Darknet Monitoring on Real-Operated Networks

Dark net monitoring is an effective method to analyze malicious activities on networks including the Internet. Since there is no legitimate host on darknets, traffic sent to such a space is considered to be malicious. There are two major issues for dark net monitoring: how to prepare unused address space and how to configure network sensors deployed on the network. Preparation of monitoring addresses is difficult, and it have not been obvious yet what an appropriate configuration is. To solve the first issue, we proposed a method for network monitoring by exploiting unused IP addresses on segments managed by DHCP server, where is a real-operated network. By assigning these addresses, we can easily obtain IP addresses for monitoring and enable network monitoring on production network. Furthermore, we conducted real dark net monitoring experiments and clarified what kind of information could be obtained. We deployed several types of sensors on real-operated network and captured dark net traffic. After analyzing the traffic, we compared the data between each sensor. We found that there were dramatic differences between the data collected by each sensor and our proposed method was useful for real network monitoring.