Shedding light into the darknet: scanning characterization and detection of temporal changes

Rupesh Prajapati; Vasant Honavar; Dinghao Wu; John Yen; Michalis Kallitsis

doi:10.1145/3485983.3493347

Shedding light into the darknet: scanning characterization and detection of temporal changes

Rupesh Prajapati, Vasant Honavar, Dinghao Wu, John Yen, Michalis Kallitsis

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Network telescopes provide a unique window into Internet-wide malicious activities associated with malware propagation, denial of service attacks, network reconnaissance, and others. Analyses of this telescope data can highlight ongoing malicious events in the Internet which can be used to prevent or mitigate cyber-threats in real-time. However, large telescopes observe millions of events on a daily basis which renders the task of transforming this knowledge to meaningful insights challenging. In order to address this, we present a novel framework for characterizing Internet's background radiation and for tracking its temporal evolution. The proposed framework: (i) Extracts a high dimensional representation of telescope scanners composed of features distilled from telescope data and learns an information-preserving low-dimensional representation of these events that is amenable to clustering; (ii) Performs clustering of resulting representation space to characterize the scanners and (iii) Utilizes the clustering outcomes as "signatures"to detect temporal changes in the network telescope.

Original language	English (US)
Title of host publication	CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies
Publisher	Association for Computing Machinery, Inc
Pages	469-470
Number of pages	2
ISBN (Electronic)	9781450390989
DOIs	https://doi.org/10.1145/3485983.3493347
State	Published - Dec 2 2021
Event	17th ACM International Conference on emerging Networking EXperiments and Technologies, CoNEXT 2021 - Virtual, Online, Germany Duration: Dec 7 2021 → Dec 10 2021

Publication series

Name	CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies

Conference

Conference	17th ACM International Conference on emerging Networking EXperiments and Technologies, CoNEXT 2021
Country/Territory	Germany
City	Virtual, Online
Period	12/7/21 → 12/10/21

All Science Journal Classification (ASJC) codes

Hardware and Architecture
Computer Science Applications
Computer Networks and Communications

Access to Document

10.1145/3485983.3493347

Cite this

Prajapati, R., Honavar, V., Wu, D., Yen, J., & Kallitsis, M. (2021). Shedding light into the darknet: scanning characterization and detection of temporal changes. In CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies (pp. 469-470). (CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies). Association for Computing Machinery, Inc. https://doi.org/10.1145/3485983.3493347

Prajapati, Rupesh ; Honavar, Vasant ; Wu, Dinghao et al. / Shedding light into the darknet : scanning characterization and detection of temporal changes. CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies. Association for Computing Machinery, Inc, 2021. pp. 469-470 (CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies).

@inproceedings{81407de5b6b24ba0b165dea4e137bb68,

title = "Shedding light into the darknet: scanning characterization and detection of temporal changes",

abstract = "Network telescopes provide a unique window into Internet-wide malicious activities associated with malware propagation, denial of service attacks, network reconnaissance, and others. Analyses of this telescope data can highlight ongoing malicious events in the Internet which can be used to prevent or mitigate cyber-threats in real-time. However, large telescopes observe millions of events on a daily basis which renders the task of transforming this knowledge to meaningful insights challenging. In order to address this, we present a novel framework for characterizing Internet's background radiation and for tracking its temporal evolution. The proposed framework: (i) Extracts a high dimensional representation of telescope scanners composed of features distilled from telescope data and learns an information-preserving low-dimensional representation of these events that is amenable to clustering; (ii) Performs clustering of resulting representation space to characterize the scanners and (iii) Utilizes the clustering outcomes as {"}signatures{"}to detect temporal changes in the network telescope.",

author = "Rupesh Prajapati and Vasant Honavar and Dinghao Wu and John Yen and Michalis Kallitsis",

note = "Funding Information: We presented a novel framework towards network situational awareness. In addition to Darknet characterization (also done in other works, e.g., [4]), our approach utilizes the clustering outcomes to detect structural changes in the Darknet. Timely detection of such behavior would lead to rapid mitigation of emerging threats (e.g., zero-day exploits). As part of ongoing work, we plan to expand the set of features we select (e.g., introduce some of the ones in [3, 5]) to enhance the clustering interpretation. Moreover, given the limitations of running a centralized Darknet sensor [5], we plan to integrate additional data sources into our system (e.g., distributed honeypots, VirusTotal, ExploitDB, etc.) to further validate our results and to apply our techniques to other critical data sources. Acknowledgements This work is partially supported by the U.S. DHS under Grant Award Number 17STQAC00001-05-00 and by the NSF CNS-1823192 award. The views and conclusions contained here are those of the authors and should not be interpreted as necessarily representing the official policies of the sponsor. Publisher Copyright: {\textcopyright} 2021 Owner/Author.; 17th ACM International Conference on emerging Networking EXperiments and Technologies, CoNEXT 2021 ; Conference date: 07-12-2021 Through 10-12-2021",

