Conference Topic

Virtual Dark IP for Internet Threat Detection

This paper proposes a new method for detecting Internet threats by utilizing virtual dark IP space. Dark IP refers to IP address space that is not used for connecting machines to the Internet. A dark IP space still receives incoming IP packets even though it is neither allocated to a host nor registered in DNS. These incoming packets are interesting to analyze because they are mostly related to malicious activities. There have been several Internet threat detection systems, such as WCLSCAN and ISDAS. They use sensor machines to capture IP packets. The sensors have IP addresses that offer no services and send no responses to outside networks, i.e., dark IPs. This paper proposes Virtual Dark IP in place of actual sensor machines. Our method analyzes network flows to detect anomalous packets that have unused IP addresses as their destinations. NetFlow data is collected from backbone routers. This paper describes the detection algorithm. Then, it shows the results of experiments comparing our system with other existing systems.

Net Flow; Threat Detection; Sensor; Dark IP

Akihiro Shimoda, Shigeki Goto

Waseda University, 3-4-1 Okubo, Shinjuku-ku, Tokyo, Japan

International conference

APAN Network Research Workshop 2007 (24th Asia-Pacific Advanced Network Meeting)

Xi'an

English

17-23

2007-08-27 (date first made available online on the Wanfang platform; this does not represent the paper's publication date)