Utilizing Network Science and Honeynets for Software Induced Cyber Incident Analysis

Increasing situational awareness and investigating the cause of a software-induced cyber attack continues to be one of the most difficult yet important endeavors faced by network security professionals. Traditionally, these forensic pursuits are carried out by manually analyzing the malicious software agents at the heart of the incident, and then observing their interactions in a controlled environment. Both these steps are time consuming and difficult to maintain due to the ever changing nature of malicious software. In this paper we introduce a network science based framework which conducts incident analysis on a dataset by constructing and analyzing relational communities. Construction of these communities is based on the connections of topological features formed when actors communicate with each other. We evaluate our framework using a network trace of the Black Energy malware network, captured by our honey net. We have found that our approach is accurate, efficient, and could prove as a viable alternative to the current status quo.

[1]  Ali A. Ghorbani,et al.  Botnet detection based on traffic behavior analysis and flow intervals , 2013, Comput. Secur..

[2]  Yi Pan,et al.  A Fast Hierarchical Clustering Algorithm for Functional Modules Discovery in Protein Interaction Networks , 2011, IEEE/ACM Transactions on Computational Biology and Bioinformatics.

[3]  Patrick J. Wolfe,et al.  Null models for network data , 2012, ArXiv.

[4]  T. Vicsek,et al.  Uncovering the overlapping community structure of complex networks in nature and society , 2005, Nature.

[5]  Christopher Krügel,et al.  A survey on automated dynamic malware-analysis techniques and tools , 2012, CSUR.

[6]  Wei Lu,et al.  Mining Botnet Behaviors on the Large-Scale Web Application Community , 2013, 2013 27th International Conference on Advanced Information Networking and Applications Workshops.

[7]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[8]  Michael Garland,et al.  Social Network Clustering and Visualization using Hierarchical Edge Bundles , 2011, Comput. Graph. Forum.

[9]  Andrea Lancichinetti,et al.  Community detection algorithms: a comparative analysis: invited presentation, extended abstract , 2009, VALUETOOLS.

[10]  Guofei Gu,et al.  BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic , 2008, NDSS.

[11]  Ricardo J. Rodríguez,et al.  Detection of Intrusions and Malware, and Vulnerability Assessment , 2016, Lecture Notes in Computer Science.

[12]  Loet Leydesdorff,et al.  In search of a network theory of innovations: Relations, positions, and perspectives , 2013, J. Assoc. Inf. Sci. Technol..

[13]  David Dittrich,et al.  So You Want to Take Over a Botnet , 2012, LEET.

[14]  Marcelo R. Campo,et al.  Survey on network-based botnet detection methods , 2014, Secur. Commun. Networks.

[15]  Martin Rosvall,et al.  An information-theoretic framework for resolving community structure in complex networks , 2007, Proceedings of the National Academy of Sciences.

[16]  Santo Fortunato,et al.  Community detection in graphs , 2009, ArXiv.

[17]  Felix C. Freiling,et al.  Sandnet: network traffic analysis of malicious software , 2011, BADGERS '11.

[18]  Vlado Keselj,et al.  N-gram-based detection of new malicious code , 2004, Proceedings of the 28th Annual International Computer Software and Applications Conference, 2004. COMPSAC 2004..

[19]  Michael K. Reiter,et al.  Traffic Aggregation for Malware Detection , 2008, DIMVA.

[20]  Boleslaw K. Szymanski,et al.  Overlapping community detection in networks: The state-of-the-art and comparative study , 2011, CSUR.