Machine Learning Techniques for Detection of Coordinated Events in the Internet

PhD program in Electrical, Electronics and Communication Engineering

Supervisors

Marco Mellia, marco.mellia@polito.it
Luca Vassio, luca.vassio@polito.it
Idilio Drago, idilio.drago@unito.it

PhD Student: Luca Gioacchini

Context of the research activity

Darknets are network monitoring tools composed of sets of IP addresses that are announced in routing protocols but host no services. They passively listen to incoming traffic and record it. The received packets are a privileged source of information for network security: since no legitimate production traffic reaches a darknet, everything it receives is unsolicited, which makes it easier to detect threats such as Internet-wide scans, brute-force attempts against services, backscatter from spoofed attacks, etc. Darknets nevertheless receive a large volume of traffic from thousands of sources. Large botnets in particular are used to scan for vulnerable services online. Such events follow diverse patterns, with multiple hosts belonging to a single botnet eventually contacting the darknet.

Detecting and evaluating such coordinated events is an important step towards fully exploiting the monitoring potential of darknets. It would reduce the amount of data that security analysts have to evaluate and provide a richer picture of ongoing attacks on the Internet.

Given the huge number of source IPs constantly targeting darknets, manual analysis of the received traffic is impractical. Moreover, there is no comprehensive ground truth that could be used to learn traffic patterns, so supervised approaches cannot be applied directly.

Objectives

Several research questions arise when investigating the network traffic around darknets. The following are some of the steps to investigate:

  • Develop machine learning methodologies to identify coordinated events
  • Model the events as a graph and extract emerging patterns
  • Characterise the traffic sources and their activity, highlighting possible botnets
  • Study widespread botnets and their evolution (e.g., Mirai)
  • Investigate anomalies in the coordinated events observed by darknets
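As an added illustration of the first two objectives (this is not code from the posting or from the research group), the script below takes constructed darknet flow records, builds one port-set profile per source and time window, links sources whose port sets are near-identical (Jaccard similarity) into a graph, and reports the connected components as candidate coordinated events. The record format, the window length, the similarity threshold and the sample IPs are all assumptions made for the example; a real pipeline would use richer features (timing, packet sizes, TTLs, scanning order) and a proper clustering step, but the graph idea is the same.

```python
"""Toy detector for coordinated darknet events (added example, not project code).

Assumptions (not taken from the posting): darknet traffic is available as
flow records (unix_ts, src_ip, dst_port); two sources are "coordinated" when
they target near-identical port sets inside the same time window.
"""
from collections import defaultdict
from itertools import combinations

T = 1_700_000_000  # arbitrary base timestamp for the constructed sample

# Constructed sample records, not real darknet data. Three kinds of activity:
#  - 10.0.0.1-4 : a Mirai-style sweep of TCP/23 and TCP/2323 (one bot also
#                 probes 80), all in the same 10-minute window
#  - 10.0.1.1-3 : a wider web/database sweep in the same window
#  - stragglers : single-port hits that should not be grouped with anything
RECORDS = []
for i in range(1, 5):
    for port in (23, 2323):
        RECORDS.append((T + 10 * i, f"10.0.0.{i}", port))
RECORDS.append((T + 50, "10.0.0.4", 80))
for i in range(1, 4):
    for port in (80, 443, 8080, 3306):
        RECORDS.append((T + 20 * i, f"10.0.1.{i}", port))
RECORDS += [
    (T + 100, "192.0.2.7", 22),
    (T + 120, "203.0.113.5", 80),
    (T + 5000, "198.51.100.9", 445),  # different window
]


def jaccard(a, b):
    """Jaccard similarity of two port sets (0.0 when both are empty)."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def profiles(records, window):
    """Map (window_id, src_ip) -> set of destination ports seen in that window."""
    prof = defaultdict(set)
    for ts, src, port in records:
        prof[(ts // window, src)].add(port)
    return prof


def coordinated_events(records, window=600, min_sim=0.6, min_size=3):
    """Return candidate coordinated events as dicts (window, sources, ports).

    Sources in the same window are nodes; an edge joins two nodes when their
    port sets have Jaccard similarity >= min_sim. Connected components with at
    least min_size members are reported, together with the ports all members
    share. Components are found with a small union-find, so no graph library
    is required.
    """
    prof = profiles(records, window)
    by_window = defaultdict(list)
    for (w, src) in prof:
        by_window[w].append(src)

    events = []
    for w, srcs in by_window.items():
        parent = {s: s for s in srcs}

        def find(x):
            while parent[x] != x:
                parent[x] = parent[parent[x]]  # path halving
                x = parent[x]
            return x

        for a, b in combinations(srcs, 2):
            if jaccard(prof[(w, a)], prof[(w, b)]) >= min_sim:
                parent[find(a)] = find(b)

        groups = defaultdict(list)
        for s in srcs:
            groups[find(s)].append(s)
        for members in groups.values():
            if len(members) >= min_size:
                common = set.intersection(*(prof[(w, s)] for s in members))
                events.append({"window": w, "sources": sorted(members),
                               "ports": sorted(common)})

    events.sort(key=lambda e: (e["window"], e["sources"]))
    return events


if __name__ == "__main__":
    for ev in coordinated_events(RECORDS):
        print(f"window {ev['window']}: {len(ev['sources'])} sources, "
              f"common ports {ev['ports']}: {', '.join(ev['sources'])}")
```

With the sample data the single-port stragglers stay unclustered, the bot that also probed port 80 is still pulled into the Telnet group (Jaccard 2/3), and the two sweeps come out as separate events with their shared port sets, which is the kind of summary an analyst can review instead of thousands of individual sources.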

Skills and competencies for the development of the activity

  • Knowledge of network security and network monitoring tools, such as darknets and honeypots
  • Machine learning
  • Anomaly detection
  • Python programming

Further information about the PhD program at Politecnico can be found here
