Quantifying the Accuracy of Small Subnet-Equivalent Sampling of IPv4 Internet Background Radiation Datasets

Network telescopes have been used for over a decade to aid in identifying threats by gathering unsolicited network traffic. This Internet Background Radiation (IBR) data has proved to be a significant source of intelligence in combating emerging threats on the Internet at large. Traditionally, operation has required a significant contiguous block of IP addresses. Continued operation of such sensors by researchers, and their adoption by organisations as part of their operational intelligence, is becoming a challenge due to the global shortage of IPv4 addresses. The pressure is on to use allocated IP addresses for operational purposes. Future use of IBR collection methods is likely to be limited to smaller IP address pools, which may not be contiguous. This paper offers a first step towards evaluating the feasibility of such small sensors. An evaluation is conducted of the random sampling of various subnet-sized equivalents. The accuracy of observable data is compared against a traditional 'small' IPv4 network telescope using a /24 net-block. Results show that for much of the IBR data, sensors consisting of smaller, non-contiguous blocks of addresses are able to achieve high accuracy rates versus the base case. While the results were obtained given the current nature of IBR, they prove the viability for organisations to utilise free IP addresses within their networks for IBR collection and ultimately the production of threat intelligence.
