Detection of DDoS Backscatter Based on Traffic Features of Darknet TCP Packets

Furutani, Nobuaki; Ban, Tao; Nakazato, Junji; Shimamura, Jumpei; Kitazono, Jun; Ozawa, Seiichi

doi:10.1109/asiajcis.2014.23

Cited by 19 publications

(9 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In prior research [1], [2], [14], [7], [15], [10], [9], [16], [17], [5], [18], [19], darknet data is used to detect botnet hosts, typically by clustering and classifying the src IPs with features such as the dst port and packet size.…”

Section: A Mining Darknet Trafficmentioning

confidence: 99%

DANTE: A framework for mining and monitoring darknet traffic

Cohen¹,

Mirsky²,

Elovici³

et al. 2020

Preprint

View full text Add to dashboard Cite

Trillions of network packets are sent over the Internet to destinations which do not exist. This 'darknet' traffic captures the activity of botnets and other malicious campaigns aiming to discover and compromise devices around the world. In order to mine threat intelligence from this data, one must be able to handle large streams of logs and represent the traffic patterns in a meaningful way. However, by observing how network ports (services) are used, it is possible to capture the intent of each transmission. In this paper, we present DANTE: a framework and algorithm for mining darknet traffic. DANTE learns the meaning of targeted network ports by applying Word2Vec to observed port sequences. Then, when a host sends a new sequence, DANTE represents the transmission as the average embedding of the ports found that sequence. Finally, DANTE uses a novel and incremental time-series cluster tracking algorithm on observed sequences to detect recurring behaviors and new emerging threats. To evaluate the system, we ran DANTE on a full year of darknet traffic (over three Tera-Bytes) collected by the largest telecommunications provider in Europe, Deutsche Telekom and analyzed the results. DANTE discovered 1,177 new emerging threats and was able to track malicious campaigns over time. We also compared DANTE to the current best approach and found DANTE to be more practical and effective at detecting darknet traffic patterns.

show abstract

Section: A Mining Darknet Trafficmentioning

confidence: 99%

DANTE: A framework for mining and monitoring darknet traffic

Cohen¹,

Mirsky²,

Elovici³

et al. 2020

Preprint

View full text Add to dashboard Cite

show abstract

“…Through investigation of related works, we find that detection features mainly include: entropy [24]- [27], conditional entropy [28], Renyi entropy [29], ϕ-entropy of source ip (destination ip, protocol) [30], occurrence rate of TCP packet (UDP packet, ICMP packet) [25], percent of packets with the port number 80, variance of the numbers of packets to each destination ip, average of payloads, probability of occurrence of IP [31], mean time intervals (MTI), TTL, time stamp, ACK value, SYN value [32], variation index of source IPs [33], answer resource record, authority resource record, average packet size [34] and etc. Among the above 38 features, the most widely used features are the following 13 ones: entropy of source ip (H (Sip)), entropy of destination ip (H (Dip)), entropy of source port (H (Sport)), entropy of destination port (H (Dport)), conditional entropy of source ip given destination ip (H (Sip | Dip)), conditional entropy of source ip given destination port (H (Sip | Dport)), conditional entropy of destination port given destination ip (H (Dport | Dip)), One-Way Connection Density (OWCD), entropy of packet type (H (PacType)), occurrence rate of TCP packet (TCPRate), occurrence rate of UDP packet (UDPRate) and occurrence rate of ICMP packet (ICMPRate), time interval of packets (PckTimeInt).…”

Section: A Candidate Feature Setmentioning

confidence: 99%

Semi-Supervised K-Means DDoS Detection Method Using Hybrid Feature Selection Algorithm

Guo

et al. 2019

IEEE Access

121

View full text Add to dashboard Cite

Distributed denial of service (DDoS) attack is an attempt to make an online service unavailable by overwhelming it with traffic from multiple sources. Therefore, it is necessary to propose an effective method to detect DDoS attack from massive data traffics. However, the existing schemes have some limitations, including that supervised learning methods, need large numbers of labeled data and unsupervised learning algorithms have relatively low detection rate and high false positive rate. In order to tackle these issues, this paper presents a semi-supervised weighted k-means detection method. Specifically, we firstly present a Hadoop-based hybrid feature selection algorithm to find the most effective feature sets and propose an improved density-based initial cluster centers selection algorithm to solve the problem of outliers and local optimal. Then, we provide the Semi-supervised K-means algorithm using hybrid feature selection (SKM-HFS) to detect attacks. Finally, we exploit DARPA DDoS dataset, CAIDA ''DDoS attack 2007'' dataset, CICIDS ''DDoS attack 2017'' dataset and real-world dataset to carry out the verification experiment. The experiment results have demonstrated that the proposed method outperforms the benchmark in the respect of detection performance and technique for order preference by similarity to an ideal solution (TOPSIS) evaluation factor.INDEX TERMS DDoS attack, semi-supervised k-means, Hadoop-based hybrid feature selection, ratio of average sum of squared errors (SSE) to cluster distance (RSD), TOPSIS.

show abstract

“…Cyber attacks are currently experiencing an exciting development with various targets and patterns [1][2][3][4][5]. DDoS is a malicious attack that blocks the traffic of a server service by flooding the target or the surrounding infrastructure [6][7][8]. Millennials are targets and attackers to disrupt and undermine reputation.…”

Section: Introductionmentioning

confidence: 99%

Network Forensics Against Volumetric-Based Distributed Denial of Service Attacks on Cloud and the Edge Computing

Yudhana¹,

Riadi²,

Suharti³

2022

IJSSE

View full text Add to dashboard Cite

Cyber attacks are increasingly rampant and even damage the reputation of companies, agencies, and services. DDoS attacks have been overgrowing in the last year, which has resulted in substantial losses. Volumetric-based Distributed Denial of Service (DDoS) is a hazardous attack type because it can consume server resources, causing the server to be unable to serve customer requests. The network design consisting of hardware and software becomes the essential capital that is a determinant of the quality of a network in the long term. A firewall is one way to stop the occurrence of DDoS. Forensics and mitigation in this study apply Packet Filtering Firewall and Circuit Level Gateway Firewall against ICMP-Flood DDoS attacks. The research methodology is a simulated experiment on cloud and edge computing networks. Forensics and mitigation in cloud computing are carried out at layer 3, the Internet Protocol layer TCP/IP model, by applying a Packet-Filtering Firewall with a success rate of 64%-69% traffic reduction. In contrast, the success of reducing server resource usage is 73.75%. At the same time, Edge computing is carried out at layer 4, namely the Transport Protocol layer TCP/IP model, by applying a Circuit-Level Gateway Firewall with a success rate of reducing traffic by 55%-98.88%. In comparison, the success of lowering server resource usage is 96% and restoring traffic and paralyzed servers to normal position.

show abstract

Detection of DDoS Backscatter Based on Traffic Features of Darknet TCP Packets

Cited by 19 publications

References 14 publications

DANTE: A framework for mining and monitoring darknet traffic

DANTE: A framework for mining and monitoring darknet traffic

Semi-Supervised K-Means DDoS Detection Method Using Hybrid Feature Selection Algorithm

Network Forensics Against Volumetric-Based Distributed Denial of Service Attacks on Cloud and the Edge Computing

Contact Info

Product

Resources

About