A model of analyzing cyber threats trend and tracing potential attackers based on darknet traffic

Choi, Sang-Soo; Song, Jungsuk; Kim, Seokhun; Kim, Soo-Kyun

doi:10.1002/sec.796

Cited by 9 publications

(4 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In prior research [1], [2], [14], [7], [15], [10], [9], [16], [17], [5], [18], [19], darknet data is used to detect botnet hosts, typically by clustering and classifying the src IPs with features such as the dst port and packet size.…”

Section: A Mining Darknet Trafficmentioning

confidence: 99%

“…Unlike other methods that used darknet data streams, e.g. [18], DANTE is not trying to find anomalies on specific ports, but rather find concepts and trends in the data. While methods that find correlations between ports exist [13], (1) they operate offline detecting patterns months after the fact, and (2) do not track the patterns over time.…”

Section: Analysis Of Darknet Trafficmentioning

confidence: 99%

See 1 more Smart Citation

DANTE: A framework for mining and monitoring darknet traffic

Cohen¹,

Mirsky²,

Elovici³

et al. 2020

Preprint

View full text Add to dashboard Cite

Trillions of network packets are sent over the Internet to destinations which do not exist. This 'darknet' traffic captures the activity of botnets and other malicious campaigns aiming to discover and compromise devices around the world. In order to mine threat intelligence from this data, one must be able to handle large streams of logs and represent the traffic patterns in a meaningful way. However, by observing how network ports (services) are used, it is possible to capture the intent of each transmission. In this paper, we present DANTE: a framework and algorithm for mining darknet traffic. DANTE learns the meaning of targeted network ports by applying Word2Vec to observed port sequences. Then, when a host sends a new sequence, DANTE represents the transmission as the average embedding of the ports found that sequence. Finally, DANTE uses a novel and incremental time-series cluster tracking algorithm on observed sequences to detect recurring behaviors and new emerging threats. To evaluate the system, we ran DANTE on a full year of darknet traffic (over three Tera-Bytes) collected by the largest telecommunications provider in Europe, Deutsche Telekom and analyzed the results. DANTE discovered 1,177 new emerging threats and was able to track malicious campaigns over time. We also compared DANTE to the current best approach and found DANTE to be more practical and effective at detecting darknet traffic patterns.

show abstract

Section: A Mining Darknet Trafficmentioning

confidence: 99%

Section: Analysis Of Darknet Trafficmentioning

confidence: 99%

DANTE: A framework for mining and monitoring darknet traffic

Cohen¹,

Mirsky²,

Elovici³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…This result means that the proposed verification methodology can contribute to detection of true negatives that were not identified by the security analyst. Some examples of the 140 true negatives can be referred from our previous work [17].…”

Section: Performance Evaluationmentioning

confidence: 99%

Automated Verification Methodology of Security Events Based on Heuristic Analysis

Song

Lee

Kim

et al. 2015

International Journal of Distributed Sensor Networks

Self Cite

View full text Add to dashboard Cite

We present an automated verification methodology of the security events, that is, IDS alerts, based on heuristic analysis. The proposed verification methodology aims to automatically identify real cyberattacks from the security events and filter out false positive, so that the security analyst is able to conduct security monitoring and response more effectively. For the proposed verification methodology, we used the 1,528,730,667 security events that were obtained from Science and Technology Security Center (S&T-SEC). We then extracted the core security events that were caused by the real cyberattacks. Among the core security events, we selected the top 20 types of the security events in the number of the real attacks that they raised. By analyzing the top 20 types of the security events, we discovered essential elements and optional elements for using in the automated verification of the security events. The evaluation results showed that the proposed verification methodology could contribute to the reduction (about 67%) of the meaningless security events. Furthermore, we demonstrated that the proposed verification methodology contributed to the detection of 140 true negatives that were not identified by the security analyst and the total accuracy of the proposed verification methodology was 96.1%.

show abstract

“…In addition, we carried out a practical correlation analysis of IDS alerts and the darknet traffic, focusing on internal hosts that sent packet(s) to the darknet and showed how security operators are able to effectively identify internal attack hosts using the darknet traffic [13]. However, we did not provide any detailed information about the attack activities of the internal attack hosts and did not inspect them using security software.…”

Section: Introductionmentioning

confidence: 99%

Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

et al. 2017

Self Cite

View full text Add to dashboard Cite

Abstract:The darknet (i.e., a set of unused IP addresses) is a very useful solution for observing the global trends of cyber threats and analyzing attack activities on the Internet. Since the darknet is not connected with real systems, in most cases, the incoming packets on the darknet ('the darknet traffic') do not contain a payload. This means that we are unable to get real malware from the darknet traffic. This situation makes it difficult for security experts (e.g., academic researchers, engineers, operators, etc.) to identify whether the source hosts of the darknet traffic are infected by real malware or not. In this paper, we present the overall procedure of the in-depth analysis between the darknet traffic and IDS alerts using real data collected at the Science and Technology Cyber Security Center (S&T CSC) in Korea and provide the detailed in-depth analysis results. The ultimate goal of this paper is to provide practical experience, insight and know-how to security experts so that they are able to identify and trace the root cause of the darknet traffic. The experimental results show that correlation analysis between the darknet traffic and IDS alerts is very useful to discover potential attack hosts, especially internal hosts, and to find out what kinds of malware infected them.

show abstract

A model of analyzing cyber threats trend and tracing potential attackers based on darknet traffic

Cited by 9 publications

References 22 publications

DANTE: A framework for mining and monitoring darknet traffic

DANTE: A framework for mining and monitoring darknet traffic

Automated Verification Methodology of Security Events Based on Heuristic Analysis

Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

Contact Info

Product

Resources

About