year = "2021",

month = dec,

day = "2",

doi = "10.1145/3485983.3493347",

language = "English (US)",

series = "CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies",

publisher = "Association for Computing Machinery, Inc",

pages = "469--470",

booktitle = "CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies",

}

Prajapati, R, Honavar, V , Wu, D , Yen, J & Kallitsis, M 2021, Shedding light into the darknet: scanning characterization and detection of temporal changes. in CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies. CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies, Association for Computing Machinery, Inc, pp. 469-470, 17th ACM International Conference on emerging Networking EXperiments and Technologies, CoNEXT 2021, Virtual, Online, Germany, 12/7/21. https://doi.org/10.1145/3485983.3493347

Shedding light into the darknet : scanning characterization and detection of temporal changes. / Prajapati, Rupesh; Honavar, Vasant ; Wu, Dinghao et al.

CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies. Association for Computing Machinery, Inc, 2021. p. 469-470 (CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Shedding light into the darknet

T2 - 17th ACM International Conference on emerging Networking EXperiments and Technologies, CoNEXT 2021

AU - Prajapati, Rupesh

AU - Honavar, Vasant

AU - Wu, Dinghao

AU - Yen, John

AU - Kallitsis, Michalis

N1 - Funding Information: We presented a novel framework towards network situational awareness. In addition to Darknet characterization (also done in other works, e.g., [4]), our approach utilizes the clustering outcomes to detect structural changes in the Darknet. Timely detection of such behavior would lead to rapid mitigation of emerging threats (e.g., zero-day exploits). As part of ongoing work, we plan to expand the set of features we select (e.g., introduce some of the ones in [3, 5]) to enhance the clustering interpretation. Moreover, given the limitations of running a centralized Darknet sensor [5], we plan to integrate additional data sources into our system (e.g., distributed honeypots, VirusTotal, ExploitDB, etc.) to further validate our results and to apply our techniques to other critical data sources. Acknowledgements This work is partially supported by the U.S. DHS under Grant Award Number 17STQAC00001-05-00 and by the NSF CNS-1823192 award. The views and conclusions contained here are those of the authors and should not be interpreted as necessarily representing the official policies of the sponsor. Publisher Copyright: © 2021 Owner/Author.

PY - 2021/12/2

Y1 - 2021/12/2

N2 - Network telescopes provide a unique window into Internet-wide malicious activities associated with malware propagation, denial of service attacks, network reconnaissance, and others. Analyses of this telescope data can highlight ongoing malicious events in the Internet which can be used to prevent or mitigate cyber-threats in real-time. However, large telescopes observe millions of events on a daily basis which renders the task of transforming this knowledge to meaningful insights challenging. In order to address this, we present a novel framework for characterizing Internet's background radiation and for tracking its temporal evolution. The proposed framework: (i) Extracts a high dimensional representation of telescope scanners composed of features distilled from telescope data and learns an information-preserving low-dimensional representation of these events that is amenable to clustering; (ii) Performs clustering of resulting representation space to characterize the scanners and (iii) Utilizes the clustering outcomes as "signatures"to detect temporal changes in the network telescope.

AB - Network telescopes provide a unique window into Internet-wide malicious activities associated with malware propagation, denial of service attacks, network reconnaissance, and others. Analyses of this telescope data can highlight ongoing malicious events in the Internet which can be used to prevent or mitigate cyber-threats in real-time. However, large telescopes observe millions of events on a daily basis which renders the task of transforming this knowledge to meaningful insights challenging. In order to address this, we present a novel framework for characterizing Internet's background radiation and for tracking its temporal evolution. The proposed framework: (i) Extracts a high dimensional representation of telescope scanners composed of features distilled from telescope data and learns an information-preserving low-dimensional representation of these events that is amenable to clustering; (ii) Performs clustering of resulting representation space to characterize the scanners and (iii) Utilizes the clustering outcomes as "signatures"to detect temporal changes in the network telescope.

UR - http://www.scopus.com/inward/record.url?scp=85121657625&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85121657625&partnerID=8YFLogxK

U2 - 10.1145/3485983.3493347

DO - 10.1145/3485983.3493347

M3 - Conference contribution

AN - SCOPUS:85121657625

T3 - CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies

SP - 469

EP - 470

BT - CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies

PB - Association for Computing Machinery, Inc

Y2 - 7 December 2021 through 10 December 2021

ER -

Prajapati R, Honavar V , Wu D , Yen J, Kallitsis M. Shedding light into the darknet: scanning characterization and detection of temporal changes. In CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies. Association for Computing Machinery, Inc. 2021. p. 469-470. (CoNEXT 2021 - Proceedings of the 17th International Conference on emerging Networking EXperiments and Technologies). doi: 10.1145/3485983.3493347

Shedding light into the darknet: scanning characterization and detection of temporal changes

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this