Extended Darknet: Multi-Dimensional Internet Threat Monitoring System

Akihiro SHIMODA  Tatsuya MORI  Shigeki GOTO  

IEICE TRANSACTIONS on Communications   Vol.E95-B   No.6   pp.1915-1923
Publication Date: 2012/06/01
Online ISSN: 1745-1345
DOI: 10.1587/transcom.E95.B.1915
Print ISSN: 0916-8516
Type of Manuscript: Special Section PAPER (Special Section on Towards Management for Future Networks and Services)
darknet,  multi-dimensional monitoring,  Internet threat,  sensor,  

Full Text: PDF>>
Buy this Article

Internet threats caused by botnets/worms are one of the most important security issues to be addressed. Darknet, also called a dark IP address space, is one of the best solutions for monitoring anomalous packets sent by malicious software. However, since darknet is deployed only on an inactive IP address space, it is an inefficient way for monitoring a working network that has a considerable number of active IP addresses. The present paper addresses this problem. We propose a scalable, light-weight malicious packet monitoring system based on a multi-dimensional IP/port analysis. Our system significantly extends the monitoring scope of darknet. In order to extend the capacity of darknet, our approach leverages the active IP address space without affecting legitimate traffic. Multi-dimensional monitoring enables the monitoring of TCP ports with firewalls enabled on each of the IP addresses. We focus on delays of TCP syn/ack responses in the traffic. We locate syn/ack delayed packets and forward them to sensors or honeypots for further analysis. We also propose a policy-based flow classification and forwarding mechanism and develop a prototype of a monitoring system that implements our proposed architecture. We deploy our system on a campus network and perform several experiments for the evaluation of our system. We verify that our system can cover 89% of the IP addresses while darknet-based monitoring only covers 46%. On our campus network, our system monitors twice as many IP addresses as darknet.