Behavioral Service Graphs: A Big Data Approach for Prompt Investigation of Internet-Wide Infections

The task of generating network-based evidence to support network forensic investigation is becoming increasingly prominent. Such evidence is critically important: it can be used not only to diagnose and respond to various network-related issues (e.g., performance bottlenecks, routing problems) but, more importantly, to infer and further investigate network security intrusions and infections. In this context, this paper proposes a proactive approach that aims at generating accurate and actionable network-based evidence related to groups of compromised network machines. The approach is intended to guide investigators to promptly pinpoint such malicious groups for possible immediate mitigation, and to empower network and digital forensic specialists to further examine those machines using auxiliary collected data or extracted digital artifacts. On one hand, the promptness of the approach is achieved by monitoring and correlating perceived probing activities, which are typically the very first signs of an infection or misbehavior. On the other hand, the generated evidence is accurate because it is based on an anomaly inference that fuses big data behavioral analytics with formal graph-theoretical concepts. We evaluate the proposed approach as a global capability in a security operations center. The empirical evaluations, which employ 80 GB of real darknet traffic, demonstrate the accuracy, effectiveness and simplicity of the generated network-based evidence.
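The core idea of correlating darknet probing activity into groups of likely compromised machines can be illustrated with a small behavioral graph. The following is an added example written for this page, not the paper's own method or code: the probe records are constructed, and the choice of a per-source probed-service profile, Jaccard similarity as the edge criterion, the 0.5 threshold and the connected-component grouping are all assumptions made for the illustration.

```python
from collections import defaultdict
from itertools import combinations

# Constructed darknet probe records: (source_ip, destination_port, timestamp).
# Addresses are from documentation ranges; values are illustrative only.
PROBES = [
    ("198.51.100.10", 445, 100), ("198.51.100.10", 3389, 105), ("198.51.100.10", 22, 110),
    ("198.51.100.11", 445, 101), ("198.51.100.11", 3389, 104), ("198.51.100.11", 22, 111),
    ("198.51.100.12", 445, 102), ("198.51.100.12", 3389, 106),
    ("203.0.113.5", 80, 500), ("203.0.113.5", 8080, 505),
    ("203.0.113.6", 80, 501), ("203.0.113.6", 8080, 504),
    ("192.0.2.77", 23, 900),
]

def service_profiles(probes):
    """Behavioral profile of each probing source: the set of services it targeted."""
    profiles = defaultdict(set)
    for src, port, _ in probes:
        profiles[src].add(port)
    return profiles

def jaccard(a, b):
    """Similarity of two service sets (assumed edge criterion)."""
    return len(a & b) / len(a | b) if a | b else 0.0

def build_behavioral_graph(profiles, threshold=0.5):
    """Undirected graph: an edge links two sources whose probing behavior is similar."""
    graph = {src: set() for src in profiles}
    for a, b in combinations(profiles, 2):
        if jaccard(profiles[a], profiles[b]) >= threshold:
            graph[a].add(b)
            graph[b].add(a)
    return graph

def connected_components(graph):
    """Groups of sources that are transitively linked by similar behavior."""
    seen, groups = set(), []
    for start in graph:
        if start in seen:
            continue
        stack, comp = [start], set()
        while stack:
            node = stack.pop()
            if node not in comp:
                comp.add(node)
                stack.extend(graph[node] - comp)
        seen |= comp
        groups.append(frozenset(comp))
    return groups

def infer_probing_groups(probes, threshold=0.5, min_size=2):
    """Return candidate coordinated groups (largest first); singletons are not evidence."""
    groups = connected_components(build_behavioral_graph(service_profiles(probes), threshold))
    return sorted((sorted(g) for g in groups if len(g) >= min_size), key=len, reverse=True)

def evidence_for(group, probes):
    """Actionable summary for one group: members, shared services, observation window."""
    rows = [p for p in probes if p[0] in group]
    shared = set.intersection(*service_profiles(rows).values())
    times = [t for _, _, t in rows]
    return {"members": sorted(group), "shared_services": sorted(shared),
            "window": (min(times), max(times))}
```

On the constructed records this yields two groups (three hosts sharing SMB/RDP/SSH probing and two hosts sharing HTTP probing) while the lone Telnet prober stays unlinked; on real darknet data the similarity measure and threshold would need tuning against the traffic volume.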
