Detection of zero-day attacks: An unsupervised port-based approach
Computer Networks ( IF 5.6 ) Pub Date : 2020-07-04 , DOI: 10.1016/j.comnet.2020.107391
Agathe Blaise , Mathieu Bouet , Vania Conan , Stefano Secci

Recent years have witnessed more and more DDoS attacks on high-profile websites, such as the Mirai botnet attack in September 2016 or, more recently, the memcached attack in March 2018, this time with no botnet required. Neither outbreak was detected or mitigated while it was spreading, but only at the time it happened. Such attacks are generally preceded by several stages, including infection of hosts or device fingerprinting; being able to capture this activity would allow their early detection. In this paper, we propose a technique for the early detection of emerging botnets and newly exploited vulnerabilities, which consists of (i) splitting the detection process over different network segments and retaining only distributed anomalies, and (ii) monitoring at the port level with a simple yet efficient change-detection algorithm based on a modified Z-score measure. We argue that our technique, named Split-and-Merge, can ensure the detection of large-scale zero-day attacks and drastically reduce false positives. We apply the method to two datasets: the MAWI dataset, which provides daily traffic traces of a transpacific backbone link, and the UCSD Network Telescope dataset, which contains unsolicited traffic mainly coming from botnet scans. The assumption of a normal distribution, for which the Z-score computation makes sense, is verified through empirical measures. We also show that the solution generates very few alerts; an extensive evaluation over the last three years allows us to identify major attacks (including Mirai and memcached) that current Intrusion Detection Systems (IDSs) have not seen. Finally, we classify detected known and unknown anomalies to give additional insights about them.
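The abstract describes the two phases of Split-and-Merge in words only. The following Python sketch is an added illustration and is not the authors' code: it assumes the median/MAD form of the modified Z-score (0.6745 * (x - median) / MAD), an alert threshold of 3.5, a "distributed" anomaly meaning one flagged in at least two segments in the same window, and a small constructed set of per-segment, per-port counts. In the constructed data a spike on port 23 appears in all three segments and survives the merge, while a spike on port 80 in a single segment is discarded as a local anomaly; the constant port 11211 series exercises the zero-MAD edge case.

```python
"""Toy Split-and-Merge style port-level change detection.

Added example, not the paper's implementation. Assumptions (not taken from the
abstract): modified Z-score M = 0.6745 * (x - median) / MAD, alert threshold 3.5,
and an anomaly is kept only when >= MIN_SEGMENTS segments flag the same port.
"""
from statistics import median
from typing import Dict, List, Set

THRESHOLD = 3.5   # assumed alert threshold on |modified Z-score|
MIN_SEGMENTS = 2  # assumed: a port must be flagged in >= 2 segments to be "distributed"

# Constructed sample: per segment, per destination port, counts of new flows per
# window; the last element of each list is the window under test.
SAMPLE_COUNTS: Dict[str, Dict[int, List[int]]] = {
    "segment-A": {
        23: [40, 42, 39, 41, 40, 43, 38, 40, 400],      # spike (distributed)
        80: [500, 510, 495, 505, 498, 502, 507, 499, 503],
        11211: [5, 6, 5, 5, 4, 6, 5, 5, 5],
    },
    "segment-B": {
        23: [30, 31, 29, 30, 32, 30, 29, 31, 350],      # spike (distributed)
        80: [300, 305, 298, 302, 301, 299, 303, 300, 1200],  # spike in one segment only
        11211: [2, 2, 3, 2, 2, 2, 3, 2, 2],
    },
    "segment-C": {
        23: [55, 53, 56, 54, 55, 57, 54, 55, 600],      # spike (distributed)
        80: [700, 702, 698, 705, 699, 701, 703, 700, 702],
        11211: [0, 0, 0, 0, 0, 0, 0, 0, 0],             # constant series: MAD == 0
    },
}


def modified_zscore(history: List[float], x: float) -> float:
    """Modified Z-score of the latest count x against a port's past counts."""
    med = median(history)
    mad = median(abs(v - med) for v in history)
    if mad > 0:
        return 0.6745 * (x - med) / mad
    # MAD is zero when more than half of the history is identical. Fall back to
    # the mean absolute deviation, and to a plain comparison if that is zero too.
    mean_ad = sum(abs(v - med) for v in history) / len(history)
    if mean_ad > 0:
        return 1.253314 * (x - med) / mean_ad
    return float("inf") if x != med else 0.0


def split_detect(segment_counts: Dict[str, Dict[int, List[int]]]) -> Dict[str, Set[int]]:
    """Split phase: every segment flags ports independently, using only its own history."""
    flagged: Dict[str, Set[int]] = {}
    for seg, ports in segment_counts.items():
        flagged[seg] = set()
        for port, series in ports.items():
            history, latest = series[:-1], series[-1]
            if abs(modified_zscore(history, latest)) > THRESHOLD:
                flagged[seg].add(port)
    return flagged


def merge(flagged: Dict[str, Set[int]], min_segments: int = MIN_SEGMENTS) -> Set[int]:
    """Merge phase: keep only ports flagged in at least min_segments segments."""
    votes: Dict[int, int] = {}
    for ports in flagged.values():
        for port in ports:
            votes[port] = votes.get(port, 0) + 1
    return {port for port, n in votes.items() if n >= min_segments}


if __name__ == "__main__":
    per_segment = split_detect(SAMPLE_COUNTS)
    for seg, ports in per_segment.items():
        print(f"{seg}: local anomalies on ports {sorted(ports)}")
    print("distributed anomalies after merge:", sorted(merge(per_segment)))
```

Running the script prints that segment-B alone flags port 80 while all three segments flag port 23, and that only port 23 survives the merge. The fallback in `modified_zscore` matters in practice: many ports see near-constant (often zero) traffic, and a naive division by MAD would either crash or flag every tiny change.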




Updated: 2020-07-06