Published in: Journal of the National Institute of Information and Communications Technology

DAEDALUS: Practical Alert System Based on Large-scale Darknet Monitoring for Protecting Live Networks


Abstract

A darknet is a set of globally announced unused IP addresses, and using it is a good way to monitor network attacks such as malware scans. However, large-scale darknet monitoring systems have had two problems: 1) the systems make less direct contribution to protecting live networks; 2) the systems provide less incentive to organizations that would deploy a sensor on their darknet. In this paper, we describe a novel darknet monitoring architecture to solve these two problems. Based on the architecture, we designed, implemented, and conducted trial operations of an alert system named DAEDALUS. DAEDALUS enables us to detect malicious hosts in an organization's internal network and to send alerts to an operator of the organization. After the trial operations, we confirmed that DAEDALUS is effective at detecting malicious hosts and misconfigured hosts in internal networks.
