Trillions of network packets are sent over the Internet to destinations which do not exist. This ‘darknet’ traffic captures the activity of botnets and other malicious campaigns aiming to discover and compromise devices around the world. In this paper, we present DANTE: a framework and algorithm for mining darknet traffic. DANTE learns the meaning of targeted network ports by applying Word2Vec to observed port sequences. To detect recurring behaviors and new emerging threats, DANTE uses a novel and incremental time-series cluster tracking algorithm on the observed sequences. To evaluate the system, we ran DANTE on a full year of darknet traffic (over three Tera-Bytes) collected by the largest telecommunications provider in Europe, Deutsche Telekom and analyzed the results. DANTE discovered 1,177 new emerging threats and was able to track malicious campaigns over time.
CITATION STYLE
Cohen, D., Mirsky, Y., Kamp, M., Martin, T., Elovici, Y., Puzis, R., & Shabtai, A. (2020). Dante: A framework for mining and monitoring darknet traffic. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 12308 LNCS, pp. 88–109). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-030-58951-6_5
Mendeley helps you to discover research relevant for your work.