Nightlights: Entropy-based Metrics for Classifying Darkspace Traffic Patterns
T. Zseby, N. Brownlee, A. King, and k. claffy, "Nightlights: Entropy-based Metrics for Classifying Darkspace Traffic Patterns", in Passive and Active Network Measurement Workshop (PAM). Mar 2014.

Tanja Zseby [3], Nevil Brownlee [1, 2], Alistair King [1], kc claffy [1]

[1] CAIDA, San Diego Supercomputer Center, University of California San Diego
[2] University of Auckland, New Zealand
[3] Vienna University of Technology

An IP darkspace is a globally routed IP address space with no active hosts. All traffic destined to darkspace addresses is unsolicited and often originates from network scanning or attacks. A sudden increase in different types of darkspace traffic can serve as an indicator of new vulnerabilities, misconfigurations or large-scale attacks. In our analysis we take advantage of the fact that darkspace traffic typically originates from processes that use randomly chosen addresses or ports (e.g. scanning) or target a specific address or port (e.g. DDoS, worm spreading). These behaviors induce a concentration or dispersion in feature distributions of the resulting traffic aggregate and can be distinguished using entropy as a compact representation. Its lightweight, unambiguous, and privacy-compatible character makes entropy a suitable metric that can facilitate early warning capabilities, operational information exchange among network operators, and comparison of analysis results among a network of distributed IP darkspaces.
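The concentration-versus-dispersion idea in the abstract can be illustrated with a short sketch; this is an added example, not code or metric definitions from the paper. It assumes Shannon entropy normalized by the packet count, hypothetical thresholds of 0.2 and 0.8, and constructed packet windows that use documentation address ranges.

```python
import math
from collections import Counter

FEATURES = ("src_ip", "dst_ip", "dst_port")

def normalized_entropy(values):
    """Shannon entropy of the observed values, scaled to [0, 1].

    Scaling by log2(number of packets) is a choice made for this example:
    0 means every packet carries the same value, 1 means all values differ.
    """
    counts = Counter(values)
    n = sum(counts.values())
    if n < 2 or len(counts) == 1:
        return 0.0
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)

def entropy_profile(packets):
    """Per-feature normalized entropy for one time window of packets."""
    return {f: normalized_entropy([p[f] for p in packets]) for f in FEATURES}

def signature(packets, low=0.2, high=0.8):
    """Label each feature; the thresholds are illustrative assumptions."""
    labels = {}
    for feature, h in entropy_profile(packets).items():
        labels[feature] = ("concentrated" if h <= low
                           else "dispersed" if h >= high else "mixed")
    return labels

# Constructed window: one source probing 200 darkspace addresses on one port.
SCAN = [{"src_ip": "203.0.113.9", "dst_ip": f"192.0.2.{i}", "dst_port": 23}
        for i in range(200)]
# Constructed window: 100 sources all hitting one address and one port.
TARGETED = [{"src_ip": f"198.51.100.{i % 100}", "dst_ip": "192.0.2.77",
             "dst_port": 80} for i in range(200)]

if __name__ == "__main__":
    for name, window in (("scan", SCAN), ("targeted", TARGETED)):
        print(name, signature(window))
```

Only the per-feature entropy values leave the sensor in this sketch, not the addresses themselves, which is what makes such a summary easy to exchange between darkspace operators.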

Keywords: network telescope, security
  Last Modified: Wed Oct-11-2017 17:04:02 PDT
  Page URL: http://www.caida.org/publications/papers/2014/nightlights_entropy/index.xml