Archive ouverte HAL
Journal article, Computer Networks, 2020

Detection of zero-day attacks: An unsupervised port-based approach

Authors: Agathe Blaise, Mathieu Bouet, Vania Conan, Stefano Secci

Abstract

Recent years have witnessed more and more DDoS attacks on high-profile websites, such as the Mirai botnet attack of September 2016 or, more recently, the memcached attack of March 2018, which required no botnet at all. Neither outbreak was detected or mitigated while it was spreading; both were noticed only once the attack itself took place. Such attacks are generally preceded by several stages, including host infection and device fingerprinting; capturing this preparatory activity would allow early detection. In this paper, we propose a technique for the early detection of emerging botnets and newly exploited vulnerabilities, which consists of (i) splitting the detection process over different network segments and retaining only the anomalies that appear across several of them, and (ii) monitoring at the port level with a simple yet efficient change-detection algorithm based on a modified Z-score. We argue that our technique, named Split-and-Merge, can detect large-scale zero-day attacks while drastically reducing false positives. We apply the method to two datasets: the MAWI dataset, which provides daily traffic traces of a transpacific backbone link, and the UCSD Network Telescope dataset, which contains unsolicited traffic coming mainly from botnet scans. The assumption of a normal distribution, under which the Z-score computation makes sense, is verified through empirical measurements. We also show that the solution generates very few alerts; an extensive evaluation over the last three years of traces identifies major attacks (including Mirai and memcached) that current Intrusion Detection Systems (IDSs) missed. Finally, we classify the detected known and unknown anomalies to provide additional insight into them.
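As an added illustration of the Split-and-Merge idea described in the abstract (this is example code written for this page, not the authors' implementation), the following Python sketch scores per-port packet counts on each network segment independently with a robust, median/MAD-based modified Z-score, flags the ports whose latest time bin deviates beyond a cutoff, and then keeps only the ports that are anomalous on at least two segments. The segment names, the per-port counts, the 3.5 cutoff and the choice of the median/MAD form of the modified Z-score (rather than whatever exact variant the paper uses) are all assumptions made for this example.

```python
"""Split-and-Merge style port-level change detection (added illustration).

Assumptions (not from the paper): input is a dict of
{segment -> {port -> [count per time bin, ..., latest bin]}}, the
"modified Z-score" is Iglewicz & Hoaglin's median/MAD form, and the
conventional cutoff of 3.5 is used.  All sample counts are constructed.
"""
from collections import defaultdict
from statistics import mean, median

THRESHOLD = 3.5  # conventional cutoff for modified Z-scores (assumption)


def modified_z_score(history, value):
    """Robust score of `value` against `history`: 0.6745*(x-median)/MAD.

    The 0.6745 factor makes MAD comparable to a standard deviation under a
    normal distribution, which is the assumption the paper verifies
    empirically.  When MAD collapses to 0 (a nearly constant history) fall
    back to the mean absolute deviation, as Iglewicz & Hoaglin suggest.
    """
    med = median(history)
    abs_dev = [abs(x - med) for x in history]
    mad = median(abs_dev)
    if mad > 0:
        return 0.6745 * (value - med) / mad
    mean_ad = mean(abs_dev)
    if mean_ad > 0:
        return (value - med) / (1.253314 * mean_ad)
    # Perfectly flat history: any change at all is "infinitely" surprising.
    if value == med:
        return 0.0
    return float("inf") if value > med else float("-inf")


def split(segments, threshold=THRESHOLD):
    """Split phase: score each port on each segment independently.

    Returns {segment: {port: score}} holding only the ports whose latest
    bin deviates from the preceding bins by at least `threshold`.
    """
    flagged = {}
    for seg, ports in segments.items():
        flagged[seg] = {}
        for port, counts in ports.items():
            history, current = counts[:-1], counts[-1]
            score = modified_z_score(history, current)
            if abs(score) >= threshold:
                flagged[seg][port] = score
    return flagged


def merge(flagged, min_segments=2):
    """Merge phase: keep only anomalies seen on >= min_segments segments.

    A spike confined to one segment is treated as local noise (a
    misconfiguration, a single noisy host); a port that jumps on several
    independent segments at once is the distributed signal of interest.
    Returns {port: [segments that flagged it]}.
    """
    votes = defaultdict(list)
    for seg, ports in flagged.items():
        for port in ports:
            votes[port].append(seg)
    return {p: sorted(s) for p, s in votes.items() if len(s) >= min_segments}


def detect(segments, threshold=THRESHOLD, min_segments=2):
    """Full pipeline: split, then merge."""
    return merge(split(segments, threshold), min_segments)


# Constructed sample: 8 historical bins plus the latest bin per port.
# Ports 23 and 2323 jump on every segment (a botnet-style telnet sweep);
# port 11211 jumps only on seg-A; port 80 is flat everywhere.
SEGMENTS = {
    "seg-A": {
        23:    [12, 11, 13, 12, 10, 14, 11, 12, 65],
        2323:  [3, 4, 2, 5, 3, 4, 3, 4, 40],
        80:    [500, 510, 495, 505, 498, 503, 501, 499, 504],
        11211: [2, 1, 3, 2, 2, 1, 2, 2, 90],
    },
    "seg-B": {
        23:    [9, 10, 8, 11, 9, 10, 9, 10, 55],
        2323:  [2, 3, 3, 2, 4, 3, 2, 3, 35],
        80:    [300, 310, 295, 305, 298, 303, 301, 299, 306],
        11211: [1, 2, 1, 2, 1, 1, 2, 1, 2],
    },
    "seg-C": {
        23:    [15, 14, 16, 15, 13, 17, 14, 15, 70],
        2323:  [5, 4, 6, 5, 4, 5, 6, 5, 45],
        80:    [700, 710, 695, 705, 698, 703, 701, 699, 702],
        11211: [3, 2, 3, 2, 3, 3, 2, 3, 3],
    },
}

if __name__ == "__main__":
    for seg, ports in split(SEGMENTS).items():
        print(seg, {p: round(s, 1) for p, s in ports.items()})
    print("distributed anomalies:", detect(SEGMENTS))
```

On the constructed input the split phase flags ports 23, 2323 and 11211 on seg-A but only 23 and 2323 on seg-B and seg-C, so the merge phase reports just 23 and 2323; the seg-A-only spike on 11211 is the kind of local anomaly the split-then-merge design exists to discard. Note the MAD-zero fallback: low-volume ports often have a perfectly flat history, and without it a single extra packet would divide by zero or, worse, be scored as a huge deviation.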
Main file: Journal_Split_and_Merge (4).pdf (6.34 MB)
Origin: files produced by the author(s)

Dates and versions

hal-02889708 , version 1 (15-07-2020)

Identifiers

Cite

Agathe Blaise, Mathieu Bouet, Vania Conan, Stefano Secci. Detection of zero-day attacks: An unsupervised port-based approach. Computer Networks, 2020, 180, pp.107391. ⟨10.1016/j.comnet.2020.107391⟩. ⟨hal-02889708⟩
346 views
360 downloads
