Network operators and system administrators are increasingly overwhelmed with incessant cyber-security threats ranging from malicious network reconnaissance to attacks such as distributed denial of service and data breaches. A large number of these attacks could be prevented if network operators were better equipped with threat intelligence that allowed them to block or throttle nefarious scanning activity. Network telescopes, or "darknets", offer a unique window for observing Internet-wide scanners and other malicious entities, and they can provide early-warning signals to operators that are critical for infrastructure protection and attack mitigation. A network telescope consists of unused or "dark" IP address space that serves no users; since no legitimate traffic should ever arrive there, it passively observes any Internet traffic destined to the "telescope sensor" in order to record ubiquitous network scanners, malware that forages for vulnerable devices, and other dubious activity. Hence, monitoring network telescopes for timely detection of coordinated and heavy scanning activity is an important, albeit challenging, task. The challenges arise mainly from the non-stationarity and dynamic nature of Internet traffic and, more importantly, from the fact that one needs to monitor high-dimensional signals (e.g., all TCP/UDP ports) to search for "sparse" anomalies. We propose statistical methods that address both challenges in an efficient and "online" manner; our work is validated with both synthetic data and real-world data from a large network telescope.
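To make the monitoring problem concrete, the following is an added illustrative example, not the paper's proposed method or code: it bins constructed darknet records into fixed intervals, turns each interval into a high-dimensional per-port signal (distinct source addresses per destination port), and runs a simple online detector that keeps a per-port exponentially weighted baseline so it adapts to non-stationary background noise while flagging the few ports whose source count suddenly departs from it. The sample records, the 60-second bin length, the smoothing factor and the alert thresholds are all assumptions chosen for the demonstration.

```python
import math
from collections import defaultdict

# Constructed sample records, not real telescope data: (time_sec, src_ip, dst_port).
# Ten 60-second bins of low-rate background noise on a handful of ports, plus a
# burst in bins 8 and 9 where 40 distinct sources probe port 5555.
def make_sample_records():
    recs = []
    for b in range(10):
        for p in (22, 23, 80, 443, 3389, 8080):
            for k in range(3):
                recs.append((b * 60 + k * 10, f"198.51.100.{(p + k) % 256}", p))
    for b in (8, 9):
        for k in range(40):
            recs.append((b * 60 + k, f"203.0.113.{k}", 5555))
    return recs


def bin_records(records, bin_len):
    """Return one dict per bin mapping dst_port -> number of distinct sources.

    Distinct sources, rather than raw packets, are used so that a single noisy
    host cannot trigger the detector; a coordinated scan shows up as many
    sources converging on one port."""
    per_bin = defaultdict(lambda: defaultdict(set))
    for t, src, port in records:
        per_bin[int(t // bin_len)][port].add(src)
    last = max(per_bin) if per_bin else -1
    return [{p: len(s) for p, s in per_bin[b].items()} for b in range(last + 1)]


class OnlinePortDetector:
    """Online per-port anomaly detector over a high-dimensional port signal.

    Each port carries an exponentially weighted mean/variance (alpha controls
    how fast the baseline tracks drift). A port is flagged when its count is
    both large in absolute terms (min_sources) and far above its baseline in
    standard-deviation units (z_thresh); only flagged ports are reported, so the
    output is sparse even though every port is tracked."""

    def __init__(self, alpha=0.2, z_thresh=4.0, min_sources=10):
        self.alpha = alpha          # assumed smoothing factor
        self.z_thresh = z_thresh    # assumed z-score threshold
        self.min_sources = min_sources  # assumed absolute floor for an alert
        self.mean = defaultdict(float)
        self.var = defaultdict(float)
        self.seen = defaultdict(int)

    def update(self, counts):
        alerts = []
        # Ports seen before but absent now are scored as zero, so the baseline decays.
        for port in set(self.mean) | set(counts):
            x = counts.get(port, 0)
            n = self.seen[port]
            mean, var = self.mean[port], self.var[port]
            # Floor the spread at sqrt(mean) (Poisson-like noise) and at 1, so a
            # perfectly quiet port does not divide by zero and a port that has
            # never been touched is scored against a baseline of zero.
            sd = max(math.sqrt(var), math.sqrt(mean), 1.0)
            z = (x - mean) / sd
            if x >= self.min_sources and z >= self.z_thresh:
                alerts.append((port, x, round(z, 1)))
                x_fit = mean + 3 * sd   # clip so the burst does not poison the baseline
            else:
                x_fit = x
            if n == 0:
                self.mean[port], self.var[port] = float(x_fit), 0.0
            else:
                a = self.alpha
                delta = x_fit - mean
                self.mean[port] = mean + a * delta
                self.var[port] = (1 - a) * (var + a * delta * delta)
            self.seen[port] = n + 1
        return alerts


def detect(records, bin_len=60):
    """Run the detector over binned records; returns (bin, port, sources) alerts."""
    det = OnlinePortDetector()
    out = []
    for i, counts in enumerate(bin_records(records, bin_len)):
        for port, x, _z in det.update(counts):
            out.append((i, port, x))
    return out


if __name__ == "__main__":
    for b, port, x in detect(make_sample_records()):
        print(f"bin {b}: port {port} hit by {x} distinct sources")
```

On the constructed input the background ports never alert, while port 5555 is reported in bins 8 and 9 and only there; the clipped baseline update is what keeps the second burst bin from being absorbed as the "new normal". In practice one would replace the per-port distinct-source count with whatever per-port or per-port-pair statistic the telescope exports, and tune the thresholds against a quiet period of real data.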