{"title":"Analyzing darknet TCP traffic stability at different timescales","authors":"Napaphat Vichaidis, H. Tsunoda, G. Keeni","doi":"10.1109/ICOIN.2018.8343098","DOIUrl":null,"url":null,"abstract":"Darknet traffic analysis is a possible choice for observing global trends in security threats and analyzing the behavior of Internet attacks. We previously analyzed darknet traffic and evaluated the day to day stability. The investigation of traffic data identifies several anomalous events with drastic changes in instability mainly caused by distributed denial-of-service attacks, misconfigurations, scans, and backscatters. Our previous proposal is not adapted to detect small-scale events, where a small number of attackers send packets to the destination targets in a short duration. We analyze herein the cause of instabilities in transmission control protocol traffic at different timescales by investigating the number of senders to each destination port and the duration of the attack to classify the characteristics of diverse events. Some large-scale events can be detected from the instabilities in daily traffic, while some small-scale events can be detected from the instabilities of hourly traffic.","PeriodicalId":228799,"journal":{"name":"2018 International Conference on Information Networking (ICOIN)","volume":"27 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2018 International Conference on Information Networking (ICOIN)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICOIN.2018.8343098","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 3
Abstract
Darknet traffic analysis is a possible choice for observing global trends in security threats and analyzing the behavior of Internet attacks. We previously analyzed darknet traffic and evaluated the day-to-day stability. The investigation of traffic data identifies several anomalous events with drastic changes in instability mainly caused by distributed denial-of-service attacks, misconfigurations, scans, and backscatters. Our previous proposal is not adapted to detect small-scale events, where a small number of attackers send packets to the destination targets in a short duration. We analyze herein the cause of instabilities in transmission control protocol traffic at different timescales by investigating the number of senders to each destination port and the duration of the attack to classify the characteristics of diverse events. Some large-scale events can be detected from the instabilities in daily traffic, while some small-scale events can be detected from the instabilities of hourly traffic.