A malware collection and analysis framework based on darknet traffic

Abstract

Since a darknet is a set of unused IP addresses(i.e., no real hosts are operated with them), we are unable to observe the network traffic on it generally. In many cases, however, attackers or infected hosts by some malwares send their attack codes to the target systems or networks at random. Because of this, the darknet gives us the good opportunity to monitor malicious activities that are happening on the Internet. By analyzing the darknet traffic, it is able to get an insight into recent attack trends, but there is a fatal limitation that most of the darknet traffic have no payload data. This means that we cannot collect the real attack codes from the original darknet traffic. In this paper, we propose a malware collection and analysis framework based on the darknet traffic. With the proposed framework, it is able to get real attack codes in the wild and to respond against potential cyber attacks using them. Our experimental results on the real network environments show the effectiveness of the proposed framework. © 2012 Springer-Verlag.