nicter: a large-scale network incident analysis system: case studies for understanding threat landscape

We have been developing the Network Incident analysis Center for Tactical Emergency Response (nicter), whose objective is to detect and identify propagating malwares. The nicter mainly monitors darknet, a set of unused IP addresses, to observe global trends of network threats, while it captures and analyzes malware executables. By correlating the network threats with analysis results of malware, the nicter identifies the root causes (malwares) of the detected network threats. Through a long-term operation of the nicter for more than five years, we have achieved some key findings that would help us to understand the intentions of attackers and the comprehensive threat landscape of the Internet. With a focus on a well-knwon malware, i. e., W32.Downadup, this paper provides some practical case studies with considerations and consequently we could obtain a threat landscape that more than 60% of attacking hosts observed in our dark-net could be infected by W32.Downadup. As an evaluation, we confirmed that the result of the correlation analysis was correct in a rate of 86.18%.

[1]  D. Inoue,et al.  nicter: An Incident Analysis System Toward Binding Network Monitoring with Malware Analysis , 2008, 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing.

[2]  F. Jahanian,et al.  Practical Darknet Measurement , 2006, 2006 40th Annual Conference on Information Sciences and Systems.

[3]  Zhuoqing Morley Mao,et al.  Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware , 2006, International Conference on Dependable Systems and Networks (DSN'06).

[4]  Marc Dacier,et al.  Lessons learned from the deployment of a high-interaction honeypot , 2006, 2006 Sixth European Dependable Computing Conference.

[5]  Felix C. Freiling,et al.  Toward Automated Dynamic Malware Analysis Using CWSandbox , 2007, IEEE Secur. Priv..

[6]  Farnam Jahanian,et al.  The Internet Motion Sensor - A Distributed Blackhole Monitoring System , 2005, NDSS.

[7]  Van-Hau Pham,et al.  on the Advantages of Deploying a Large Scale Distributed Honeypot Platform , 2005 .

[8]  Koji Nakao,et al.  Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring , 2009, IEICE Trans. Inf. Syst..

[9]  Niels Provos,et al.  A Virtual Honeypot Framework , 2004, USENIX Security Symposium.

[10]  Marc Dacier,et al.  Automatic Handling of Protocol Dependencies and Reaction to 0-Day Attacks with ScriptGen Based Honeypots , 2006, RAID.

[11]  Stefan Savage,et al.  Network Telescopes: Technical Report , 2004 .