A Graph-Based Approach To Rank Network Events In Internet Background Radiation As Collected By The Cloud Telescope

Internet Background Radiation (IBR) refers to the unsolicited traffic directed to Internet-facing devices. The analysis of IBR has helped to detect global threats ranging from malware to botnet spreading activity. The Cloud Telescope has emerged as a geographically distributed variant of the traditional Network Telescope, enabling capture in cloud environments and making it possible to determine how malicious traffic simultaneously affects different regions of the world. Large-scale IBR captures generate high volumes of PCAP data, which are difficult to process through linear pipelines, typically implemented as scripts. New approaches are therefore required to handle large background radiation datasets. This work proposes a graph-based approach to rank network events in IBR. The study examines a dataset of 21 million events collected over a 30-day period. The analysis demonstrates the feasibility of categorizing traffic based on features such as protocol, port, and geographic location. The data pipeline uses an Extraction, Transformation, and Loading (ETL) method that models IBR events as graph data structures, where IP addresses function as vertices and packets as edges. This structural representation facilitates the identification of attack patterns and emerging threats, as well as geographic and geopolitical analyses. The graph-based method uncovered characteristics that are usually not computationally feasible to reveal with standard methods, including country-level radiation emission and reception, countries targeted by top radiation emitters, destinations targeted by top source IP addresses, most attacked IP addresses, and the profiling of one particular botnet propagation pattern of interest: Mirai. Results are provided as raw tabular data, accompanied by Cypher language queries and the resulting graphs.

Antonio Montagner
Federal University of Santa Catarina
Brazil

Fabricio Bortoluzzi
Noroff University College
Norway

Carla Westphall
Federal University of Santa Catarina
Brazil
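
The graph model described in the abstract (IP addresses as vertices, packets as edges) can be sketched in memory as follows. This is an added example, not the authors' pipeline or their Cypher queries: the sample packets, placeholder country codes, and the function names `build_graph`, `rank` and `telnet_fanout` are assumptions, and the Telnet-port check (TCP 23 and 2323, commonly scanned by Mirai) is general background used as a coarse stand-in for the paper's Mirai profiling.

```python
from collections import Counter, defaultdict

# Constructed sample packets (documentation-range IPs, placeholder country codes):
# (src_ip, src_country, dst_ip, dst_country, protocol, dst_port)
EVENTS = [
    ("198.51.100.7", "XA", "203.0.113.10", "XX", "tcp", 23),
    ("198.51.100.7", "XA", "203.0.113.20", "XY", "tcp", 23),
    ("198.51.100.7", "XA", "203.0.113.30", "XZ", "tcp", 2323),
    ("198.51.100.7", "XA", "203.0.113.10", "XX", "tcp", 23),
    ("198.51.100.9", "XB", "203.0.113.10", "XX", "udp", 53),
    ("198.51.100.9", "XB", "203.0.113.10", "XX", "udp", 53),
    ("192.0.2.44",   "XA", "203.0.113.20", "XY", "tcp", 445),
]

def build_graph(events):
    """Load step: IP addresses become vertices, every packet a directed edge."""
    country = {}                  # vertex property: ip -> country code
    edges = defaultdict(list)     # (src, dst) -> [(protocol, port), ...]
    for src, s_cc, dst, d_cc, proto, port in events:
        country[src], country[dst] = s_cc, d_cc
        edges[(src, dst)].append((proto, port))
    return country, edges

def rank(edges, key, top=None):
    """Count packets per group; `key` maps an edge (src, dst) to its group."""
    counts = Counter()
    for edge, packets in edges.items():
        counts[key(edge)] += len(packets)
    return counts.most_common(top)

def telnet_fanout(edges, ports=(23, 2323)):
    """Distinct destinations each source probed on Telnet ports (assumed heuristic)."""
    fanout = defaultdict(set)
    for (src, dst), packets in edges.items():
        if any(proto == "tcp" and port in ports for proto, port in packets):
            fanout[src].add(dst)
    return {src: len(dsts) for src, dsts in fanout.items()}

if __name__ == "__main__":
    country, edges = build_graph(EVENTS)
    print("top emitters:    ", rank(edges, lambda e: e[0], top=2))
    print("most attacked:   ", rank(edges, lambda e: e[1], top=1))
    print("country flows:   ", rank(edges, lambda e: (country[e[0]], country[e[1]])))
    print("emitting nations:", rank(edges, lambda e: country[e[0]]))
    print("telnet fan-out:  ", telnet_fanout(edges))
```

Each ranking named in the abstract is the same aggregation with a different grouping key over the edge set, which is what makes the graph representation convenient compared with one script per question.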