DocumentCode
1782733
Title
Modelling IP darkspace traffic by means of clustering techniques
Author
Iglesias, Felix ; Zseby, Tanja
Author_Institution
Inst. of Telecommun., Vienna Univ. of Technol., Vienna, Austria
fYear
2014
fDate
29-31 Oct. 2014
Firstpage
166
Lastpage
174
Abstract
An IP darkspace is an unused IP address range. Addresses are announced by routing, but no hosts are attached. Therefore all traffic directed to IP darkspace addresses is unsolicited and usually originates from attacks, attack preparation activities or misconfigurations. Most of the observed traffic belongs to known phenomena (e.g. horizontal scanning targeting a specific port) and is of limited interest to security analysts. But hidden in the vast amount of common attacks, smaller unusual events may indicate new malicious activities. In this paper we present a methodology to distinguish IP darkspace sources with common traffic patterns from sources that show uncommon behavior and may be the origin of novel attacks. For this, we model IP darkspace sources based on clustering techniques. We extract data from one complete month of a large /8 darkspace capture and use a very simple feature vector. Our analysis is purely based on clustering techniques and does not require any pre-knowledge about phenomena in darkspace traffic. We found that about 75% of the darkspace IP sources contribute to a set of very stable clusters, 4% to less stable clusters and 21% to outliers. This allows us to concentrate the effort of searching for new attacks on just 21% of the sources.
Keywords
IP networks; computer network security; pattern clustering; IP darkspace addresses; IP darkspace sources; attack preparation activities; clustering techniques; darkspace traffic; Algorithm design and analysis; Clustering algorithms; Feature extraction; IP networks; Ports (Computers); Security; Vectors;
fLanguage
English
Publisher
ieee
Conference_Titel
Communications and Network Security (CNS), 2014 IEEE Conference on
Conference_Location
San Francisco, CA
Type
conf
DOI
10.1109/CNS.2014.6997483
Filename
6997483