Publication detail

Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis

PANG, S.; KOMOSNÝ, D.; ZHU, L.; ZHANG, R.; SARRAFZADEH, A.; BAN, T.; INOUE, D.

Original Title

Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis

Type

journal article

Language

en

Original Abstract

This paper proposes a host behavior based darknet traffic decomposition approach to identifying groups of malicious events from massive historical darknet traffic. In this approach, we segment traffic flows from captured darknet data, distinguish scan from non-scan flows, and categorize scans according to scan width spreads. Event groups are then appraised by applying the criterion that malicious events generated by the same attacker or malicious software should have a similar average packet delay, AvgDly. We have applied the proposed approach to 12 months of darknet traffic data for malicious event grouping. As a result, several large-scale event groups are discovered based on host behavior in the categories of port scan, IP scan and hybrid scan, respectively.

Keywords

Darknet traffic; Malicious events grouping; Port scan; IP scan; Hybrid scan; Packet delay distribution; Traffic flow analysis

Released

13.10.2017

Pages from

5335

Pages to

5353

Pages count

19

BibTeX

@article{BUT141089,
  author="Shaoning {Pang} and Dan {Komosný} and Lei {ZHU} and Ruibin {ZHANG} and Abdolhossein {SARRAFZADEH} and Tao {Ban} and Daisuke {Inoue}",
  title="Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis",
  annote="This paper proposes a host behavior based darknet traffic decomposition approach to identifying groups of malicious events from massive historical darknet traffic. In this approach, we segment traffic flows from captured darknet data, distinguish scan from non-scan flows, and categorize scans according to scan width spreads. Consequently, event groups are appraised by applying the criterion that malicious events generated by the same attacker or malicious software should have similar average packet delay, AvgDly. We have applied the proposed approach to 12 months darknet traffic data for malicious events grouping. As a result, several large scale event groups are discovered on host behavior in the category of port scan, IP scan and hybrid scan, respectively.",
  chapter="141089",
  doi="10.1007/s11277-016-3744-4",
  howpublished="online",
  number="4",
  volume="96",
  year="2017",
  month="october",
  pages="5335--5353",
  type="journal article"
}