Skip to Content
[CAIDA - Center for Applied Internet Data Analysis logo]
Center for Applied Internet Data Analysis > publications : papers : 2014 : nightlights_entropy
Nightlights: Entropy-based Metrics for Classifying Darkspace Traffic Patterns
T. Zseby, N. Brownlee, A. King, and k. claffy, "Nightlights: Entropy-based Metrics for Classifying Darkspace Traffic Patterns", in Passive and Active Network Measurement Workshop (PAM), Mar 2014.
|   View full paper:    DOI    PDF (abstract only)    |  Citation:    BibTeX    Resource Catalog   |

Nightlights: Entropy-based Metrics for Classifying Darkspace Traffic Patterns

Tanja Zseby3
Nevil Brownlee1, 2
Alistair King1
kc claffy1

CAIDA, San Diego Supercomputer Center, University of California San Diego


University of Auckland, New Zealand


Vienna University of Technology

An IP darkspace is a globally routed IP address space with no active hosts. All traffic destined to darkspace addresses is unsolicited and often originates from network scanning or attacks. A sudden increases of different types of darkspace traffic can serve as indicator of new vulnerabilities, misconfigurations or large scale attacks. In our analysis we take advantage of the fact that darkspace traffic typically originates from processes that use randomly chosen addresses or ports (e.g. scanning) or target a specific address or port (e.g. DDoS, worm spreading). These behaviors induce a concentration or dispersion in feature distributions of the resulting traffic aggregate and can be distinguished using entropy as a compact representation. Its lightweight, unambiguous, and privacy-compatible character makes entropy a suitable metric that can facilitate early warning capabilities, operational information exchange among network operators, and comparison of analysis results among a network of distributed IP darkspaces.

Keywords: network telescope, security
  Last Modified: Tue Nov-17-2020 04:47:19 UTC
  Page URL: