Real-Time Detection of Global Cyberthreat Based on Darknet by Estimating Anomalous Synchronization Using Graphical Lasso

Bibliographic Details
Published in: IEICE Transactions on Information and Systems, Vol. E103.D, No. 10, pp. 2113-2124
Main Authors: HAN, Chansu; SHIMAMURA, Jumpei; TAKAHASHI, Takeshi; INOUE, Daisuke; TAKEUCHI, Jun'ichi; NAKAO, Koji
Format: Journal Article
Language: English
Published: Tokyo: The Institute of Electronics, Information and Communication Engineers, 01.10.2020
Distributed by: Japan Science and Technology Agency
Summary: With the rapid evolution and increase of cyberthreats in recent years, it is necessary to detect and understand them promptly and precisely to reduce their impact. A darknet, which is an unused IP address space, has a high signal-to-noise ratio, so it is easier to understand the global tendency of malicious traffic in cyberspace than with other observation networks. In this paper, we aim to capture global cyberthreats in real time. Since multiple hosts infected with similar malware tend to perform similar behavior, we propose a system that estimates a degree of synchronization from the patterns of packet transmission times among the source hosts observed in a unit time of the darknet and detects anomalies in real time. In our evaluation, we run our proof-of-concept implementation of the proposed engine to demonstrate its feasibility and effectiveness, and we detect cyberthreats with an accuracy of 97.14%. This work is the first practical trial that detects cyberthreats from in-the-wild darknet traffic in real time, regardless of new types and variants, and that quantitatively evaluates the result.
ISSN: 0916-8532; 1745-1361
DOI: 10.1587/transinf.2020EDP7076