Characterising the Evolution in Scanning Activity of Suspicious Hosts

The early detection of multistage attacks like DDoS and coordinated spamming poses a major challenge for existing countermeasures based on reactive blacklists. One approach to addressing this challenge would be to profile hosts that engage in scanning activity and predict their future actions. However, this requires understanding how hosts evolve their scanning behaviour. To address this issue, we analysed logs from the DShield repository of globally distributed IDS alerts corresponding to the first 15 days of January 2005. We first clustered hosts using similarities in the spatial breadth (targeted DShield subscribers) and depth (targeted destination ports) of their scanning activity during aggregation intervals of one day at a time. We then analysed temporal properties like popularity, volatility, lifetime and transition of these clusters to infer how they evolved over time. We found persistent clusters with stable sizes. However, they were highly volatile, with a consistent turnover of hosts every day. This was caused by the lifetime of hosts in each cluster mostly being one day. Nevertheless, we came across a non-trivial number of hosts that appeared every day while belonging to the same cluster or transitioning from one cluster to another. Based on these findings, it is plausible that suspicious hosts can be profiled for long periods of time to predict an imminent multistage attack.
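The following is an added illustrative example, not code from the paper. It shows the analysis pipeline the abstract describes on a few constructed DShield-style alert records: per-day features for each source host (breadth = distinct targeted subscribers, depth = distinct destination ports), assignment to a cluster, and then the temporal measures (cluster size per day, daily turnover as a volatility proxy, host lifetime in days, and cluster-to-cluster transitions). The cluster rule is a simple threshold assumption standing in for the paper's similarity-based clustering; the alert tuples, host addresses and subscriber ids are constructed.

```python
from collections import defaultdict

# Constructed sample alerts: (day, source_host, targeted_subscriber_id, dest_port).
# Day numbers stand for aggregation intervals of one day, as in the abstract.
ALERTS = [
    (1, "10.0.0.1", "sub-A", 445), (1, "10.0.0.1", "sub-B", 445), (1, "10.0.0.1", "sub-C", 445),
    (1, "10.0.0.2", "sub-A", 22),  (1, "10.0.0.2", "sub-A", 80),  (1, "10.0.0.2", "sub-A", 443),
    (1, "10.0.0.3", "sub-A", 135),
    (2, "10.0.0.1", "sub-A", 445), (2, "10.0.0.1", "sub-D", 445), (2, "10.0.0.1", "sub-E", 445),
    (2, "10.0.0.2", "sub-B", 22),  (2, "10.0.0.2", "sub-C", 22),  (2, "10.0.0.2", "sub-D", 22),
    (2, "10.0.0.4", "sub-A", 135),
    (3, "10.0.0.1", "sub-A", 445), (3, "10.0.0.1", "sub-B", 445), (3, "10.0.0.1", "sub-F", 445),
    (3, "10.0.0.5", "sub-A", 3306),
]


def daily_features(alerts):
    """Per (day, host): breadth = distinct subscribers hit, depth = distinct ports hit."""
    targets = defaultdict(set)
    ports = defaultdict(set)
    for day, host, target, port in alerts:
        targets[(day, host)].add(target)
        ports[(day, host)].add(port)
    return {k: (len(targets[k]), len(ports[k])) for k in targets}


def assign_cluster(breadth, depth):
    """Assumed threshold rule (not the paper's method) mapping features to a cluster label."""
    if breadth >= 3 and depth == 1:
        return "wide-shallow"   # many subscribers, a single port: horizontal sweep
    if breadth == 1 and depth >= 3:
        return "narrow-deep"    # one subscriber, many ports: vertical scan
    return "low-activity"


def daily_clusters(alerts):
    """day -> cluster label -> set of hosts that fell into that cluster on that day."""
    out = defaultdict(lambda: defaultdict(set))
    for (day, host), (breadth, depth) in daily_features(alerts).items():
        out[day][assign_cluster(breadth, depth)].add(host)
    return out


def cluster_sizes(clusters):
    """Popularity of each cluster per day (number of member hosts)."""
    return {day: {c: len(h) for c, h in cs.items()} for day, cs in clusters.items()}


def turnover(clusters, cluster, day):
    """Volatility proxy: fraction of today's members that were not members the day before."""
    today = clusters.get(day, {}).get(cluster, set())
    yesterday = clusters.get(day - 1, {}).get(cluster, set())
    if not today:
        return 0.0
    return len(today - yesterday) / len(today)


def host_lifetimes(clusters):
    """host -> number of distinct days on which the host appeared in any cluster."""
    days = defaultdict(set)
    for day, cs in clusters.items():
        for hosts in cs.values():
            for host in hosts:
                days[host].add(day)
    return {host: len(d) for host, d in days.items()}


def transitions(clusters):
    """(cluster_yesterday, cluster_today) -> count, over hosts seen on consecutive days."""
    membership = {}
    for day, cs in clusters.items():
        for cluster, hosts in cs.items():
            for host in hosts:
                membership[(day, host)] = cluster
    counts = defaultdict(int)
    for (day, host), cluster in membership.items():
        previous = membership.get((day - 1, host))
        if previous is not None:
            counts[(previous, cluster)] += 1
    return dict(counts)


if __name__ == "__main__":
    clusters = daily_clusters(ALERTS)
    print("sizes per day:", cluster_sizes(clusters))
    for day in (2, 3):
        print(f"day {day} wide-shallow turnover:", turnover(clusters, "wide-shallow", day))
    print("host lifetimes (days):", host_lifetimes(clusters))
    print("transitions:", transitions(clusters))
```

On this toy input the "wide-shallow" cluster is present every day with a size of one or two, its turnover on day 2 is 0.5 and on day 3 is 0.0, most hosts have a lifetime of a single day, and one host (10.0.0.2) persists for two days while moving from "narrow-deep" to "wide-shallow"; these are exactly the kinds of persistence, volatility, lifetime and transition signals the abstract reports at scale.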
