TY - JOUR
T1 - Detecting and Interpreting Changes in Scanning Behavior in Large Network Telescopes
AU - Kallitsis, Michalis
AU - Prajapati, Rupesh
AU - Honavar, Vasant
AU - Wu, Dinghao
AU - Yen, John
N1 - Publisher Copyright:
© 2005-2012 IEEE.
PY - 2022
Y1 - 2022
N2 - Network telescopes or 'Darknets' receive unsolicited Internet-wide traffic, thus providing a unique window into macroscopic Internet activities associated with malware propagation, denial of service attacks, network reconnaissance, misconfigurations and network outages. Analysis of the resulting data can provide actionable insights to security analysts that can be used to prevent or mitigate cyber-threats. Large network telescopes, however, observe millions of nefarious scanning activities on a daily basis, which makes the transformation of the captured information into meaningful threat intelligence challenging. To address this challenge, we present a novel framework for characterizing the structure and temporal evolution of scanning behaviors observed in network telescopes. The proposed framework includes four components. It (i) extracts a rich, high-dimensional representation of scanning profiles composed of features distilled from network telescope data; (ii) learns, in an unsupervised fashion, information-preserving succinct representations of these scanning behaviors using deep representation learning that is amenable to clustering; (iii) performs clustering of the scanner profiles in the resulting latent representation space on daily Darknet data, and (iv) detects temporal changes in scanning behavior using techniques from optimal mass transport. We robustly evaluate the proposed system using both synthetic data and real-world Darknet data. We demonstrate its ability to detect real-world, high-impact cybersecurity incidents such as the onset of the Mirai botnet in late 2016 and several interesting cluster formations in early 2022 (e.g., heavy scanners, evolved Mirai variants, Darknet 'backscatter' activities, etc.). Comparisons with state-of-the-art methods showcase that the integration of the proposed features with the deep representation learning scheme leads to better classification performance of Darknet scanners.
AB - Network telescopes or 'Darknets' receive unsolicited Internet-wide traffic, thus providing a unique window into macroscopic Internet activities associated with malware propagation, denial of service attacks, network reconnaissance, misconfigurations and network outages. Analysis of the resulting data can provide actionable insights to security analysts that can be used to prevent or mitigate cyber-threats. Large network telescopes, however, observe millions of nefarious scanning activities on a daily basis, which makes the transformation of the captured information into meaningful threat intelligence challenging. To address this challenge, we present a novel framework for characterizing the structure and temporal evolution of scanning behaviors observed in network telescopes. The proposed framework includes four components. It (i) extracts a rich, high-dimensional representation of scanning profiles composed of features distilled from network telescope data; (ii) learns, in an unsupervised fashion, information-preserving succinct representations of these scanning behaviors using deep representation learning that is amenable to clustering; (iii) performs clustering of the scanner profiles in the resulting latent representation space on daily Darknet data, and (iv) detects temporal changes in scanning behavior using techniques from optimal mass transport. We robustly evaluate the proposed system using both synthetic data and real-world Darknet data. We demonstrate its ability to detect real-world, high-impact cybersecurity incidents such as the onset of the Mirai botnet in late 2016 and several interesting cluster formations in early 2022 (e.g., heavy scanners, evolved Mirai variants, Darknet 'backscatter' activities, etc.). Comparisons with state-of-the-art methods showcase that the integration of the proposed features with the deep representation learning scheme leads to better classification performance of Darknet scanners.
UR - http://www.scopus.com/inward/record.url?scp=85139849328&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85139849328&partnerID=8YFLogxK
U2 - 10.1109/TIFS.2022.3211644
DO - 10.1109/TIFS.2022.3211644
M3 - Article
AN - SCOPUS:85139849328
SN - 1556-6013
VL - 17
SP - 3611
EP - 3625
JO - IEEE Transactions on Information Forensics and Security
JF - IEEE Transactions on Information Forensics and Security
ER -
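Added illustration of components (i) and (iv) from the abstract above; this is not code from the paper or its authors. It aggregates synthetic telescope flows into per-source scanner profiles and then scores the day-to-day change in the scanner population with a one-dimensional optimal-transport (Wasserstein-1) distance per feature. The paper applies optimal mass transport to clusters in a learned latent space; the per-feature 1-D distance here is a simplified stand-in for that step. All source addresses, flows, the Mirai-like 23/tcp burst on the last day, the feature set and the flagging factor are constructed for the example.

```python
"""Constructed example: scanner profiles from synthetic darknet flows and a
Wasserstein-1 change score between consecutive days. Not the paper's code."""
import random
from collections import defaultdict


def make_day(seed, n_background, n_burst=0):
    """Synthesise one day of telescope flows as (src, dst, dport, proto) tuples.
    Background sources send 1-5 probes to common ports; optional burst sources
    mimic a Mirai-like cohort hammering 23/tcp across many target addresses."""
    rng = random.Random(seed)
    flows = []
    for i in range(n_background):
        src = f"198.51.100.{i % 256}"  # TEST-NET-2, constructed background sources
        for _ in range(rng.randint(1, 5)):
            flows.append((src, f"192.0.2.{rng.randint(0, 255)}",
                          rng.choice([22, 80, 443, 3389, 8080]),
                          rng.choice(["tcp", "udp"])))
    for i in range(n_burst):
        src = f"203.0.113.{i % 256}"  # TEST-NET-3, constructed burst sources
        for _ in range(40):
            flows.append((src, f"192.0.2.{rng.randint(0, 255)}", 23, "tcp"))
    return flows


def scanner_profiles(flows):
    """Component (i), simplified: aggregate flows per source into a feature vector."""
    per_src = defaultdict(list)
    for src, dst, dport, proto in flows:
        per_src[src].append((dst, dport, proto))
    profiles = {}
    for src, evs in per_src.items():
        profiles[src] = {
            "n_dst_ips": len({dst for dst, _, _ in evs}),
            "n_dst_ports": len({dport for _, dport, _ in evs}),
            "n_pkts": len(evs),
            "tcp_frac": sum(proto == "tcp" for _, _, proto in evs) / len(evs),
        }
    return profiles


def wasserstein_1d(a, b):
    """W1 distance between two empirical 1-D distributions of any sample sizes:
    the integral of |F_a(x) - F_b(x)| over the merged support."""
    a, b = sorted(a), sorted(b)
    na, nb = len(a), len(b)
    ia = ib = 0
    fa = fb = 0.0
    total = 0.0
    prev = None
    for x in sorted(set(a) | set(b)):
        if prev is not None:
            total += abs(fa - fb) * (x - prev)
        while ia < na and a[ia] <= x:
            ia += 1
        while ib < nb and b[ib] <= x:
            ib += 1
        fa, fb = ia / na, ib / nb
        prev = x
    return total


FEATURES = ("n_dst_ips", "n_dst_ports", "n_pkts", "tcp_frac")


def change_score(profiles_prev, profiles_cur):
    """Component (iv), simplified: per-feature W1 between two days' scanner
    populations, summed. A large value means the population moved, e.g. because
    a new cohort of scanners appeared."""
    dists = {f: wasserstein_1d([p[f] for p in profiles_prev.values()],
                               [p[f] for p in profiles_cur.values()])
             for f in FEATURES}
    return sum(dists.values()), dists


def daily_scores(days):
    """Change score for every consecutive pair of days."""
    profs = [scanner_profiles(d) for d in days]
    return [change_score(profs[i - 1], profs[i])[0] for i in range(1, len(profs))]


def flag_changes(scores, factor=5.0, min_baseline=2):
    """Flag transition i when its score exceeds `factor` times the mean of the
    earlier (baseline) scores; needs at least `min_baseline` earlier transitions.
    A crude stand-in for a tuned threshold."""
    flagged = []
    for i, s in enumerate(scores):
        if i >= min_baseline and s > factor * (sum(scores[:i]) / i):
            flagged.append(i)
    return flagged


# Three quiet days followed by one with a 60-source 23/tcp burst (constructed).
DAYS = [make_day(1, 200), make_day(2, 200), make_day(3, 200),
        make_day(4, 200, n_burst=60)]

if __name__ == "__main__":
    scores = daily_scores(DAYS)
    for i, s in enumerate(scores):
        print(f"day {i} -> day {i + 1}: change score {s:.2f}")
    print("flagged transitions:", flag_changes(scores))
```

The quiet-day transitions stay well under 1.0 because both days are drawn from the same background model; the burst day moves roughly a quarter of the population to about 40 packets and about 37 distinct targets per source, which alone contributes a W1 of several units on each of `n_pkts` and `n_dst_ips`. In practice the distance would be taken between cluster-level mass distributions rather than raw per-feature marginals, and the threshold would be calibrated on a longer baseline.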