Visibility of Scan Traffic Trends in Sparsely Populated Darknets

The darknet is one of the main sources for obtaining knowledge of cyber-attacks. Maintaining a large-scale darknet may become difficult in the future due to the high demand for IPv4 addresses and the exhaustion of IPv4 address pool. In the case of reducing the size of the darknet for assigning more IPv4 addresses to users, it is necessary to understand how the reduction in address size will affect the visibility of the darknet, which refers to the degree of attack trends that can be understood. Darknet visibility is discussed from various perspectives, but this research focuses on visibility related to detecting signs of an attack on a specific port, especially the accuracy of change point detection based on time-series data representing the number of packet transitions on each port. We propose Sparsely Populated Darknets consisting of small address blocks as a way to reduce the size of the existing darknet, and report on the usefulness of this type of darknet. We compare Sparsely Populated Darknets with contiguous address darknet that consists of the same number of contiguous IP addresses as Sparsely Populated Darknets. Sparsely Populated Darknets showed higher visibility than contiguous address darknet in terms of trend changes in the number of TCP SYN packets on each major ports. Based on this, this paper reports the possibility of effectively utilizing a small number of IP addresses that are not assigned by an organization as Sparsely Populated Darknets.