UnitecDEAMP: Flow feature profiling for malicious events identification in darknet space


Abstract

This paper proposes a traffic decomposition approach called UnitecDEAMP, based on flow feature profiling, to distinguish groups of significant malicious events from background noise in massive historical darknet traffic. Specifically, we segment and extract traffic flows from captured darknet data and categorize the flows according to sets of criteria derived from our traffic behavior assessments. Those criteria are validated through a subsequent correlation analysis to guarantee that any redundant criteria are eliminated. Significant events are appraised by combined criteria filtering, including significance regarding volume, significance in terms of time series occurrence, and significance regarding variation. To demonstrate the effectiveness of UnitecDEAMP, real-world darknet traffic data sets spanning twelve months are used for our empirical study. The experimental results show that UnitecDEAMP can effectively select the most significant malicious events.

Cite

Zhang, R., Yang, C., Pang, S., & Sarrafzadeh, H. (2017). UnitecDEAMP: Flow feature profiling for malicious events identification in darknet space. In Communications in Computer and Information Science (Vol. 719, pp. 157–168). Springer Verlag. https://doi.org/10.1007/978-981-10-5421-1_13
