i-DarkVec: Incremental Embeddings for Darknet Traffic Analysis

IF 3.9 3区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS ACM Transactions on Internet Technology Pub Date : 2023-05-03 DOI:https://dl.acm.org/doi/10.1145/3595378
Luca Gioacchini, Luca Vassio, Marco Mellia, Idilio Drago, Zied Ben Houidi
{"title":"i-DarkVec: Incremental Embeddings for Darknet Traffic Analysis","authors":"Luca Gioacchini, Luca Vassio, Marco Mellia, Idilio Drago, Zied Ben Houidi","doi":"https://dl.acm.org/doi/10.1145/3595378","DOIUrl":null,"url":null,"abstract":"<p>Darknets are probes listening to traffic reaching IP addresses that host no services. Traffic reaching a darknet results from the actions of internet scanners, botnets and possibly misconfigured hosts. Such peculiar nature of the darknet traffic makes darknets a valuable instrument to discover malicious online activities, e.g., identifying coordinated actions performed by bots or scanners. However, the massive amount of packets and sources that darknets observe makes it hard to extract meaningful insights, calling for scalable tools to automatically identify and group sources that share similar behaviour. </p><p>We here present i-DarkVec, a methodology to learn meaningful representations of Darknet traffic. i-DarkVec leverages Natural Language Processing techniques (e.g., Word2Vec) to capture the co-occurrence patterns that emerge when scanners or bots launch coordinated actions. As in NLP problems, the embeddings learned with i-DarkVec enable several new machine learning tasks on the darknet traffic, such as identifying clusters of senders engaged in similar activities. </p><p>We extensively test i-DarkVec and explore its design space in a case study using real darknets. We show that with a proper definition of <i>services</i>, the learned embeddings can be used to (i) solve the classification problem to associate unknown sources’ IP addresses to the correct classes of coordinated actors, and (ii) automatically identify clusters of previously unknown sources performing similar attacks and scans, easing the security analyst’s job. i-DarkVec leverages a novel incremental embedding learning approach that is scalable and robust to traffic changes, making it applicable to dynamic and large-scale scenarios.</p>","PeriodicalId":50911,"journal":{"name":"ACM Transactions on Internet Technology","volume":"115 1","pages":""},"PeriodicalIF":3.9000,"publicationDate":"2023-05-03","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"ACM Transactions on Internet Technology","FirstCategoryId":"94","ListUrlMain":"https://doi.org/https://dl.acm.org/doi/10.1145/3595378","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Darknets are probes listening to traffic reaching IP addresses that host no services. Traffic reaching a darknet results from the actions of internet scanners, botnets and possibly misconfigured hosts. Such peculiar nature of the darknet traffic makes darknets a valuable instrument to discover malicious online activities, e.g., identifying coordinated actions performed by bots or scanners. However, the massive amount of packets and sources that darknets observe makes it hard to extract meaningful insights, calling for scalable tools to automatically identify and group sources that share similar behaviour.

We here present i-DarkVec, a methodology to learn meaningful representations of Darknet traffic. i-DarkVec leverages Natural Language Processing techniques (e.g., Word2Vec) to capture the co-occurrence patterns that emerge when scanners or bots launch coordinated actions. As in NLP problems, the embeddings learned with i-DarkVec enable several new machine learning tasks on the darknet traffic, such as identifying clusters of senders engaged in similar activities.

We extensively test i-DarkVec and explore its design space in a case study using real darknets. We show that with a proper definition of services, the learned embeddings can be used to (i) solve the classification problem to associate unknown sources’ IP addresses to the correct classes of coordinated actors, and (ii) automatically identify clusters of previously unknown sources performing similar attacks and scans, easing the security analyst’s job. i-DarkVec leverages a novel incremental embedding learning approach that is scalable and robust to traffic changes, making it applicable to dynamic and large-scale scenarios.

查看原文
分享 分享
微信好友 朋友圈 QQ好友 复制链接
本刊更多论文
i-DarkVec:暗网流量分析的增量嵌入
暗网是侦听到达没有主机服务的IP地址的流量的探测器。流量到达暗网的结果是互联网扫描器,僵尸网络和可能配置错误的主机的行动。暗网流量的这种特殊性质使暗网成为发现恶意在线活动的宝贵工具,例如,识别由机器人或扫描仪执行的协调行动。然而,暗网观察到的大量数据包和源使得很难提取有意义的见解,这需要可扩展的工具来自动识别和分组共享相似行为的源。我们在这里提出i-DarkVec,一种学习暗网流量的有意义表示的方法。i-DarkVec利用自然语言处理技术(例如,Word2Vec)来捕捉扫描器或机器人启动协调动作时出现的共现模式。与NLP问题一样,使用i-DarkVec学习的嵌入在暗网流量上启用了几个新的机器学习任务,例如识别从事类似活动的发送者集群。我们广泛测试i-DarkVec和探索其设计空间在一个案例研究中使用真实的黑暗。我们表明,通过适当的服务定义,学习嵌入可以用于(i)解决分类问题,将未知源的IP地址与协调参与者的正确类别相关联,以及(ii)自动识别先前未知源的集群,执行类似的攻击和扫描,从而减轻安全分析师的工作。i-DarkVec利用了一种新颖的增量嵌入学习方法,该方法对流量变化具有可扩展性和鲁棒性,使其适用于动态和大规模的场景。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 去求助
来源期刊
ACM Transactions on Internet Technology
ACM Transactions on Internet Technology 工程技术-计算机:软件工程
CiteScore
10.30
自引率
1.90%
发文量
137
审稿时长
>12 weeks
期刊介绍: ACM Transactions on Internet Technology (TOIT) brings together many computing disciplines including computer software engineering, computer programming languages, middleware, database management, security, knowledge discovery and data mining, networking and distributed systems, communications, performance and scalability etc. TOIT will cover the results and roles of the individual disciplines and the relationshipsamong them.
期刊最新文献
Interpersonal Communication Interconnection in Media Convergence Metaverse Using Reinforcement Learning and Error Models for Drone Precision Landing Towards Human-AI Teaming to Mitigate Alert Fatigue in Security Operations Centres RESP: A Recursive Clustering Approach for Edge Server Placement in Mobile Edge Computing OTI-IoT: A Blockchain-based Operational Threat Intelligence Framework for Multi-vector DDoS Attacks
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
现在去查看 取消
×
提示
确定
0
微信
客服QQ
Book学术公众号 扫码关注我们
反馈
×
意见反馈
请填写您的意见或建议
请填写您的手机或邮箱
已复制链接
已复制链接
快去分享给好友吧!
我知道了
×
扫码分享
扫码分享
Book学术官方微信
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术
文献互助 智能选刊 最新文献 互助须知 联系我们:info@booksci.cn
Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。
Copyright © 2023 Book学术 All rights reserved.
ghs 京公网安备 11010802042870号 京ICP备2023020795号-1