Computer Software
Print ISSN : 0289-6540
Analysis of Time-series Correlations of Packet Arrivals to Darknet and Their Size- and Location-dependencies
Masayuki OHTA, Shu SUGIMOTO, Kensuke FUKUDA, Toshio HIROTSU, Osamu AKASHI, Toshiharu SUGAWARA

2011 Volume 28 Issue 2 Pages 2_129-2_139

Abstract

In this paper, we show that it is possible to predict the behavior of anomalous packets toward nearby active addresses from a small observed address space (Darknet) on the Internet. We have proposed the distributed cooperative monitoring architecture (DCMA), which probes the anomalous packets that arrive at distributed unused address segments, and detects and defends against anomalous packets' behavior toward nearby active addresses. To realize DCMA, it is necessary to investigate the time-series correlation between anomalous packets arriving at small observation address segments and those arriving at nearby addresses. We therefore calculated the correlation strength of anomalous packets that scan address segments, using pairs of sub-observation address segments obtained by dividing the Darknet addresses. Furthermore, we varied the size of the sub-observation segments and investigated the size dependency of the correlation strength. The results indicate that the behavior of anomalous packets toward nearby address segments can possibly be predicted from small sub-observation address spaces. We also found that fixing the base observation to a specific sub-observation space contributes to a strong correlation coefficient. These results imply that DCMA can predict anomalous packets' behavior toward nearby addresses using a small observation space.
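The pairwise sub-segment correlation described in the abstract, as an added example that is not the authors' code. It assumes the Pearson coefficient over 60-second packet counts and takes the first sub-segment as the fixed base; the abstract does not state the coefficient, bin width or base choice, and the packet list is constructed.

```python
import ipaddress
from math import sqrt

def bin_counts(packets, net, t0, width, nbins):
    """Packets per time bin whose destination falls inside `net`."""
    counts = [0] * nbins
    for ts, dst in packets:
        idx = int((ts - t0) // width)
        if 0 <= idx < nbins and ipaddress.ip_address(dst) in net:
            counts[idx] += 1
    return counts

def pearson(x, y):
    """Pearson r of two equal-length series; None if either is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return None if sxx == 0 or syy == 0 else sxy / sqrt(sxx * syy)

def correlation_by_size(packets, darknet, prefixlens, t0, width, nbins):
    """For each sub-segment size, correlate a fixed base (assumed here to be
    the first sub-segment) against every other sub-segment of the block."""
    out = {}
    for plen in prefixlens:
        subs = list(ipaddress.ip_network(darknet).subnets(new_prefix=plen))
        base = bin_counts(packets, subs[0], t0, width, nbins)
        out[plen] = [(str(s), pearson(base, bin_counts(packets, s, t0, width, nbins)))
                     for s in subs[1:]]
    return out

# Constructed sample: (unix_ts, dst) pairs in TEST-NET-1, four 60 s bins.
# A sweep touches one host in every /26 with intensity 1,3,2,0 per bin;
# a separate burst hits 192.0.2.200 four times in the last bin only.
SAMPLE = []
for b, k in enumerate([1, 3, 2, 0]):
    for host in (1, 65, 129, 193):
        SAMPLE += [(b * 60 + i, f"192.0.2.{host}") for i in range(k)]
SAMPLE += [(180 + i, "192.0.2.200") for i in range(4)]

if __name__ == "__main__":
    res = correlation_by_size(SAMPLE, "192.0.2.0/24", [25, 26], 0, 60, 4)
    for plen, rows in res.items():
        for seg, r in rows:
            print(f"/{plen} base vs {seg}:", "n/a" if r is None else f"r = {r:+.3f}")
```

On this sample the sweep keeps most /26 pairs perfectly correlated, while the localized burst drives the last /26 negative and is partly averaged out at /25, which is the kind of size dependency the abstract refers to.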

© Japan Society for Software Science and Technology 2011