Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

The darknet (i.e., a set of unused IP addresses) is a very useful solution for observing the global trends of cyber threats and analyzing attack activities on the Internet. Since the darknet is not connected with real systems, in most cases, the incoming packets on the darknet (‘the darknet traffic’) do not contain a payload. This means that we are unable to get real malware from the darknet traffic. This situation makes it difficult for security experts (e.g., academic researchers, engineers, operators, etc.) to identify whether the source hosts of the darknet traffic are infected by real malware or not. In this paper, we present the overall procedure of the in-depth analysis between the darknet traffic and IDS alerts using real data collected at the Science and Technology Cyber Security Center (S&T CSC) in Korea and provide the detailed in-depth analysis results. The ultimate goal of this paper is to provide practical experience, insight and know-how to security experts so that they are able to identify and trace the root cause of the darknet traffic. The experimental results show that correlation analysis between the darknet traffic and IDS alerts is very useful to discover potential attack hosts, especially internal hosts, and to find out what kinds of malware infected them.

[1]  Hiroki Takakura,et al.  A Generalized Feature Extraction Scheme to Detect 0-Day Attacks via IDS Alerts , 2008, 2008 International Symposium on Applications and the Internet.

[2]  Tao Ban,et al.  Detection of DDoS Backscatter Based on Traffic Features of Darknet TCP Packets , 2014, 2014 Ninth Asia Joint Conference on Information Security.

[3]  Koji Nakao,et al.  Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring , 2009, IEICE Trans. Inf. Syst..

[4]  Mourad Debbabi,et al.  Inferring distributed reflection denial of service attacks from darknet , 2015, Comput. Commun..

[5]  F. Jahanian,et al.  Practical Darknet Measurement , 2006, 2006 40th Annual Conference on Information Sciences and Systems.

[6]  Chih-Fong Tsai,et al.  CANN: An intrusion detection system based on combining cluster centers and nearest neighbors , 2015, Knowl. Based Syst..

[7]  Jun Gao,et al.  Online Adaboost-Based Parameterized Methods for Dynamic Distributed Network Intrusion Detection , 2014, IEEE Transactions on Cybernetics.

[8]  Farnam Jahanian,et al.  The Internet Motion Sensor - A Distributed Blackhole Monitoring System , 2005, NDSS.

[9]  Mostafa Gadal-Haqq M. Mostafa,et al.  Distributed and Scalable Intrusion Detection System Based on Agents and Intelligent Techniques , 2010, J. Inf. Process. Syst..

[10]  Sang-Soo Choi,et al.  A model of analyzing cyber threats trend and tracing potential attackers based on darknet traffic , 2014, Secur. Commun. Networks.

[11]  Koji Nakao,et al.  nicter: a large-scale network incident analysis system: case studies for understanding threat landscape , 2011, BADGERS '11.

[12]  Siyang Zhang,et al.  A novel hybrid KPCA and SVM with GA model for intrusion detection , 2014, Appl. Soft Comput..

[13]  nbspShaik Bhanu,et al.  Analysis of SSH attacks of Darknet using Honeypots , 2014 .

[14]  Kensuke Fukuda,et al.  Towards a taxonomy of darknet traffic , 2014, 2014 International Wireless Communications and Mobile Computing Conference (IWCMC).

[15]  Ruibin Zhang,et al.  Malicious Events Grouping via Behavior Based Darknet Traffic Flow Analysis , 2017, Wirel. Pers. Commun..

[16]  Dorothy E. Denning,et al.  An Intrusion-Detection Model , 1987, IEEE Transactions on Software Engineering.

[17]  Elijah Blessing Rajsingh,et al.  ColShield: an effective and collaborative protection shield for the detection and prevention of collaborative flooding of DDoS attacks in wireless mesh networks , 2014, Human-centric Computing and Information Sciences.

[18]  Francisco Herrera,et al.  On the combination of genetic fuzzy systems and pairwise learning for improving detection rates on Intrusion Detection Systems , 2015, Expert Syst. Appl..

[19]  Byung-Joo Kim,et al.  Robust Real-time Intrusion Detection System , 2005, J. Inf. Process. Syst..

[20]  Runhe Huang,et al.  A study on association rule mining of darknet big data , 2015, 2015 International Joint Conference on Neural Networks (IJCNN).

[21]  Stefan Savage,et al.  Network Telescopes: Technical Report , 2004 .

[22]  J. Meigs,et al.  WHO Technical Report , 1954, The Yale Journal of Biology and Medicine.