high dimensional representation of Darknet events composed of features distilled from Darknet data and other external sources; (ii) Learns, in an unsupervised fashion, an information-preserving low-dimensional representation of these events (using deep representation learning) that is amenable to clustering; (iv) Performs clustering of the scanner data in the resulting representation space and provides interpretable insights using optimal decision trees; and (v) Utilizes the clustering outcomes as "signatures" that can be used to detect structural changes in the Darknet activities. We evaluate the proposed system on a large operational Network Telescope and demonstrate its ability to detect real-world, high-impact cybersecurity incidents.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Zooming Into the Darknet: Characterizing Internet Background Radiation and its Structural Changes

Kallitsis,

Honavar,

Prajapati

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…In prior research [1], [2], [14], [7], [15], [10], [9], [16], [17], [5], [18], [19], darknet data is used to detect botnet hosts, typically by clustering and classifying the src IPs with features such as the dst port and packet size.…”

Section: A Mining Darknet Trafficmentioning

confidence: 99%

“…Previous studies have shown that packets sent to darknet IP addresses are usually the result of network probing/scanning, worm propagation, and a DDoS attacks [5], [6]. Therefore, darknet data can be used by an ISP's cyber emergency response team (CERT) to infer threat intelligence related to ongoing malicious activities or new emerging attacks [7] (see Figure 1).…”

Section: Introductionmentioning

confidence: 99%

“…Recent works proposed various methods for analyzing darknet traffic. Since the destination TCP or UDP port number provides a good indication of the sender's intentions (e.g., accessing port 23 may indicate an attempt to search for an accessible Telnet server), most of the previous research has focused on grouping ports into static clusters and detecting peaks or unusual trends in the volume of the clusters or individual ports [8], [7], [9], [10]. However, attacks are becoming more sophisticated, automated, and noisy (in terms of port access).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

DANTE: A framework for mining and monitoring darknet traffic

Cohen¹,

Mirsky²,

Elovici³

et al. 2020

Preprint

View full text Add to dashboard Cite

Trillions of network packets are sent over the Internet to destinations which do not exist. This 'darknet' traffic captures the activity of botnets and other malicious campaigns aiming to discover and compromise devices around the world. In order to mine threat intelligence from this data, one must be able to handle large streams of logs and represent the traffic patterns in a meaningful way. However, by observing how network ports (services) are used, it is possible to capture the intent of each transmission. In this paper, we present DANTE: a framework and algorithm for mining darknet traffic. DANTE learns the meaning of targeted network ports by applying Word2Vec to observed port sequences. Then, when a host sends a new sequence, DANTE represents the transmission as the average embedding of the ports found that sequence. Finally, DANTE uses a novel and incremental time-series cluster tracking algorithm on observed sequences to detect recurring behaviors and new emerging threats. To evaluate the system, we ran DANTE on a full year of darknet traffic (over three Tera-Bytes) collected by the largest telecommunications provider in Europe, Deutsche Telekom and analyzed the results. DANTE discovered 1,177 new emerging threats and was able to track malicious campaigns over time. We also compared DANTE to the current best approach and found DANTE to be more practical and effective at detecting darknet traffic patterns.

show abstract