TY - GEN
T1 - Increasing the darkness of darknet traffic
AU - Haga, Yumehisa
AU - Saso, Akira
AU - Mori, Tatsuya
AU - Goto, Shigeki
PY - 2015
Y1 - 2015
N2 - A Darknet is a passive sensor system that monitors traffic routed to unused IP address space. Darknets have been widely used as tools to detect malicious activities such as propagating worms, thanks to the useful feature that most packets observed by a darknet can be assumed to have originated from non-legitimate hosts. Recent commoditization of Internet-scale survey traffic originating from legitimate hosts could overwhelm the traffic that was originally supposed to be monitored with a darknet. Based on this observation, we posed the following research question: "Can the Internet-scale survey traffic become noise when we analyze darknet traffic?" To answer this question, we propose a novel framework, ID2, to increase the darkness of darknet traffic, i.e., ID2 discriminates between Internet-scale survey traffic originating from legitimate hosts and other traffic potentially associated with malicious activities. It leverages two intrinsic characteristics of Internet-scale survey traffic: a network-level property and some form of footprint explicitly indicated by surveyors. When we analyzed darknet traffic using ID2, we saw that Internet-scale traffic can be noise. We also demonstrated that the discrimination of survey traffic exposes hidden traffic anomalies, which are invisible without using our technique.
AB - A Darknet is a passive sensor system that monitors traffic routed to unused IP address space. Darknets have been widely used as tools to detect malicious activities such as propagating worms, thanks to the useful feature that most packets observed by a darknet can be assumed to have originated from non-legitimate hosts. Recent commoditization of Internet-scale survey traffic originating from legitimate hosts could overwhelm the traffic that was originally supposed to be monitored with a darknet. Based on this observation, we posed the following research question: "Can the Internet-scale survey traffic become noise when we analyze darknet traffic?" To answer this question, we propose a novel framework, ID2, to increase the darkness of darknet traffic, i.e., ID2 discriminates between Internet-scale survey traffic originating from legitimate hosts and other traffic potentially associated with malicious activities. It leverages two intrinsic characteristics of Internet-scale survey traffic: a network-level property and some form of footprint explicitly indicated by surveyors. When we analyzed darknet traffic using ID2, we saw that Internet-scale traffic can be noise. We also demonstrated that the discrimination of survey traffic exposes hidden traffic anomalies, which are invisible without using our technique.
UR - http://www.scopus.com/inward/record.url?scp=84964874863&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84964874863&partnerID=8YFLogxK
U2 - 10.1109/GLOCOM.2014.7416973
DO - 10.1109/GLOCOM.2014.7416973
M3 - Conference contribution
AN - SCOPUS:84964874863
T3 - 2015 IEEE Global Communications Conference, GLOBECOM 2015
BT - 2015 IEEE Global Communications Conference, GLOBECOM 2015
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 58th IEEE Global Communications Conference, GLOBECOM 2015
Y2 - 6 December 2015 through 10 December 2015
ER -