Multi-label Classification of Hosts Observed through a Darknet.

NOMS(2023)

Abstract
To observe compromised hosts at Internet scale, a darknet or network telescope collects Internet background radiation that includes large-scale phenomena like DDoS (Distributed Denial-of-Service) or scanning. Gathered data is, however, very partial, and labeling such traffic with precise activities using external databases is far from satisfactory (8.4% of IP addresses in our case). In addition, as compromised hosts are used for multiple malicious activities, they cannot be assigned to a single category. We propose in this paper a new multi-label classification method that represents the traffic generated by a host as a graph and leverages machine learning algorithms (node embedding and Graph Convolutional Networks). From partial information about IP addresses, our method can label addresses with a precision of 0.80 and recall of 0.81.
Keywords
darknet, DDoS, Distributed Denial-of-Service, external databases, graph convolutional networks, Internet background radiation, IP address, large-scale phenomena, machine learning algorithms, multilabel classification, multiple malicious activities, network telescope, node embedding, partial information