Darknet monitoring on real-operated networks

Seiichiro Mizoguchi, Yoshiro Fukushima, Yoshiaki Kasahara, Yoshiaki Hori, Kouichi Sakurai

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Darknet monitoring is an effective method to analyze malicious activities on networks including the Internet. Since there is no legitimate host on darknets, traffic sent to such a space is considered to be malicious. There are two major issues for darknet monitoring: how to prepare unused address space and how to configure network sensors deployed on the network. Preparation of monitoring addresses is difficult, and it has not been obvious yet what an appropriate configuration is. To solve the first issue, we proposed a method for network monitoring by exploiting unused IP addresses on segments managed by a DHCP server, which is a real-operated network. By assigning these addresses, we can easily obtain IP addresses for monitoring and enable network monitoring on a production network. Furthermore, we conducted real darknet monitoring experiments and clarified what kind of information could be obtained. We deployed several types of sensors on a real-operated network and captured darknet traffic. After analyzing the traffic, we compared the data between each sensor. We found that there were dramatic differences between the data collected by each sensor and that our proposed method was useful for real network monitoring.

Original language: English
Title of host publication: Proceedings - 2010 International Conference on Broadband, Wireless Computing Communication and Applications, BWCCA 2010
Pages: 278-285
Number of pages: 8
DOIs: https://doi.org/10.1109/BWCCA.2010.82
Publication status: Published - 2010
Event: 5th International Conference on Broadband Wireless Computing, Communication and Applications, BWCCA 2010 - Fukuoka, Japan
Duration: Nov 4 2010 → Nov 6 2010

Other

Other: 5th International Conference on Broadband Wireless Computing, Communication and Applications, BWCCA 2010
Country: Japan
City: Fukuoka
Period: 11/4/10 → 11/6/10

Fingerprint

Monitoring
Sensors
Sensor networks
Servers
Internet
Experiments

All Science Journal Classification (ASJC) codes

  • Computer Networks and Communications
  • Computer Science Applications

Cite this

Mizoguchi, S., Fukushima, Y., Kasahara, Y., Hori, Y., & Sakurai, K. (2010). Darknet monitoring on real-operated networks. In Proceedings - 2010 International Conference on Broadband, Wireless Computing Communication and Applications, BWCCA 2010 (pp. 278-285). [5633172] https://doi.org/10.1109/BWCCA.2010.82

Darknet monitoring on real-operated networks. / Mizoguchi, Seiichiro; Fukushima, Yoshiro; Kasahara, Yoshiaki; Hori, Yoshiaki; Sakurai, Kouichi.

Proceedings - 2010 International Conference on Broadband, Wireless Computing Communication and Applications, BWCCA 2010. 2010. p. 278-285 5633172.

