Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis

Laurent Evrard, Jérôme François, Jean-Noël Colin

Research output: Contribution to a book/catalogue/report/conference proceedings: Article in conference proceedings

Abstract

Network traffic monitoring is essential for network operations and management, including Quality-of-Service and security. One major difficulty when dealing with network traffic data (packets, flows, etc.) is the weak semantics of individual attributes (number of bytes, number of packets, IP addresses, protocol, TCP/UDP port numbers, etc.). Many of them can be represented as numerical values but cannot be mapped to a meaningful metric space. The most notable example is application port numbers: they are numerical, but comparing them as integers is meaningless. In this paper, we propose a fine-grained, attacker-behavior-based similarity metric that allows traffic analysis to take semantic relations between port numbers into account. The behavior of attackers is derived from passive observation of a darknet (network telescope) and aggregated in a graph model, from which a dissimilarity function is defined. We demonstrate the validity of this function on real-world network data, using it to pro-actively block 99% of TCP scans.

Original language: English
Title: 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019
Publisher: IEEE
Pages: 89-97
Number of pages: 9
ISBN (Electronic): 9783903176157
Status: Published - 16 May 2019
Event: IFIP/IEEE International Symposium on Integrated Network Management
Duration: 8 Apr 2019 - 12 Apr 2019

Conference

Conference: IFIP/IEEE International Symposium on Integrated Network Management
Abbreviated title: IM
Period: 8/04/19 - 12/04/19

Fingerprint

Semantics
Monitoring
Telescopes
Quality of service

Cite this

Evrard, L., François, J., & Colin, J-N. (2019). Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis. In 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 (pp. 89-97). [8717917] IEEE.
Evrard, Laurent ; François, Jérôme ; Colin, Jean-Noël. / Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis. 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019. IEEE, 2019. p. 89-97
@inproceedings{4626801a58924699819a20625ac85706,
title = "Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis",
abstract = "Network traffic monitoring is primordial for network operations and management including Quality-of-Service or security. One major difficulty when dealing with network traffic data (packets, flows, etc) is the poor semantic of individual attributes (number of bytes, packets, IP addresses, protocol, TCP/UDP port numbers, etc). Many of them can be represented as numerical values but cannot be mapped to a meaningful metric space. Most notably are application port numbers. They are numerical but comparing them as integers is meaningless. In this paper, we propose a fine grained attacker behavior-based similarity metric allowing traffic analysis to take into account semantic relations between port numbers. The behavior of attackers is derived from passive observation of a darknet or telescope, aggregated in a graph model, from which a dissimilarity function is defined. We demonstrate the veracity of this function with real world network data in order to pro-actively block 99{\%} of TCP scans.",
author = "Laurent Evrard and J{\'e}r{\^o}me Fran{\cc}ois and Jean-No{\"e}l Colin",
year = "2019",
month = "5",
day = "16",
language = "English",
pages = "89--97",
booktitle = "2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019",
publisher = "IEEE",

}

Evrard, L, François, J & Colin, J-N 2019, Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis. In 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019., 8717917, IEEE, pp. 89-97, IFIP/IEEE International Symposium on Integrated Network Management, 8/04/19.

Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis. / Evrard, Laurent; François, Jérôme; Colin, Jean-Noël.

2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019. IEEE, 2019. p. 89-97 8717917.


TY - GEN

T1 - Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis

AU - Evrard, Laurent

AU - François, Jérôme

AU - Colin, Jean-Noël

PY - 2019/5/16

Y1 - 2019/5/16

N2 - Network traffic monitoring is primordial for network operations and management including Quality-of-Service or security. One major difficulty when dealing with network traffic data (packets, flows, etc) is the poor semantic of individual attributes (number of bytes, packets, IP addresses, protocol, TCP/UDP port numbers, etc). Many of them can be represented as numerical values but cannot be mapped to a meaningful metric space. Most notably are application port numbers. They are numerical but comparing them as integers is meaningless. In this paper, we propose a fine grained attacker behavior-based similarity metric allowing traffic analysis to take into account semantic relations between port numbers. The behavior of attackers is derived from passive observation of a darknet or telescope, aggregated in a graph model, from which a dissimilarity function is defined. We demonstrate the veracity of this function with real world network data in order to pro-actively block 99% of TCP scans.

AB - Network traffic monitoring is primordial for network operations and management including Quality-of-Service or security. One major difficulty when dealing with network traffic data (packets, flows, etc) is the poor semantic of individual attributes (number of bytes, packets, IP addresses, protocol, TCP/UDP port numbers, etc). Many of them can be represented as numerical values but cannot be mapped to a meaningful metric space. Most notably are application port numbers. They are numerical but comparing them as integers is meaningless. In this paper, we propose a fine grained attacker behavior-based similarity metric allowing traffic analysis to take into account semantic relations between port numbers. The behavior of attackers is derived from passive observation of a darknet or telescope, aggregated in a graph model, from which a dissimilarity function is defined. We demonstrate the veracity of this function with real world network data in order to pro-actively block 99% of TCP scans.

UR - http://www.scopus.com/inward/record.url?scp=85066995556&partnerID=8YFLogxK

M3 - Conference contribution

SP - 89

EP - 97

BT - 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019

PB - IEEE

ER -

Evrard L, François J, Colin J-N. Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis. In 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019. IEEE. 2019. pp. 89-97. 8717917