Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis

Laurent Evrard, Jérôme François, Jean-Noël Colin

Résultats de recherche: Contribution dans un livre/un catalogue/un rapport/dans les actes d'une conférenceArticle dans les actes d'une conférence/un colloque


Network traffic monitoring is primordial for network operations and management including Quality-of-Service or security. One major difficulty when dealing with network traffic data (packets, flows, etc) is the poor semantic of individual attributes (number of bytes, packets, IP addresses, protocol, TCP/UDP port numbers, etc). Many of them can be represented as numerical values but cannot be mapped to a meaningful metric space. Most notably are application port numbers. They are numerical but comparing them as integers is meaningless. In this paper, we propose a fine grained attacker behavior-based similarity metric allowing traffic analysis to take into account semantic relations between port numbers. The behavior of attackers is derived from passive observation of a darknet or telescope, aggregated in a graph model, from which a dissimilarity function is defined. We demonstrate the veracity of this function with real world network data in order to pro-actively block 99% of TCP scans.

langue originaleAnglais
titre2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019
Nombre de pages9
ISBN (Electronique)9783903176157
Etat de la publicationPublié - 16 mai 2019
EvénementIFIP/IEEE International Symposium on Integrated Network Management -
Durée: 8 avr. 201912 avr. 2019

Une conférence

Une conférenceIFIP/IEEE International Symposium on Integrated Network Management
Titre abrégéIM

Empreinte digitale

Examiner les sujets de recherche de « Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis ». Ensemble, ils forment une empreinte digitale unique.

Contient cette citation