DocumentCode
248578
Title
Towards a taxonomy of darknet traffic
Author
Jun Liu ; Fukuda, Kenji
Author_Institution
Dept. of Inf., Grad. Univ. for Adv. Studies, Tokyo, Japan
fYear
2014
fDate
4-8 Aug. 2014
Firstpage
37
Lastpage
43
Abstract
Darknets can be used to monitor unexpected network traffic destined for allocated but unused IP address blocks, thus providing an effective traffic measurement technique for viewing certain remote network security events. Past works in this field discussed the possible causes (events) of darknet traffic and applied their classification schemes on short-range traces. Our interest lies, however, in how darknets have evolved since those works and the effectiveness of a darknet taxonomy for real long-range traffic. We thus propose a simple but effective taxonomy of darknet traffic, on the basis of observations, and evaluate it on real darknet traces covering six years. The evaluation results show that we can detect and label anomalous events defined by the taxonomy for over 96% of all sources, making the unlabeled source rate extremely low. We also obtain some interesting findings on the evolution of different anomalous events since 2006 (especially in recent years), determine the most appropriate time bin for traffic analysis of our traces, and highlight the general applicability of our taxonomy on different darknet datasets. Finally, we conclude that most sources in our traces are characterized by just one or two events with simple attack mechanisms.
Keywords
IP networks; telecommunication security; telecommunication traffic; anomalous events; darknet datasets; darknet taxonomy; darknet traffic; real long-range traffic; remote network security events; short-range traces; time bin; traffic analysis; traffic measurement technique; unexpected network traffic; unlabeled source rate; unused IP address blocks; Backscatter; IP networks; Internet; Monitoring; Ports (Computers); Protocols; Taxonomy; Darknet; Taxonomy; Traffic Analysis;
fLanguage
English
Publisher
IEEE
Conference_Titel
Wireless Communications and Mobile Computing Conference (IWCMC), 2014 International
Conference_Location
Nicosia
Print_ISBN
978-1-4799-7324-8
Type
conf
DOI
10.1109/IWCMC.2014.6906329
Filename
6906329