ダークネットトラフィックにおけるスキャン活動検出のための送信元ホストの特徴に基づく分類

抄録

Darknet traffic volume is increasing year by year. And, it is hard to detect the malicious activities from many network traffic. Therefore, we try to classify based on the characteristics of the source hosts. We extracted each parameter from the packet headers and aggregated per source host for clustering. Output clusters include source hosts with the same features. We verified the clustered the traffic for TCP/4786 collected on our university’s darknet traffic. As a result, we succeeded in classifying the distributed scan activity for each organization.