DARK-KERNEL: Design and Implementation of a Kernel Level Active Darknet Sensor


Research field: Safety



Conference: EICC '22: Proceedings of the 2022 European Interdisciplinary Cybersecurity Conference


Abstract

Darknet traffic is defined as the network traffic arriving at a network with destination IP addresses that are allocated to the network but are not assigned to any device. Darknet monitoring is an unsubstantiated way to observe cyberspace activities through active or passive monitoring. In passive monitoring, packets are passively observed and analyzed. In active monitoring, the monitoring machines (darknet sensors) also respond to the traffic, actively engaging the attackers to determine whether the source of the traffic is spoofed. Darknet network traffic also contains valuable forensic information about malware and attack patterns. However, passive darknet monitoring is ineffective for developing threat intelligence because it captures packets from various spoofed IP addresses and cannot distinguish them from regular traffic. Therefore, one needs to validate incoming packet addresses in active mode to collect real threat intelligence. This paper implements a darknet sensor made active by altering the network stack of a Linux kernel to collect and store all darknet traffic arriving at it and to further validate TCP packets in order to filter out source IP address spoofing. To achieve this, we undertake systematic tracing of the kernel source code, identifying and modifying specific sections of it with the goals of making the sensor an effective active darknet sensor and minimizing the latency it introduces.


Authors

Sandeep Kumar Shukla, Indian Institute of Technology Kanpur, India

Venkata Sai Putrevu, Indian Institute of Technology Kanpur, India

Goutham Ratnakaram, Cisco System India Pvt. Ltd., India

Paper information

Publication year: 2022
Citations: 0
Country of publication: India
Site: ACM
Likes: 0
