Detection of Botnet Activities Through the Lens of a Large-Scale Darknet

Ban, Tao; Zhu, Lei; Shimamura, Jumpei; Pang, Shaoning; Inoue, Daisuke; Nakao, Koji

doi:10.1007/978-3-319-70139-4_45

Cited by 14 publications

(8 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Here, we present some prior research that had a similar scope to our problem and used darknet traffic but did not focus on synchronization. There are several methods to detect anomalies by detecting change points in darknet traffic, such as ChangeFinder that was introduced as a comparison method in a previous study [10], [59]- [61]. Ahmedet al proposed a sliding window-based adaptive cumulative sum (CUSUM) algorithm, which is a sequential analysis method for detecting drastic changes in darknet traffic [59].…”

Section: B Malware Activity Detection On Darknetsmentioning

confidence: 99%

“…Inoue et al [60] employed the ChangeFinder algorithm [10] to detect sudden change points in darknet traffic with a low computational cost. Ban et al proposed an abrupt-change detection algorithm that can detect botnet probe campaigns with a high detection rate by searching for temporal coincidences in botnet activities observed on the darknet [61]. The aforementioned change detection methods all share the same drawback-they cannot achieve high accuracy without focusing on specific protocol ports because they detect change points without distinguishing between many sources of noisy communications, such as misconfigured traffic.…”

Section: B Malware Activity Detection On Darknetsmentioning

confidence: 99%

“…Change Detection 2017 [61] Proposed an abrupt-change detection algorithm that can detect botnet probe campaigns with a high detection rate by searching for temporal coincidences in botnet activities seen on the darknet.…”

Section: Anomalousmentioning

confidence: 99%

See 2 more Smart Citations

Dark-TRACER: Early Detection Framework for Malware Activity Based on Anomalous Spatiotemporal Patterns

et al. 2022

Self Cite

View full text Add to dashboard Cite

As cyberattacks become increasingly prevalent globally, there is a need to identify trends in these cyberattacks and take suitable countermeasures quickly. The darknet, an unused IP address space, is relatively conducive to observing and analyzing indiscriminate cyberattacks because of the absence of legitimate communication. Indiscriminate scanning activities by malware to spread their infections often show similar spatiotemporal patterns, and such trends are also observed on the darknet. To address the problem of early detection of malware activities, we focus on anomalous synchronization of spatiotemporal patterns observed in darknet traffic data. Our previous studies proposed algorithms that automatically estimate and detect anomalous spatiotemporal patterns of darknet traffic in real time by employing three independent machine learning methods. In this study, we integrated the previously proposed methods into a single framework, which we refer to as Dark-TRACER, and conducted quantitative experiments to evaluate its ability to detect these malware activities. We used darknet traffic data from October 2018 to October 2020 observed in our largescale darknet sensors (up to /17 subnet scales). The results demonstrate that the weaknesses of the methods complement each other, and the proposed framework achieves an overall 100% recall rate. In addition, Dark-TRACER detects the average of malware activities 153.6 days earlier than when those malware activities are revealed to the public by reputable third-party security research organizations. Finally, we evaluated the cost of human analysis to implement the proposed system and demonstrated that two analysts can perform the daily operations necessary to operate the framework in approximately 7.3 h.

show abstract

Section: B Malware Activity Detection On Darknetsmentioning

confidence: 99%

Section: B Malware Activity Detection On Darknetsmentioning

confidence: 99%

See 1 more Smart Citation

Dark-TRACER: Early Detection Framework for Malware Activity Based on Anomalous Spatiotemporal Patterns

et al. 2022

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, these change point detection methods have many limitations in actual operation. For example, when analyzing all TCP destination port numbers separately (2 16 ), an enormous amount of alerts can be obtained, and multiple high-performance servers are required. As an alternative, it is conceivable to aggregate and analyze for each range of the destination port number, but it is necessary to adjust the parameters according to the time when the traffic volume changes dramatically or moderately.…”

Section: Related Workmentioning

confidence: 99%

Real-Time Detection of Global Cyberthreat Based on Darknet by Estimating Anomalous Synchronization Using Graphical Lasso

Han

Shimamura²,

Takahashi

et al. 2020

IEICE Trans. Inf. & Syst.

Self Cite

View full text Add to dashboard Cite

With the rapid evolution and increase of cyberthreats in recent years, it is necessary to detect and understand it promptly and precisely to reduce the impact of cyberthreats. A darknet, which is an unused IP address space, has a high signal-to-noise ratio, so it is easier to understand the global tendency of malicious traffic in cyberspace than other observation networks. In this paper, we aim to capture global cyberthreats in real time. Since multiple hosts infected with similar malware tend to perform similar behavior, we propose a system that estimates a degree of synchronizations from the patterns of packet transmission time among the source hosts observed in unit time of the darknet and detects anomalies in real time. In our evaluation, we perform our proof-of-concept implementation of the proposed engine to demonstrate its feasibility and effectiveness, and we detect cyberthreats with an accuracy of 97.14%. This work is the first practical trial that detects cyberthreats from in-the-wild darknet traffic regardless of new types and variants in real time, and it quantitatively evaluates the result.

show abstract

“…In prior research [1], [2], [14], [7], [15], [10], [9], [16], [17], [5], [18], [19], darknet data is used to detect botnet hosts, typically by clustering and classifying the src IPs with features such as the dst port and packet size.…”

Section: A Mining Darknet Trafficmentioning

confidence: 99%

DANTE: A framework for mining and monitoring darknet traffic

Cohen¹,

Mirsky²,

Elovici³

et al. 2020

Preprint

View full text Add to dashboard Cite

Trillions of network packets are sent over the Internet to destinations which do not exist. This 'darknet' traffic captures the activity of botnets and other malicious campaigns aiming to discover and compromise devices around the world. In order to mine threat intelligence from this data, one must be able to handle large streams of logs and represent the traffic patterns in a meaningful way. However, by observing how network ports (services) are used, it is possible to capture the intent of each transmission. In this paper, we present DANTE: a framework and algorithm for mining darknet traffic. DANTE learns the meaning of targeted network ports by applying Word2Vec to observed port sequences. Then, when a host sends a new sequence, DANTE represents the transmission as the average embedding of the ports found that sequence. Finally, DANTE uses a novel and incremental time-series cluster tracking algorithm on observed sequences to detect recurring behaviors and new emerging threats. To evaluate the system, we ran DANTE on a full year of darknet traffic (over three Tera-Bytes) collected by the largest telecommunications provider in Europe, Deutsche Telekom and analyzed the results. DANTE discovered 1,177 new emerging threats and was able to track malicious campaigns over time. We also compared DANTE to the current best approach and found DANTE to be more practical and effective at detecting darknet traffic patterns.

show abstract

Detection of Botnet Activities Through the Lens of a Large-Scale Darknet

Cited by 14 publications

References 18 publications

Dark-TRACER: Early Detection Framework for Malware Activity Based on Anomalous Spatiotemporal Patterns

Dark-TRACER: Early Detection Framework for Malware Activity Based on Anomalous Spatiotemporal Patterns

Real-Time Detection of Global Cyberthreat Based on Darknet by Estimating Anomalous Synchronization Using Graphical Lasso

DANTE: A framework for mining and monitoring darknet traffic

Contact Info

Product

Resources

About