Mizoguchi, S, Fukushima, Y, Kasahara, Y, Hori, Y & Sakurai, K 2010, Darknet monitoring on real-operated networks. in Proceedings - 2010 International Conference on Broadband, Wireless Computing Communication and Applications, BWCCA 2010., 5633172, pp. 278-285, 5th International Conference on Broadband Wireless Computing, Communication and Applications, BWCCA 2010, Fukuoka, Japan, 11/4/10. https://doi.org/10.1109/BWCCA.2010.82
Mizoguchi S, Fukushima Y, Kasahara Y, Hori Y, Sakurai K. Darknet monitoring on real-operated networks. In Proceedings - 2010 International Conference on Broadband, Wireless Computing Communication and Applications, BWCCA 2010. 2010. p. 278-285. 5633172 https://doi.org/10.1109/BWCCA.2010.82
Mizoguchi, Seiichiro ; Fukushima, Yoshiro ; Kasahara, Yoshiaki ; Hori, Yoshiaki ; Sakurai, Kouichi. / Darknet monitoring on real-operated networks. Proceedings - 2010 International Conference on Broadband, Wireless Computing Communication and Applications, BWCCA 2010. 2010. pp. 278-285
@inproceedings{d5ffa170cd03423ab3d4419f9dfc51f0,
title = "Darknet monitoring on real-operated networks",
abstract = "Darknet monitoring is an effective method to analyze malicious activities on networks including the Internet. Since there is no legitimate host on darknets, traffic sent to such a space is considered to be malicious. There are two major issues for darknet monitoring: how to prepare unused address space and how to configure network sensors deployed on the network. Preparation of monitoring addresses is difficult, and it have not been obvious yet what an appropriate configuration is. To solve the first issue, we proposed a method for network monitoring by exploiting unused IP addresses on segments managed by DHCP server, where is a real-operated network. By assigning these addresses, we can easily obtain IP addresses for monitoring and enable network monitoring on production network. Furthermore, we conducted real darknet monitoring experiments and clarified what kind of information could be obtained. We deployed several types of sensors on real-operated network and captured darknet traffic. After analyzing the traffic, we compared the data between each sensor. We found that there were dramatic differences between the data collected by each sensor and our proposed method was useful for real network monitoring.",
author = "Seiichiro Mizoguchi and Yoshiro Fukushima and Yoshiaki Kasahara and Yoshiaki Hori and Kouichi Sakurai",
year = "2010",
doi = "10.1109/BWCCA.2010.82",
language = "English",
isbn = "9780769542362",
pages = "278--285",
booktitle = "Proceedings - 2010 International Conference on Broadband, Wireless Computing Communication and Applications, BWCCA 2010",

}

TY - GEN

T1 - Darknet monitoring on real-operated networks

AU - Mizoguchi, Seiichiro

AU - Fukushima, Yoshiro

AU - Kasahara, Yoshiaki

AU - Hori, Yoshiaki

AU - Sakurai, Kouichi

PY - 2010

Y1 - 2010

N2 - Darknet monitoring is an effective method to analyze malicious activities on networks including the Internet. Since there is no legitimate host on darknets, traffic sent to such a space is considered to be malicious. There are two major issues for darknet monitoring: how to prepare unused address space and how to configure network sensors deployed on the network. Preparation of monitoring addresses is difficult, and it have not been obvious yet what an appropriate configuration is. To solve the first issue, we proposed a method for network monitoring by exploiting unused IP addresses on segments managed by DHCP server, where is a real-operated network. By assigning these addresses, we can easily obtain IP addresses for monitoring and enable network monitoring on production network. Furthermore, we conducted real darknet monitoring experiments and clarified what kind of information could be obtained. We deployed several types of sensors on real-operated network and captured darknet traffic. After analyzing the traffic, we compared the data between each sensor. We found that there were dramatic differences between the data collected by each sensor and our proposed method was useful for real network monitoring.

AB - Darknet monitoring is an effective method to analyze malicious activities on networks including the Internet. Since there is no legitimate host on darknets, traffic sent to such a space is considered to be malicious. There are two major issues for darknet monitoring: how to prepare unused address space and how to configure network sensors deployed on the network. Preparation of monitoring addresses is difficult, and it have not been obvious yet what an appropriate configuration is. To solve the first issue, we proposed a method for network monitoring by exploiting unused IP addresses on segments managed by DHCP server, where is a real-operated network. By assigning these addresses, we can easily obtain IP addresses for monitoring and enable network monitoring on production network. Furthermore, we conducted real darknet monitoring experiments and clarified what kind of information could be obtained. We deployed several types of sensors on real-operated network and captured darknet traffic. After analyzing the traffic, we compared the data between each sensor. We found that there were dramatic differences between the data collected by each sensor and our proposed method was useful for real network monitoring.

UR - http://www.scopus.com/inward/record.url?scp=79952089129&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79952089129&partnerID=8YFLogxK

U2 - 10.1109/BWCCA.2010.82

DO - 10.1109/BWCCA.2010.82

M3 - Conference contribution

AN - SCOPUS:79952089129

SN - 9780769542362

SP - 278

EP - 285

BT - Proceedings - 2010 International Conference on Broadband, Wireless Computing Communication and Applications, BWCCA 2010

ER -