A Characterization of Cybersecurity Posture from Network Telescope Data

Data-driven understanding of cybersecurity posture is an important problem that has not been adequately explored. In this paper, we analyze real data collected by CAIDA's network telescope during the month of March 2013. We propose to formalize the concept of cybersecurity posture from the perspective of three kinds of time series: the number of victims (i.e., telescope IP addresses that are attacked), the number of attackers observed by the telescope, and the number of attacks observed by the telescope. Characterizing cybersecurity posture therefore amounts to investigating the phenomena and statistical properties exhibited by these time series, and explaining their cybersecurity meaning. For example, we propose the concept of sweep-time, and show that sweep-time should be modeled as a stochastic process rather than as a random variable. We report that the number of attackers and attacks from a certain country dominates the total number of attackers and attacks observed by the telescope. We also show that substantially smaller network telescopes might not be as useful as a large telescope.
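The three time series named in the abstract (victims, attackers, attacks per time bucket) can be built directly from a darknet packet log. The following Python is an added illustration and is not code from the paper or from CAIDA; the packet log is constructed, a /24 of the TEST-NET-1 range stands in for the telescope's address space, and a /26 inside it plays the role of a "substantially smaller" telescope so that the abstract's last claim can be observed on the sample: a source that only probes addresses outside the smaller block is never counted by it.

```python
"""Added example (not from the paper): build the three posture time series the
abstract describes from a constructed darknet packet log, and compare what a
full telescope sees with what a smaller sub-block of it sees."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Assumption: a /24 of TEST-NET-1 stands in for the telescope's address space.
TELESCOPE = ipaddress.ip_network("192.0.2.0/24")
# Assumption: a /26 inside it plays the role of a "substantially smaller" telescope.
SMALL_TELESCOPE = ipaddress.ip_network("192.0.2.0/26")


@dataclass(frozen=True)
class Packet:
    ts: int        # seconds since the start of the capture
    src: str       # source address (the "attacker")
    dst: str       # telescope address hit (the "victim")
    dst_port: int


def make_sample() -> list[Packet]:
    """Constructed sample traffic: three sources, chosen so that one of them
    touches only addresses outside the smaller telescope."""
    pkts = []
    # source A sweeps 192.0.2.0 .. 192.0.2.199 at one address per second
    for i in range(200):
        pkts.append(Packet(i, "198.51.100.10", f"192.0.2.{i}", 445))
    # source B revisits one address every 30 s for ten minutes
    for t in range(0, 600, 30):
        pkts.append(Packet(t, "203.0.113.7", "192.0.2.5", 22))
    # source C probes two addresses near the top of the /24, once, at t=100
    pkts.append(Packet(100, "203.0.113.99", "192.0.2.250", 80))
    pkts.append(Packet(100, "203.0.113.99", "192.0.2.251", 80))
    return pkts


def posture_series(packets, network=TELESCOPE, bucket=60):
    """Per time bucket, return (victims, attackers, attacks): distinct
    telescope addresses hit, distinct sources, and total packets."""
    victims = defaultdict(set)
    attackers = defaultdict(set)
    attacks = defaultdict(int)
    for p in packets:
        if ipaddress.ip_address(p.dst) not in network:
            continue   # the packet would never reach a telescope of this size
        b = p.ts // bucket
        victims[b].add(p.dst)
        attackers[b].add(p.src)
        attacks[b] += 1
    return {b: (len(victims[b]), len(attackers[b]), attacks[b])
            for b in sorted(attacks)}


def attackers_seen(packets, network=TELESCOPE) -> set[str]:
    """All sources observed over the whole capture by a telescope of this size."""
    return {p.src for p in packets if ipaddress.ip_address(p.dst) in network}


if __name__ == "__main__":
    sample = make_sample()
    for label, net in (("full /24", TELESCOPE), ("small /26", SMALL_TELESCOPE)):
        series = posture_series(sample, net)
        print(f"{label}: sources seen = {sorted(attackers_seen(sample, net))}")
        for b, (v, a, n) in series.items():
            print(f"  minute {b:2d}: victims={v:3d} attackers={a} attacks={n:3d}")
```

With a one-minute bucket the full /24 records three distinct sources in minute 1, while the /26 records only two for that minute and never sees source C at all; the victim counts of the smaller block also collapse once the sweep moves past its top address, which is the kind of loss of visibility the abstract's closing claim refers to.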
