Network telescopes or “Darknets” provide a unique window into Internet-wide
malicious activities associated with malware propagation, denial of service
attacks, scanning performed for network reconnaissance, and others. Analyses of
the resulting data can provide actionable insights to security analysts that
can be used to prevent or mitigate cyber-threats. Large Darknets, however,
observe millions of nefarious events on a daily basis which makes the
transformation of the captured information into meaningful insights
challenging. We present a novel framework for characterizing Darknet behavior
and its temporal evolution aiming to address this challenge. The proposed
framework: (i) Extracts a high dimensional representation of Darknet events
composed of features distilled from Darknet data and other external sources;
(ii) Learns, in an unsupervised fashion, an information-preserving
low-dimensional representation of these events (using deep representation
learning) that is amenable to clustering; (iii) Performs clustering of the
scanner data in the resulting representation space and provides interpretable
insights using optimal decision trees; and (iv) Utilizes the clustering outcomes
as “signatures” that can be used to detect structural changes in the Darknet
activities. We evaluate the proposed system on a large operational Network
Telescope and demonstrate its ability to detect real-world, high-impact
cybersecurity incidents.
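As an added illustration of the last step (clustering outcomes used as "signatures" for change detection), and not code from the paper itself: the block below assumes Darknet events have already been assigned cluster ids by the earlier steps, builds a per-day distribution over clusters, and flags days whose distribution diverges sharply from the previous day's. The event records, cluster ids and threshold are constructed for the example.

```python
"""Added example (not the paper's code): per-window cluster-share
"signatures" of Darknet events, compared day over day to flag a
structural change. Input records are (day, cluster_id); the cluster
assignment itself is assumed to come from the framework's earlier steps."""
from collections import Counter, defaultdict
from math import log2

# Constructed sample: (observation day, cluster id). Days 1-3 look alike;
# on day 4 cluster "C" suddenly dominates (e.g. a new scanning campaign).
EVENTS = (
    [(1, "A")] * 50 + [(1, "B")] * 30 + [(1, "C")] * 20 +
    [(2, "A")] * 48 + [(2, "B")] * 33 + [(2, "C")] * 19 +
    [(3, "A")] * 52 + [(3, "B")] * 28 + [(3, "C")] * 20 +
    [(4, "A")] * 15 + [(4, "B")] * 10 + [(4, "C")] * 75
)


def signatures(events):
    """Per-day share of events falling in each cluster (the 'signature')."""
    per_day = defaultdict(Counter)
    for day, cid in events:
        per_day[day][cid] += 1
    clusters = sorted({cid for _, cid in events})
    out = {}
    for day, counts in sorted(per_day.items()):
        total = sum(counts.values())
        out[day] = {c: counts[c] / total for c in clusters}
    return out


def js_divergence(p, q):
    """Jensen-Shannon divergence (base 2, so bounded in [0, 1]) of two signatures."""
    keys = set(p) | set(q)
    m = {k: 0.5 * (p.get(k, 0.0) + q.get(k, 0.0)) for k in keys}

    def kl(a):  # KL(a || m); terms with a[k] == 0 contribute nothing
        return sum(a[k] * log2(a[k] / m[k]) for k in keys if a.get(k, 0.0) > 0)

    return 0.5 * kl(p) + 0.5 * kl(q)


def detect_changes(events, threshold=0.1):
    """Return (day, divergence) for days whose signature shifted beyond threshold."""
    sigs = signatures(events)
    days = sorted(sigs)
    flagged = []
    for prev, cur in zip(days, days[1:]):
        d = js_divergence(sigs[prev], sigs[cur])
        if d > threshold:
            flagged.append((cur, round(d, 3)))
    return flagged


if __name__ == "__main__":
    print(detect_changes(EVENTS))
```

The threshold is a tuning choice; in practice it would be set from the spread of day-over-day divergences observed during quiet periods.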
