A Darknet Traffic Analysis for IoT Malwares Using Association Rule Learning
Author(s) - Naoki Hashimoto, Seiichi Ozawa, Tao Ban, Junji Nakazato, Jumpei Shimamura
Publication year - 2018
Publication title - Procedia Computer Science
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.334
H-Index - 76
ISSN - 1877-0509
DOI - 10.1016/j.procs.2018.10.511
Subject(s) - computer science, network packet, malware, window (computing), source code, computer network, association rule learning, focus (optics), code (set theory), sliding window protocol, set (abstract data type), data mining, computer security, operating system, programming language, physics, optics
In this paper, we report an interesting observation of darknet traffic in the period before the source code of the IoT malware Mirai was first made public on September 7th 2016. In our darknet analysis, frequent pattern mining and association rule learning were performed on a large set of TCP SYN packets collected from July 1st 2016 to September 15th 2016 with the NICT/16 darknet sensor. The collected traffic comprises 1,840,973,403 packets in total, sent from 17,928,006 unique hosts. In this study, we focus on frequently appearing combinations of "window sizes" in TCP headers. We successfully extracted a certain number of frequent patterns and association rules on window sizes, and we identified the source hosts that sent out SYN packets matching any of the extracted rules. In addition, we show that almost all such hosts sent SYN packets satisfying the three conditions known from the source code of Mirai. Such hosts started their scan activities on August 2nd 2016 and ended on September 4th 2016 (i.e., 3 days before the source code was made public).