Publication detail

Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis

PANG, S. KOMOSNÝ, D. ZHU, L. ZHANG, R. SARRAFZADEH, A. BAN, T. INOUE, D.

Original Title

Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis

Type

journal article in Web of Science

Language

English

Original Abstract

This paper proposes a host behavior based darknet traffic decomposition approach to identifying groups of malicious events from massive historical darknet traffic. In this approach, we segment traffic flows from captured darknet data, distinguish scan from non-scan flows, and categorize scans according to scan width spreads. Consequently, event groups are appraised by applying the criterion that malicious events generated by the same attacker or malicious software should have similar average packet delay, AvgDly. We have applied the proposed approach to 12 months darknet traffic data for malicious events grouping. As a result, several large scale event groups are discovered on host behavior in the category of port scan, IP scan and hybrid scan, respectively.

Keywords

Darknet traffic; Malicious events grouping; Port scan; IP scan; Hybrid scan; Packet delay distribution; Traffic flow analysis

Authors

PANG, S.; KOMOSNÝ, D.; ZHU, L.; ZHANG, R.; SARRAFZADEH, A.; BAN, T.; INOUE, D.

Released

13. 10. 2017

ISBN

0929-6212

Periodical

WIRELESS PERSONAL COMMUNICATIONS

Year of study

96

Number

4

State

Kingdom of the Netherlands

Pages from

5335

Pages to

5353

Pages count

19

BibTex

@article{BUT141089,
  author="Shaoning {Pang} and Dan {Komosný} and Lei {ZHU} and Ruibin {ZHANG} and Abdolhossein {SARRAFZADEH} and Tao {Ban} and Daisuke {Inoue}",
  title="Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis",
  journal="WIRELESS PERSONAL COMMUNICATIONS",
  year="2017",
  volume="96",
  number="4",
  pages="5335--5353",
  doi="10.1007/s11277-016-3744-4",
  issn="0929-6212"
}