Paper Info
Title
Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis
Abstract
Network traffic monitoring is primordial for network operations and management including Quality-of-Service or security. One major difficulty when dealing with network traffic data (packets, flows, etc) is the poor semantic of individual attributes (number of bytes, packets, IP addresses, protocol, TCP/UDP port numbers, etc). Many of them can be represented as numerical values but cannot be mapped to a meaningful metric space. Most notably are application port numbers. They are numerical but comparing them as integers is meaningless. In this paper, we propose a fine grained attacker behavior-based similarity metric allowing traffic analysis to take into account semantic relations between port numbers. The behavior of attackers is derived from passive observation of a darknet or telescope, aggregated in a graph model, from which a dissimilarity function is defined. We demonstrate the veracity of this function with real world network data in order to pro-actively block 99% of TCP scans.
Year
Venue
Keywords
2019
2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM)
application port numbers,network traffic monitoring,network operations,network traffic data,IP addresses,metric space,real-world network data,security monitoring,fine grained attacker behavior-based similarity metric,traffic analysis,telescope,graph model,TCP scans,Darknet analysis,quality-of-service
Field
DocType
ISSN
Byte,Port (computer networking),Traffic analysis,User Datagram Protocol,Darknet,Computer science,Network packet,Computer network,Network operations center,Metric space
Conference
1573-0077
ISBN
Citations 
PageRank 
978-1-7281-0618-2
0
0.34
References 
Authors
0
3
Name
Order
Citations
PageRank
Laurent Evrard100.68
Jérôme François217021.81
Jean-Noel Colin34512.32