Abstract
Botnets, groups of compromised computers called bots, have recently become a problem as a source of attacks. An attacker called the botmaster controls the botnet and uses it to launch attacks such as scanning and DDoS. In this paper, we use 3D visualization to investigate how attacks change, based on darknet traffic. As a result, we discover an attack in which several source IP addresses transmit packets to a single destination within a short period of time. In addition, we find that the packet size and the destination port number are identical within this attack. Furthermore, we propose a method to detect this attack, which we call the behavior of collaborative attack. Our proposal focuses on the number of source IP addresses that transmit packets to a single destination. We detected such packets, and packets with the same packet size and destination port number accounted for about 90% of each set of extracted packets.
This work was partially supported by Proactive Response Against Cyber-attacks Through International Collaborative Exchange (PRACTICE), Ministry of Internal Affairs and Communications, Japan.
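The detection idea in the abstract can be sketched as follows. This is an added example, not the authors' code: the window length, the source-count threshold, the record layout and the sample packets are all assumptions, since the abstract does not give them.

```python
from collections import Counter, defaultdict

# Assumed parameters: the abstract states neither a window length nor a threshold.
WINDOW_SECONDS = 10
MIN_SOURCES = 5


def detect_collaborative(packets, window=WINDOW_SECONDS, min_sources=MIN_SOURCES):
    """Flag destinations hit by many distinct sources within one time window.

    packets: iterable of (ts, src_ip, dst_ip, dst_port, size) tuples (assumed layout).
    Fixed, non-overlapping windows are used for brevity, so a burst that
    straddles a window boundary is split across two buckets.
    """
    buckets = defaultdict(list)
    for ts, src, dst, dport, size in packets:
        buckets[(dst, int(ts // window))].append((src, dport, size))

    findings = []
    for (dst, slot), pkts in sorted(buckets.items()):
        sources = {src for src, _, _ in pkts}
        if len(sources) < min_sources:
            continue
        # Share of packets carrying the most common (port, size) pair.
        (dport, size), hits = Counter((p, s) for _, p, s in pkts).most_common(1)[0]
        findings.append({
            "dst": dst,
            "window_start": slot * window,
            "sources": len(sources),
            "dst_port": dport,
            "size": size,
            "uniform_ratio": hits / len(pkts),
        })
    return findings


# Constructed sample records (documentation address ranges, not real traffic):
# nine sources send identical 48-byte packets to one darknet address,
# a tenth sends a different packet, and one host sweeps five other addresses.
SAMPLE = [(100 + i, f"198.51.100.{i + 1}", "192.0.2.10", 445, 48) for i in range(9)]
SAMPLE.append((109, "198.51.100.200", "192.0.2.10", 80, 60))
SAMPLE += [(100 + i, "203.0.113.7", f"192.0.2.{20 + i}", 22, 60) for i in range(5)]

if __name__ == "__main__":
    for finding in detect_collaborative(SAMPLE):
        print(finding)
```

The single-source sweep is not flagged because each destination it touches sees only one source; only the many-to-one burst crosses the threshold.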
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Akimoto, S., Hori, Y., Sakurai, K. (2012). Collaborative Behavior Visualization and Its Detection by Observing Darknet Traffic. In: Xiang, Y., Lopez, J., Kuo, CC.J., Zhou, W. (eds) Cyberspace Safety and Security. CSS 2012. Lecture Notes in Computer Science, vol 7672. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35362-8_17
DOI: https://doi.org/10.1007/978-3-642-35362-8_17
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35361-1
Online ISBN: 978-3-642-35362-8
eBook Packages: Computer Science, Computer Science (R0)