Countermeasures against darknet localisation attacks with packet sampling

<p>The darknet monitoring system consists of network sensors widely deployed on the Internet to capture incoming unsolicited packets. A goal of this system is to analyse captured malicious packets and provide effective information to protect regular nonmalicious Internet users from malicious activities. To provide effective and reliable information, the location of sensors must be concealed. However, attackers launch localisation attacks to detect sensors in order to evade them. If the actual location of sensors is revealed, it is almost impossible to identify the latest tactics used by attackers. Thus, in a previous study, we proposed a packet sampling method, which samples incoming packets based on an attribute of the packet sender, to increase tolerance to a localisation attack and maintain the quality of information publicised by the system. We were successful in countering localisation attacks, which generate spikes on the publicised graph to detect a sensor. However, in some cases, with the previously proposed sampling method, spikes were clearly evident on the graph. Therefore, in this paper, we propose advanced sampling methods such that incoming packets are sampled based on multiple attributes of the packet sender. We present our improved methods and show promising evaluation results obtained via a simulation.</p>

Estimating Network Flow Length Distributions via Bayesian Nonnegative Tensor Factorization

In this paper, we develop a framework to estimate network flow length distributions in terms of the number of packets. We model the network flow length data as a three-way array with day-of-week, hour-of-day, and flow length as entities where we observe a count. In a high-speed network, only a sampled version of such an array can be observed and reconstructing the true flow statistics from fewer observations becomes a computational problem. We formulate the sampling process as matrix multiplication so that any sampling method can be used in our framework as long as its sampling probabilities are written in matrix form. We demonstrate our framework on a high-volume real-world data set collected from a mobile network provider with a random packet sampling and a flow-based packet sampling methods. We show that modeling the network data as a tensor improves estimations of the true flow length histogram in both sampling methods.