
Research Article
Visibility of Scan Traffic Trends in Sparsely Populated Darknets
@INPROCEEDINGS{10.1007/978-3-031-64954-7_12,
  author={Kodai Mizutani and Daisuke Kotani and Yasuo Okabe},
  title={Visibility of Scan Traffic Trends in Sparsely Populated Darknets},
  proceedings={Security and Privacy in Communication Networks. 19th EAI International Conference, SecureComm 2023, Hong Kong, China, October 19-21, 2023, Proceedings, Part II},
  proceedings_a={SECURECOMM PART 2},
  year={2024},
  month={10},
  keywords={Darknet, Port scan, IPv4 address, Sparsely Populated Darknet},
  doi={10.1007/978-3-031-64954-7_12}
}
- Kodai Mizutani
- Daisuke Kotani
- Yasuo Okabe
Year: 2024
SECURECOMM PART 2
Springer
DOI: 10.1007/978-3-031-64954-7_12
Abstract
The darknet is one of the main sources for obtaining knowledge of cyber-attacks. Maintaining a large-scale darknet may become difficult in the future due to the high demand for IPv4 addresses and the exhaustion of the IPv4 address pool. When the size of a darknet is reduced so that more IPv4 addresses can be assigned to users, it is necessary to understand how the reduction in address size will affect the visibility of the darknet, which refers to the degree to which attack trends can be understood. Darknet visibility is discussed from various perspectives, but this research focuses on visibility related to detecting signs of an attack on a specific port, especially the accuracy of change point detection based on time-series data representing the number of packet transitions on each port. We propose Sparsely Populated Darknets, which consist of small address blocks, as a way to reduce the size of an existing darknet, and report on the usefulness of this type of darknet. We compare Sparsely Populated Darknets with a contiguous address darknet that consists of the same number of contiguous IP addresses as the Sparsely Populated Darknets. Sparsely Populated Darknets showed higher visibility than the contiguous address darknet in terms of trend changes in the number of TCP SYN packets on each major port. Based on this, this paper reports the possibility of effectively utilizing a small number of IP addresses that are not assigned by an organization as Sparsely Populated Darknets.