Extended darknet

Multi-dimensional internet threat monitoring system

Akihiro Shimoda, Tatsuya Mori, Shigeki Goto

    Research output: Contribution to journal (Article)

    1 Citation (Scopus)

    Abstract

    Internet threats caused by botnets/worms are one of the most important security issues to be addressed. Darknet, also called a dark IP address space, is one of the best solutions for monitoring anomalous packets sent by malicious software. However, since darknet is deployed only on an inactive IP address space, it is an inefficient way for monitoring a working network that has a considerable number of active IP addresses. The present paper addresses this problem. We propose a scalable, lightweight malicious packet monitoring system based on a multi-dimensional IP/port analysis. Our system significantly extends the monitoring scope of darknet. In order to extend the capacity of darknet, our approach leverages the active IP address space without affecting legitimate traffic. Multidimensional monitoring enables the monitoring of TCP ports with firewalls enabled on each of the IP addresses. We focus on delays of TCP syn/ack responses in the traffic. We locate syn/ack delayed packets and forward them to sensors or honeypots for further analysis. We also propose a policy-based flow classification and forwarding mechanism and develop a prototype of a monitoring system that implements our proposed architecture. We deploy our system on a campus network and perform several experiments for the evaluation of our system. We verify that our system can cover 89% of the IP addresses while darknet-based monitoring only covers 46%. On our campus network, our system monitors twice as many IP addresses as darknet.
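    The abstract describes the core mechanism only at a high level: watch TCP handshakes on the active address space, pick out connection attempts whose SYN/ACK is delayed or never arrives, and hand those flows to a sensor or honeypot according to a forwarding policy. The sketch below is an added illustration of that idea, not code from the paper or its prototype. The packet model, the delay and timeout thresholds, the port-to-sensor policy table and the sample trace are all constructed assumptions; the paper's actual parameters and policy format are not given on this page.

```python
# Added illustration, not code from the paper: a minimal SYN/ACK-delay flow
# classifier with a policy table that decides which flows go to a sensor.
# The packet model, thresholds and sensor names below are constructed
# assumptions; the paper's real parameters are not given on this page.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYN = "SYN"
SYNACK = "SYN/ACK"


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # SYN or SYNACK


# (client ip, client port, server ip, server port); a SYN and the matching
# SYN/ACK normalise to the same key even though their direction differs.
FlowKey = Tuple[str, int, str, int]


def flow_key(p: Packet) -> FlowKey:
    if p.flags == SYN:
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


@dataclass
class Verdict:
    key: FlowKey
    reason: str             # "delayed-synack" or "no-synack"
    delay: Optional[float]  # observed SYN -> SYN/ACK delay, None if never answered
    action: str             # "forward:<sensor>" or "ignore"


class Policy:
    """Port-based forwarding policy: which sensor handles flows to a given port."""

    def __init__(self, port_to_sensor: Dict[int, str], default: str = "ignore"):
        self.port_to_sensor = port_to_sensor
        self.default = default

    def action_for(self, dport: int) -> str:
        sensor = self.port_to_sensor.get(dport)
        return f"forward:{sensor}" if sensor else self.default


def classify(packets: List[Packet], policy: Policy,
             delay_threshold: float = 1.0, timeout: float = 3.0) -> List[Verdict]:
    """Track SYNs, pair them with SYN/ACKs, and emit verdicts for flows whose
    SYN/ACK is late (> delay_threshold) or absent for at least `timeout` s."""
    pending: Dict[FlowKey, float] = {}
    verdicts: List[Verdict] = []
    for p in sorted(packets, key=lambda q: q.ts):
        k = flow_key(p)
        if p.flags == SYN:
            pending.setdefault(k, p.ts)      # retransmitted SYNs keep the first timestamp
        elif p.flags == SYNACK and k in pending:
            delay = p.ts - pending.pop(k)
            if delay > delay_threshold:
                verdicts.append(Verdict(k, "delayed-synack", delay, policy.action_for(k[3])))
    # Flows still unanswered when the trace ends: only those old enough count,
    # so a SYN captured just before the end of the window is not misreported.
    end_ts = max((p.ts for p in packets), default=0.0)
    for k, t0 in pending.items():
        if end_ts - t0 >= timeout:
            verdicts.append(Verdict(k, "no-synack", None, policy.action_for(k[3])))
    return verdicts


# Constructed sample trace (not captured data).
SAMPLE_TRACE = [
    Packet(0.00, "10.0.0.5", 40001, "192.0.2.10", 80, SYN),      # prompt answer -> normal
    Packet(0.05, "192.0.2.10", 80, "10.0.0.5", 40001, SYNACK),
    Packet(0.10, "10.0.0.5", 40002, "192.0.2.11", 22, SYN),      # answered 1.5 s later -> late
    Packet(1.60, "192.0.2.11", 22, "10.0.0.5", 40002, SYNACK),
    Packet(0.20, "10.0.0.5", 40003, "192.0.2.12", 445, SYN),     # never answered
    Packet(1.20, "10.0.0.5", 40003, "192.0.2.12", 445, SYN),     # retransmit of the same SYN
    Packet(0.30, "10.0.0.5", 40004, "192.0.2.13", 3389, SYN),    # never answered, port not in policy
    Packet(4.90, "10.0.0.5", 40005, "192.0.2.14", 8080, SYN),    # unanswered but too recent to judge
    Packet(5.00, "10.0.0.7", 40010, "192.0.2.10", 80, SYN),
    Packet(5.02, "192.0.2.10", 80, "10.0.0.7", 40010, SYNACK),
]

POLICY = Policy({22: "ssh-honeypot", 445: "smb-sensor"})


def run_demo() -> List[Verdict]:
    return classify(SAMPLE_TRACE, POLICY)


if __name__ == "__main__":
    for v in run_demo():
        print(f"{v.key[0]}:{v.key[1]} -> {v.key[2]}:{v.key[3]}  {v.reason:15} "
              f"delay={v.delay}  {v.action}")
```

    Two design points carry over to a real deployment. First, pairing the SYN/ACK with its SYN by a direction-normalised flow key is what lets the monitor sit on the active address space: a host that answers promptly is never touched, so legitimate traffic is unaffected, which is the property the abstract emphasises. Second, the timeout check is evaluated relative to the end of the observation window, so a connection attempt that is simply still in progress is not forwarded prematurely; in a live system the same logic runs periodically against a sliding window rather than once over a finished trace.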

    Original language: English
    Pages (from-to): 1915-1923
    Number of pages: 9
    Journal: IEICE Transactions on Communications
    Volume: E95-B
    Issue number: 6
    DOI: 10.1587/transcom.E95.B.1915
    Publication status: Published - 2012 Jun

    Fingerprint

    Computer systems
    Internet
    Monitoring
    Computer worms
    Sensors
    Experiments

    Keywords

    • Darknet
    • Internet threat
    • Multi-dimensional monitoring
    • Sensor

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering
    • Computer Networks and Communications
    • Software

    Cite this

    Extended darknet : Multi-dimensional internet threat monitoring system. / Shimoda, Akihiro; Mori, Tatsuya; Goto, Shigeki.

    In: IEICE Transactions on Communications, Vol. E95-B, No. 6, 06.2012, p. 1915-1923.


    Shimoda, Akihiro ; Mori, Tatsuya ; Goto, Shigeki. / Extended darknet : Multi-dimensional internet threat monitoring system. In: IEICE Transactions on Communications. 2012 ; Vol. E95-B, No. 6. pp. 1915-1923.
    @article{239446e936ad483a831e5e8911de7ca3,
    title = "Extended darknet: Multi-dimensional internet threat monitoring system",
    abstract = "Internet threats caused by botnets/worms are one of the most important security issues to be addressed. Darknet, also called a dark IP address space, is one of the best solutions for monitoring anomalous packets sent by malicious software. However, since darknet is deployed only on an inactive IP address space, it is an inefficient way for monitoring a working network that has a considerable number of active IP addresses. The present paper addresses this problem. We propose a scalable, lightweight malicious packet monitoring system based on a multi-dimensional IP/port analysis. Our system significantly extends the monitoring scope of darknet. In order to extend the capacity of darknet, our approach leverages the active IP address space without affecting legitimate traffic. Multidimensional monitoring enables the monitoring of TCP ports with firewalls enabled on each of the IP addresses. We focus on delays of TCP syn/ack responses in the traffic. We locate syn/ack delayed packets and forward them to sensors or honeypots for further analysis. We also propose a policy-based flow classification and forwarding mechanism and develop a prototype of a monitoring system that implements our proposed architecture. We deploy our system on a campus network and perform several experiments for the evaluation of our system. We verify that our system can cover 89{\%} of the IP addresses while darknet-based monitoring only covers 46{\%}. On our campus network, our system monitors twice as many IP addresses as darknet.",
    keywords = "Darknet, Internet threat, Multi-dimensional monitoring, Sensor",
    author = "Akihiro Shimoda and Tatsuya Mori and Shigeki Goto",
    year = "2012",
    month = "6",
    doi = "10.1587/transcom.E95.B.1915",
    language = "English",
    volume = "E95-B",
    pages = "1915--1923",
    journal = "IEICE Transactions on Communications",
    issn = "0916-8516",
    publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",
    number = "6",
    }

    TY - JOUR

    T1 - Extended darknet

    T2 - Multi-dimensional internet threat monitoring system

    AU - Shimoda, Akihiro

    AU - Mori, Tatsuya

    AU - Goto, Shigeki

    PY - 2012/6

    Y1 - 2012/6

    N2 - Internet threats caused by botnets/worms are one of the most important security issues to be addressed. Darknet, also called a dark IP address space, is one of the best solutions for monitoring anomalous packets sent by malicious software. However, since darknet is deployed only on an inactive IP address space, it is an inefficient way for monitoring a working network that has a considerable number of active IP addresses. The present paper addresses this problem. We propose a scalable, lightweight malicious packet monitoring system based on a multi-dimensional IP/port analysis. Our system significantly extends the monitoring scope of darknet. In order to extend the capacity of darknet, our approach leverages the active IP address space without affecting legitimate traffic. Multidimensional monitoring enables the monitoring of TCP ports with firewalls enabled on each of the IP addresses. We focus on delays of TCP syn/ack responses in the traffic. We locate syn/ack delayed packets and forward them to sensors or honeypots for further analysis. We also propose a policy-based flow classification and forwarding mechanism and develop a prototype of a monitoring system that implements our proposed architecture. We deploy our system on a campus network and perform several experiments for the evaluation of our system. We verify that our system can cover 89% of the IP addresses while darknet-based monitoring only covers 46%. On our campus network, our system monitors twice as many IP addresses as darknet.

    AB - Internet threats caused by botnets/worms are one of the most important security issues to be addressed. Darknet, also called a dark IP address space, is one of the best solutions for monitoring anomalous packets sent by malicious software. However, since darknet is deployed only on an inactive IP address space, it is an inefficient way for monitoring a working network that has a considerable number of active IP addresses. The present paper addresses this problem. We propose a scalable, lightweight malicious packet monitoring system based on a multi-dimensional IP/port analysis. Our system significantly extends the monitoring scope of darknet. In order to extend the capacity of darknet, our approach leverages the active IP address space without affecting legitimate traffic. Multidimensional monitoring enables the monitoring of TCP ports with firewalls enabled on each of the IP addresses. We focus on delays of TCP syn/ack responses in the traffic. We locate syn/ack delayed packets and forward them to sensors or honeypots for further analysis. We also propose a policy-based flow classification and forwarding mechanism and develop a prototype of a monitoring system that implements our proposed architecture. We deploy our system on a campus network and perform several experiments for the evaluation of our system. We verify that our system can cover 89% of the IP addresses while darknet-based monitoring only covers 46%. On our campus network, our system monitors twice as many IP addresses as darknet.

    KW - Darknet

    KW - Internet threat

    KW - Multi-dimensional monitoring

    KW - Sensor

    UR - http://www.scopus.com/inward/record.url?scp=84861822377&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84861822377&partnerID=8YFLogxK

    U2 - 10.1587/transcom.E95.B.1915

    DO - 10.1587/transcom.E95.B.1915

    M3 - Article

    VL - E95-B

    SP - 1915

    EP - 1923

    JO - IEICE Transactions on Communications

    JF - IEICE Transactions on Communications

    SN - 0916-8516

    IS - 6

    ER -