Detection of zero-day attacks: An unsupervised port-based approach

Agathe Blaise (1, 2), Mathieu Bouet (1), Vania Conan (1), Stefano Secci (3)
2: Phare, LIP6
3: CEDRIC - ROC (Réseaux et Objets Connectés), CEDRIC - Centre d'études et de recherche en informatique et communications
Abstract: Recent years have witnessed more and more DDoS attacks on high-profile websites, such as the Mirai botnet attack in September 2016 or, more recently, the memcached attack in March 2018, this time with no botnet required. Neither outbreak was detected or mitigated while it was spreading; both were noticed only when the attack itself took place. Such attacks are generally preceded by several stages, including infection of hosts or device fingerprinting; capturing this preparatory activity would allow their early detection. In this paper, we propose a technique for the early detection of emerging botnets and newly exploited vulnerabilities, which consists in (i) splitting the detection process over different network segments and retaining only distributed anomalies (those seen in several segments), and (ii) monitoring at the port level with a simple yet efficient change-detection algorithm based on a modified Z-score measure. We argue that our technique, named Split-and-Merge, can ensure the detection of large-scale zero-day attacks while drastically reducing false positives. We apply the method to two datasets: the MAWI dataset, which provides daily traffic traces of a transpacific backbone link, and the UCSD Network Telescope dataset, which contains unsolicited traffic mainly coming from botnet scans. The assumption of a normal distribution, under which the Z-score computation makes sense, is verified through empirical measurements. We also show that the solution generates very few alerts; an extensive evaluation over the last three years identifies major attacks (including Mirai and memcached) that current Intrusion Detection Systems (IDSs) had not seen. Finally, we classify the detected known and unknown anomalies to give additional insights into them.
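The abstract describes the two mechanisms but this page gives neither the exact Z-score variant nor the thresholds. The following is an added illustration (not the authors' code) of the Split-and-Merge idea: each network segment scores its own per-port daily counts with a robust, median/MAD-based modified Z-score (the Iglewicz-Hoaglin form, 0.6745 · (x − median) / MAD, flagged at |z| > 3.5, both assumed here), and the merge step keeps only ports flagged in at least two segments. The segment names, port numbers and packet counts are constructed sample input; the MAD-equals-zero fallback covers quiet ports whose counts barely move, which is where a naive Z-score divides by zero.

```python
"""Toy Split-and-Merge detector: per-segment, per-port change detection with a
modified Z-score, then a merge step that keeps only anomalies seen in several
segments.  Added illustration, not the authors' code."""
from statistics import median
from typing import Dict, List, Set

# Assumed constants (not given on this page): the Iglewicz-Hoaglin modified
# Z-score uses 0.6745 * (x - median) / MAD and flags |z| > 3.5.
MAD_CONSISTENCY = 0.6745
MEAN_AD_CONSISTENCY = 1.253314
DEFAULT_THRESHOLD = 3.5

# Constructed sample input: daily packet counts per destination port for three
# hypothetical segments.  The first ten values are the baseline; the last value
# is the day under test.  Port 23 surges in every segment (a distributed
# anomaly), port 8080 surges in one segment only (a local anomaly), port 80
# stays flat.
BASELINE = [100, 103, 98, 101, 99, 102, 100, 97, 104, 100]
BASELINE_80 = [x * 50 for x in BASELINE]
SAMPLE_SEGMENTS: Dict[str, Dict[int, List[int]]] = {
    "segment-A": {23: BASELINE + [300], 80: BASELINE_80 + [5050], 8080: BASELINE + [400]},
    "segment-B": {23: BASELINE + [280], 80: BASELINE_80 + [4980], 8080: BASELINE + [102]},
    "segment-C": {23: BASELINE + [310], 80: BASELINE_80 + [5010], 8080: BASELINE + [98]},
}


def modified_zscore(history: List[float], value: float) -> float:
    """Robust Z-score of `value` against `history`: median and MAD instead of
    mean and standard deviation, so one past spike does not inflate the
    baseline.  When the MAD is zero (quiet ports whose counts barely move),
    fall back to the mean absolute deviation as Iglewicz and Hoaglin suggest;
    if even that is zero, any change at all is reported as infinite."""
    med = median(history)
    abs_dev = [abs(x - med) for x in history]
    mad = median(abs_dev)
    if mad > 0:
        return MAD_CONSISTENCY * (value - med) / mad
    mean_ad = sum(abs_dev) / len(abs_dev)
    if mean_ad > 0:
        return (value - med) / (MEAN_AD_CONSISTENCY * mean_ad)
    return 0.0 if value == med else float("inf")


def segment_anomalies(port_series: Dict[int, List[int]], threshold: float = DEFAULT_THRESHOLD,
                      window: int = 10, min_history: int = 5) -> Set[int]:
    """Split step: ports whose latest count is an outlier with respect to the
    trailing `window` of that segment's own history."""
    flagged: Set[int] = set()
    for port, series in port_series.items():
        history, latest = series[-window - 1:-1], series[-1]
        if len(history) < min_history:
            continue  # not enough baseline to say anything yet
        if abs(modified_zscore(history, latest)) > threshold:
            flagged.add(port)
    return flagged


def merge_votes(segments: Dict[str, Dict[int, List[int]]],
                threshold: float = DEFAULT_THRESHOLD) -> Dict[int, int]:
    """Merge step: count in how many segments each port was flagged."""
    votes: Dict[int, int] = {}
    for port_series in segments.values():
        for port in segment_anomalies(port_series, threshold):
            votes[port] = votes.get(port, 0) + 1
    return votes


def distributed_anomalies(segments: Dict[str, Dict[int, List[int]]], min_segments: int = 2,
                          threshold: float = DEFAULT_THRESHOLD) -> Set[int]:
    """Keep only ports flagged in at least `min_segments` segments; an anomaly
    confined to a single segment is treated as local noise and dropped."""
    return {port for port, n in merge_votes(segments, threshold).items() if n >= min_segments}


if __name__ == "__main__":
    print("per-segment:", {s: sorted(segment_anomalies(p)) for s, p in SAMPLE_SEGMENTS.items()})
    print("distributed:", sorted(distributed_anomalies(SAMPLE_SEGMENTS)))
```

On the constructed input every segment flags port 23 and only segment-A flags port 8080, so the merge reports port 23 alone; this is the false-positive reduction the abstract attributes to retaining distributed anomalies. The median/MAD choice matters in practice: a mean/standard-deviation Z-score computed over a window that already contains yesterday's scan wave would absorb the spike into the baseline and miss a second day of the same activity.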
Document type :
Journal articles

Cited literature: 59 references

https://hal.archives-ouvertes.fr/hal-02889708
Contributor: Agathe Blaise
Submitted on: Wednesday, July 15, 2020 - 9:32:35 AM
Last modification on: Monday, July 20, 2020 - 1:38:05 PM
Long-term archiving on: Friday, September 25, 2020 - 11:33:14 AM

File: Journal_Split_and_Merge (4).pd... (files produced by the author(s))

Citation

Agathe Blaise, Mathieu Bouet, Vania Conan, Stefano Secci. Detection of zero-day attacks: An unsupervised port-based approach. Computer Networks, Elsevier, 2020, 180, pp.107391. ⟨10.1016/j.comnet.2020.107391⟩. ⟨hal-02889708⟩

Metrics: 102 record views, 165 file downloads