Extended darknet: Multi-dimensional internet threat monitoring system

Akihiro Shimoda, Tatsuya Mori, Shigeki Goto

Research output: Contribution to journalArticle

1 Citation (Scopus)

Abstract

Internet threats caused by botnets/worms are one of the most important security issues to be addressed. Darknet, also called a dark IP address space, is one of the best solutions for monitoring anomalous packets sent by malicious software. However, since darknet is deployed only on an inactive IP address space, it is an inefficient way for monitoring a working network that has a considerable number of active IP addresses. The present paper addresses this problem. We propose a scalable, lightweight malicious packet monitoring system based on a multi-dimensional IP/port analysis. Our system significantly extends the monitoring scope of darknet. In order to extend the capacity of darknet, our approach leverages the active IP address space without affecting legitimate traffic. Multidimensional monitoring enables the monitoring of TCP ports with firewalls enabled on each of the IP addresses. We focus on delays of TCP syn/ack responses in the traffic. We locate syn/ack delayed packets and forward them to sensors or honeypots for further analysis. We also propose a policy-based flow classification and forwarding mechanism and develop a prototype of a monitoring system that implements our proposed architecture. We deploy our system on a campus network and perform several experiments for the evaluation of our system. We verify that our system can cover 89% of the IP addresses while darknet-based monitoring only covers 46%. On our campus network, our system monitors twice as many IP addresses as darknet.

Original languageEnglish
Pages (from-to)1915-1923
Number of pages9
JournalIEICE Transactions on Communications
VolumeE95-B
Issue number6
DOIs
Publication statusPublished - 2012 Jun

    Fingerprint

Keywords

  • Darknet
  • Internet threat
  • Multi-dimensional monitoring
  • Sensor

ASJC Scopus subject areas

  • Software
  • Computer Networks and Communications
  • Electrical and Electronic Engineering

Cite this