
Monitoring Network Telescopes and Inferring Anomalous Traffic Through the Prediction of Probing Rates

Authors :
Mehdi Zakroum
Jerome Francois
Isabelle Chrisment
Mounir Ghogho
Resilience and Elasticity for Security and ScalabiliTy of dynamic networked systems (RESIST)
Inria Nancy - Grand Est
Institut National de Recherche en Informatique et en Automatique (Inria)-Institut National de Recherche en Informatique et en Automatique (Inria)-Department of Networks, Systems and Services (LORIA - NSS)
Laboratoire Lorrain de Recherche en Informatique et ses Applications (LORIA)
Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Laboratoire Lorrain de Recherche en Informatique et ses Applications (LORIA)
Institut National de Recherche en Informatique et en Automatique (Inria)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)-Université de Lorraine (UL)-Centre National de la Recherche Scientifique (CNRS)
Université Internationale de Rabat (UIR)
Source :
IEEE Transactions on Network and Service Management, 2022, pp.1-1. ⟨10.1109/TNSM.2022.3183497⟩
Publication Year :
2022
Publisher :
HAL CCSD, 2022.

Abstract

International audience; Network reconnaissance is the first step preceding a cyber-attack. Hence, monitoring the probing activities is imperative to help security practitioners enhance their awareness about Internet’s large-scale events or peculiar events targeting their network. In this paper, we present a framework for an improved and efficient monitoring of the probing activities targeting network telescopes. Particularly, we model the probing rates which are a good indicator for measuring the cyber-security risk targeting network services. The approach consists of first inferring groups of network ports sharing similar probing characteristics through a new affinity metric capturing both temporal and semantic similarities between ports. Then, sequences of probing rates targeting similar ports are used as inputs to stacked Long Short-Term Memory (LSTM) neural networks to predict probing rates 1 hour and 1 day in advance. Finally, we describe two monitoring indicators that use the prediction models to infer anomalous probing traffic and to raise early threat warnings. We show that LSTM networks can accurately predict probing rates, outperforming the non-stationary autoregressive model, and we demonstrate that the monitoring indicators are efficient in assessing the cyber-security risk related to vulnerability disclosure.

Details

Language :
English
ISSN :
19324537
Database :
OpenAIRE
Journal :
IEEE Transactions on Network and Service Management, 2022, pp.1-1. ⟨10.1109/TNSM.2022.3183497⟩
Accession number :
edsair.doi.dedup.....ca895e829a5100db29db99b6ed259494