Countermeasures against Darknet Localisation Attacks with Packet Sampling

The darknet monitoring system consists of network sensors widely deployed on the Internet to capture incoming unsolicited packets. A goal of this system is to analyse captured malicious packets and provide effective information to protect regular non-malicious Internet users from malicious activities. To provide effective and reliable information, the location of sensors must be concealed. However, attackers launch localisation attacks to detect sensors in order to evade them. If the actual location of sensors is revealed, it is almost impossible to identify the latest tactics used by attackers. Thus, in a previous study, we proposed a packet sampling method, which samples incoming packets based on an attribute of the packet sender, to increase tolerance to a localisation attack and maintain the quality of information publicised by the system. We were successful in countering localisation attacks, which generate spikes on the publicised graph to detect a sensor. However, in some cases, with the previously proposed sampling method, spikes were clearly evident on the graph. Therefore, in this paper, we propose advanced sampling methods such that incoming packets are sampled based on multiple attributes of the packet sender. We present our improved methods and show promising evaluation results obtained via a simulation.