Next Article in Journal
The Financial Crisis and Co-Movement of Global Stock Markets—A Case of Six Major Economies
Next Article in Special Issue
Transmission Algorithm with QoS Considerations for a Sustainable MPEG Streaming Service
Previous Article in Journal
Topographic Correction of Landsat TM-5 and Landsat OLI-8 Imagery to Improve the Performance of Forest Classification in the Mountainous Terrain of Northeast Thailand
Previous Article in Special Issue
RSSI-Based Distance Estimation Framework Using a Kalman Filter for Sustainable Indoor Computing Environments
Article Menu
Issue 2 (February) cover image

Export Article

Open AccessArticle
Sustainability 2017, 9(2), 262;

Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

Department of Advanced KREONET Security Service, Korea Institute of Science and Technology Information, Daejeon 34141, Korea
School of Information Technology Eng., Catholic University of Daegu, Gyeongbuk 38430, Korea
Department of Construction Legal Affairs, Kwangwoon University, Seoul 01897, Korea
Author to whom correspondence should be addressed.
Academic Editors: James J. Park and Han-Chieh Chao
Received: 15 December 2016 / Revised: 5 February 2017 / Accepted: 7 February 2017 / Published: 13 February 2017
(This article belongs to the Special Issue Advanced IT based Future Sustainable Computing)
Full-Text   |   PDF [1257 KB, uploaded 13 February 2017]   |  


The darknet (i.e., a set of unused IP addresses) is a very useful solution for observing the global trends of cyber threats and analyzing attack activities on the Internet. Since the darknet is not connected with real systems, in most cases, the incoming packets on the darknet (‘the darknet traffic’) do not contain a payload. This means that we are unable to get real malware from the darknet traffic. This situation makes it difficult for security experts (e.g., academic researchers, engineers, operators, etc.) to identify whether the source hosts of the darknet traffic are infected by real malware or not. In this paper, we present the overall procedure of the in-depth analysis between the darknet traffic and IDS alerts using real data collected at the Science and Technology Cyber Security Center (S&T CSC) in Korea and provide the detailed in-depth analysis results. The ultimate goal of this paper is to provide practical experience, insight and know-how to security experts so that they are able to identify and trace the root cause of the darknet traffic. The experimental results show that correlation analysis between the darknet traffic and IDS alerts is very useful to discover potential attack hosts, especially internal hosts, and to find out what kinds of malware infected them. View Full-Text
Keywords: IDS alerts; darknet traffic; potential attackers; in-depth analysis IDS alerts; darknet traffic; potential attackers; in-depth analysis

Figure 1

This is an open access article distributed under the Creative Commons Attribution License which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited (CC BY 4.0).

Share & Cite This Article

MDPI and ACS Style

Song, J.; Lee, Y.; Choi, J.-W.; Gil, J.-M.; Han, J.; Choi, S.-S. Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet. Sustainability 2017, 9, 262.

Show more citation formats Show less citations formats

Note that from the first issue of 2016, MDPI journals use article numbers instead of page numbers. See further details here.

Related Articles

Article Metrics

Article Access Statistics



[Return to top]
Sustainability EISSN 2071-1050 Published by MDPI AG, Basel, Switzerland RSS E-Mail Table of Contents Alert
Back to Top