Exploratory Data Analysis of a Network Telescope Traffic and Prediction of Port Probing Rates

Zakroum, Mehdi; Houmz, Abdellah; Ghogho, Mounir; Mezzour, Ghita; Lahmadi, Abdelkader; Jérôme, François; Koutbi, Mohammed El

doi:10.1109/isi.2018.8587323

Cited by 9 publications

(10 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…3) The performance of the prediction models are evaluated on the most targeted services using more than 300 days of probing traffic (more than 1.5 TB of data). We show that the probing rates are predictable with an average coefficient of determination R 2 ranging between 0.70 and 0.83, surpassing for most of the network services the performance of autoregressive-based models [14]. Also, we show that the information carried by the semantic similarity between ports contributes in defining an improved feature space which positively impacts the performance of the prediction model.…”

Section: Introductionmentioning

confidence: 84%

“…In relation with predictive models leveraging darknet traffic, the authors in [14] used the vector autoregressive model to predict the probing rates at the port level. Their approach for training the model consists in adapting the learning process to overcome the issue of the non-stationarity of the autoregressive model's parameters over time.…”

Section: Related Workmentioning

confidence: 99%

“…There exist an extensive collection of learning models for this purpose. For instance, in [14], the authors designed the non-stationary Vector Autoregressive (VAR) model to address the issue of non-stationarity of the probing rates time series. Even though the model showed satisfactory prediction results, its performance degrades in the case of ports having second order non-stationary probing time series such as 443 (https) and 3306 (mysql).…”

Section: Prediction Of Port Probing Ratesmentioning

confidence: 99%

See 2 more Smart Citations

Monitoring Network Telescopes and Inferring Anomalous Traffic Through the Prediction of Probing Rates

Zakroum

Jérôme

Chrisment

et al. 2022

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

Network reconnaissance is the first step preceding a cyber-attack. Hence, monitoring the probing activities is imperative to help security practitioners enhancing their awareness about Internet's large-scale events or peculiar events targeting their network. In this paper, we present a framework for an improved and efficient monitoring of the probing activities targeting network telescopes. Particularly, we model the probing rates which are a good indicator for measuring the cyber-security risk targeting network services. The approach consists of first inferring groups of network ports sharing similar probing characteristics through a new affinity metric capturing both temporal and semantic similarities between ports. Then, sequences of probing rates targeting similar ports are used as inputs to stacked Long Short-Term Memory (LSTM) neural networks to predict probing rates 1 hour and 1 day in advance. Finally, we describe two monitoring indicators that use the prediction models to infer anomalous probing traffic and to raise early threat warnings. We show that LSTM networks can accurately predict probing rates, outperforming the nonstationary autoregressive model, and we demonstrate that the monitoring indicators are efficient in assessing the cyber-security risk related to vulnerability disclosure.

show abstract

Section: Introductionmentioning

confidence: 84%

Section: Related Workmentioning

confidence: 99%

Section: Prediction Of Port Probing Ratesmentioning

confidence: 99%

See 1 more Smart Citation

Monitoring Network Telescopes and Inferring Anomalous Traffic Through the Prediction of Probing Rates

Zakroum

Jérôme

Chrisment

et al. 2022

IEEE Trans. Netw. Serv. Manage.

View full text Add to dashboard Cite

show abstract

“…Zakroum and their team observed that more than 80% of network probers target less than five ports in the whole darknet space most attacked ports SSH (22), RDP (3389), MySQL (3306) and FTP (21) while focusing on the HTTP (80) server (Zakroum et al , 2018).…”

Section: Related Workmentioning

confidence: 99%

Exploratory data analysis for cybersecurity

Miranda-Calle

Reddy

Dhawan

et al. 2021

WJE

View full text Add to dashboard Cite

Purpose The impact of cyberattacks all over the world has been increasing at a constant rate every year. Performing exploratory analysis helps organizations to identify, manage and safeguard the information that could be vulnerable to cyber-attacks. It encourages to the creation of a plan for security controls that can help to protect data and keep constant tabs on threats and monitor their organization’s networks for any breaches. Design/methodology/approach The purpose of this experimental study is to state the use of data science in analyzing data and to provide a more detailed view of the most common cybersecurity attacks, what are the most accessed logical ports, visible patterns, as well as the trends and occurrence of attacks. The data to be processed has been obtained by aggregating data provided by a company’s technology department, which includes network flow data produced by nine different types of attacks within every day user activities. This could be insightful for many companies to measure the damage caused by these breaches but also gives a foundation for future comparisons and serves as a basis for proactive measures within industry and organizations. Findings The most common cybersecurity attacks, most accessed logical ports and their visible patterns were found in the acquired data set. The strategies, which attackers have used with respect to time, type of attacks, specific ports, IP addresses and their relationships have been determined. The statistical hypothesis was also performed to check whether attackers were confined to perform random attacks or to any specific machines with some pattern. Originality/value Policies can be suggested such that if an attack is conducted on a specific machine, which can be prevented by identifying the machine, ports and duration of the attacks on which the attacker is targeting and to formulate such policies that the organization should follow to tackle these targeted attacks in the future.

show abstract

“…Where non-stationary VAR model consistently produces better results for services exhibiting high probing rate variability. More details could be found in the paper (Zakroum et al, 2018).…”

Section: Prediction Attack Ratesmentioning

confidence: 99%

ThreatPredict: From Global Social and Technical Big Data to Cyber Threat Forecast

Jérôme

Beck

Mezzour

et al. 2020

NATO Science for Peace and Security Series B: Physics and Biophysics

Self Cite

View full text Add to dashboard Cite

HAL is a multi-disciplinary open access archive for the deposit and dissemination of scientific research documents, whether they are published or not. The documents may come from teaching and research institutions in France or abroad, or from public or private research centers. L'archive ouverte pluridisciplinaire HAL, est destinée au dépôt et à la diffusion de documents scientifiques de niveau recherche, publiés ou non, émanant des établissements d'enseignement et de recherche français ou étrangers, des laboratoires publics ou privés.

show abstract

Exploratory Data Analysis of a Network Telescope Traffic and Prediction of Port Probing Rates

Cited by 9 publications

References 7 publications

Monitoring Network Telescopes and Inferring Anomalous Traffic Through the Prediction of Probing Rates

Monitoring Network Telescopes and Inferring Anomalous Traffic Through the Prediction of Probing Rates

Exploratory data analysis for cybersecurity

ThreatPredict: From Global Social and Technical Big Data to Cyber Threat Forecast

Contact Info

Product

Resources

About