Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis - Archive ouverte HAL Access content directly
Conference Papers Year :

Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis

(1) , (2) , (1)
1
2

Abstract

Network traffic monitoring is primordial for network operations and management for many purposes such as Quality-of-Service or security. One major difficulty when dealing with network traffic data (packets, flows...) is the poor semantic of individual attributes (number of bytes, packets, IP addresses, protocol, TCP/UDP port number...). Many attributes can be represented as numerical values but cannot be mapped to a meaningful metric space. Most notably are application port numbers. They are numerical but comparing them as integers is meaningless. In this paper, we propose a fine grained attacker behavior-based network port similarity metric allowing traffic analysis to take into account semantic relations between port numbers. The behavior of attackers is derived from passive observation of a Darknet or telescope, aggregated in a graph model, from which a semantic dissimilarity function is defined. We demonstrate the veracity of this function with real world network data in order to pro-actively block 99% of TCP scans.
Fichier principal
Vignette du fichier
semPorts.pdf (1.42 Mo) Télécharger le fichier
Origin : Files produced by the author(s)
Loading...

Dates and versions

hal-02345457 , version 1 (04-11-2019)

Identifiers

  • HAL Id : hal-02345457 , version 1

Cite

Laurent Evrard, Jérôme François, Jean-Noël Colin. Attacker Behavior-Based Metric for Security Monitoring Applied to Darknet Analysis. IM 2019 - The 16th IFIP/IEEE Symposium on Integrated Network and Service Management, Apr 2019, Washington DC, United States. ⟨hal-02345457⟩
96 View
182 Download

Share

Gmail Facebook Twitter LinkedIn More