DANTE: A framework for mining and monitoring darknet traffic

by   Dvir Cohen, et al.

Trillions of network packets are sent over the Internet to destinations which do not exist. This 'darknet' traffic captures the activity of botnets and other malicious campaigns aiming to discover and compromise devices around the world. In order to mine threat intelligence from this data, one must be able to handle large streams of logs and represent the traffic patterns in a meaningful way. However, by observing how network ports (services) are used, it is possible to capture the intent of each transmission. In this paper, we present DANTE: a framework and algorithm for mining darknet traffic. DANTE learns the meaning of targeted network ports by applying Word2Vec to observed port sequences. Then, when a host sends a new sequence, DANTE represents the transmission as the average embedding of the ports found that sequence. Finally, DANTE uses a novel and incremental time-series cluster tracking algorithm on observed sequences to detect recurring behaviors and new emerging threats. To evaluate the system, we ran DANTE on a full year of darknet traffic (over three Tera-Bytes) collected by the largest telecommunications provider in Europe, Deutsche Telekom and analyzed the results. DANTE discovered 1,177 new emerging threats and was able to track malicious campaigns over time. We also compared DANTE to the current best approach and found DANTE to be more practical and effective at detecting darknet traffic patterns.


page 2

page 4

page 7


Decrypting SSL/TLS traffic for hidden threats detection

The paper presents an analysis of the main mechanisms of decryption of S...

MORTON: Detection of Malicious Routines in Large-Scale DNS Traffic

In this paper, we present MORTON, a system that identifies compromised e...

Improving Scalability of Contrast Pattern Mining for Network Traffic Using Closed Patterns

Contrast pattern mining (CPM) aims to discover patterns whose support in...

Behavioural Correlation for Detecting P2P Bots

In the past few years, IRC bots, malicious programs which are remotely c...

Collaborative adversary nodes learning on the logs of IoT devices in an IoT network

Artificial Intelligence (AI) development has encouraged many new researc...

An Extensive Study of Residential Proxies in China

We carry out the first in-depth characterization of residential proxies ...

Catching Unusual Traffic Behavior using TF-IDF-based Port Access Statistics Analysis

Detecting the anomalous behavior of traffic is one of the important acti...

Please sign up or login with your details

Forgot password? Click here to reset