Port-Piece Embedding for Darknet Traffic Features and Clustering of Scan Attacks.

2020 
With the proliferation of the Internet of Things (IoT), the damage caused by cyber-attacks that abuse the resources of malware-infected IoT devices is becoming more serious. Darknet monitoring, which constantly observes packets sent from malware-infected hosts to unused IP address space, has proven effective for countering indiscriminate cyber-threats. In this paper, we present a new machine learning scheme to track the attack activities and the evolution of infected devices observed on the darknet. First, we perform feature extraction using FastText to explore the underlying correlation between targeted network services, as indicated by the destination ports of scanning packets. Then, we employ a nonlinear dimension reduction technique, UMAP, to project hosts into a 2-D embedding space for visualization. Finally, we perform clustering analysis based on DBSCAN to automatically identify groups of infected hosts with similar attack behaviors. In the experiments, we use a one-month darknet traffic trace collected from a /16 darknet sensor to demonstrate the efficacy of the proposed scheme. We show that groups of Mirai variants, potentially infected by the same botnets, can be successfully detected by the proposed approach. In particular, a Mirai variant targeting vulnerabilities on TCP port 9530 was newly discovered during the observation period.
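The pipeline sketched in the abstract (per-host destination-port features, then density-based clustering of hosts with similar scan behaviour) as an added, self-contained illustration; this is not the paper's code. It assumes that a "port piece" is the port number together with its character n-grams, in the style of FastText subword features, and substitutes a minimal DBSCAN over Jaccard distance for the FastText/UMAP embedding steps; host addresses and port lists are constructed sample data.

```python
"""Group darknet scanners by the destination ports they probe (added example)."""

# Constructed sample: source host -> destination ports seen at the sensor.
# Three telnet (Mirai-style) scanners, two web scanners, one isolated host.
SCANS = {
    "10.0.0.1": [23, 2323, 23, 23, 2323],
    "10.0.0.2": [23, 23, 2323],
    "10.0.0.3": [2323, 23, 23],
    "10.0.0.4": [80, 8080, 80, 443],
    "10.0.0.5": [8080, 80, 80],
    "10.0.0.6": [9530, 5555, 52869],  # lone host: expected to be noise
}

def port_pieces(port, n=(2, 3)):
    """Port token plus its character n-grams (assumed port-piece scheme)."""
    s = f"<{port}>"
    pieces = {s}
    for k in n:
        pieces.update(s[i:i + k] for i in range(len(s) - k + 1))
    return pieces

def host_features(ports):
    """Bag of port pieces describing one scanning host."""
    feats = set()
    for p in ports:
        feats |= port_pieces(p)
    return feats

def jaccard_distance(a, b):
    return 1.0 - len(a & b) / len(a | b)

def dbscan(points, eps, min_pts):
    """Minimal DBSCAN; returns {point_id: cluster_id}, -1 marks noise."""
    ids = list(points)
    neigh = {i: [j for j in ids if jaccard_distance(points[i], points[j]) <= eps]
             for i in ids}  # eps-neighbourhoods, each includes the point itself
    labels, cluster = {}, 0
    for i in ids:
        if i in labels:
            continue
        if len(neigh[i]) < min_pts:      # not a core point: provisional noise
            labels[i] = -1
            continue
        labels[i] = cluster
        queue = [j for j in neigh[i] if j != i]
        while queue:                     # expand the cluster through core points
            j = queue.pop()
            if labels.get(j, -1) == -1:  # unvisited or noise joins the cluster
                unvisited = j not in labels
                labels[j] = cluster
                if unvisited and len(neigh[j]) >= min_pts:
                    queue.extend(k for k in neigh[j] if k not in labels)
        cluster += 1
    return labels

def cluster_hosts(scans=SCANS, eps=0.5, min_pts=2):
    """Cluster hosts by the similarity of their port-piece bags."""
    return dbscan({h: host_features(p) for h, p in scans.items()}, eps, min_pts)
```

On the sample data the telnet scanners form one cluster, the web scanners another, and the host probing 9530/5555/52869 is left as noise, which is the kind of outlier a new variant would surface as.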