Detecting and Interpreting Changes in Scanning Behavior in Large Network Telescopes


Full description

Saved in:
Bibliographic details
Published in: IEEE transactions on information forensics and security 2022, Vol.17, p.1-1
Main authors: Kallitsis, Michalis, Prajapati, Rupesh, Honavar, Vasant, Wu, Dinghao, Yen, John
Format: Article
Language: eng
Subjects:
Online access: Order full text
description Network telescopes or "Darknets" receive unsolicited Internet-wide traffic, thus providing a unique window into macroscopic Internet activities associated with malware propagation, denial of service attacks, network reconnaissance, misconfigurations and network outages. Analysis of the resulting data can provide actionable insights to security analysts that can be used to prevent or mitigate cyber-threats. Large network telescopes, however, observe millions of nefarious scanning activities on a daily basis, which makes the transformation of the captured information into meaningful threat intelligence challenging. To address this challenge, we present a novel framework for characterizing the structure and temporal evolution of scanning behaviors observed in network telescopes. The proposed framework includes four components. It (i) extracts a rich, high-dimensional representation of scanning profiles composed of features distilled from network telescope data; (ii) learns, in an unsupervised fashion, information-preserving succinct representations of these scanning behaviors using deep representation learning that is amenable to clustering; (iii) performs clustering of the scanner profiles in the resulting latent representation space on daily Darknet data; and (iv) detects temporal changes in scanning behavior using techniques from optimal mass transport. We robustly evaluate the proposed system using both synthetic data and real-world Darknet data. We demonstrate its ability to detect real-world, high-impact cybersecurity incidents such as the onset of the Mirai botnet in late 2016 and several interesting cluster formations in early 2022 (e.g., heavy scanners, evolved Mirai variants, Darknet "backscatter" activities, etc.). Comparisons with state-of-the-art methods show that the integration of the proposed features with the deep representation learning scheme leads to better classification performance of Darknet scanners.
doi_str_mv 10.1109/TIFS.2022.3211644
issn 1556-6013
eissn 1556-6021
source IEEE Electronic Library (IEL)
subjects anomaly detection
autoencoders
Backscattering
Behavior
Behavioral sciences
Botnet
Clustering
Cybersecurity
deep learning
Denial of service attacks
Evolution
Feature extraction
Intelligence gathering
Internet
Internet-wide measurements
Learning
Malware
Mass transport
Network telescope
Representations
Scanners
Scanning
Security
Task analysis
Telescopes
Threat evaluation
url https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2024-12-21T11%3A30%3A03IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Detecting%20and%20Interpreting%20Changes%20in%20Scanning%20Behavior%20in%20Large%20Network%20Telescopes&rft.jtitle=IEEE%20transactions%20on%20information%20forensics%20and%20security&rft.au=Kallitsis,%20Michalis&rft.date=2022&rft.volume=17&rft.spage=1&rft.epage=1&rft.pages=1-1&rft.issn=1556-6013&rft.eissn=1556-6021&rft.coden=ITIFA6&rft_id=info:doi/10.1109/TIFS.2022.3211644&rft_dat=%3Cproquest_RIE%3E2724732558%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=2724732558&rft_id=info:pmid/&rft_ieee_id=9908582&rfr_iscdi=true