This paper proposes a host behavior based darknet traffic decomposition approach to identifying groups of malicious events from massive historical darknet traffic. In this approach, we segment traffic flows from… Click to show full abstract
This paper proposes a host behavior based darknet traffic decomposition approach to identifying groups of malicious events from massive historical darknet traffic. In this approach, we segment traffic flows from captured darknet data, distinguish scan from non-scan flows, and categorize scans according to scan width spreads. Consequently, event groups are appraised by applying the criterion that malicious events generated by the same attacker or malicious software should have similar average packet delay, AvgDly. We have applied the proposed approach to 12 months darknet traffic data for malicious events grouping. As a result, several large scale event groups are discovered on host behavior in the category of port scan, IP scan and hybrid scan, respectively.
Journal Title: Wireless Personal Communications
Year Published: 2017
Link to full text (if available)
Share on Social Media: Sign Up to like & get
recommendations!