Monitoring Network Telescopes and Inferring Anomalous Traffic Through the Prediction of Probing Rates

Network reconnaissance is the first step preceding a cyber-attack. Hence, monitoring probing activity is imperative to help security practitioners enhance their awareness of large-scale Internet events or of peculiar events targeting their own network. In this paper, we present a framework for improved and efficient monitoring of the probing activities targeting network telescopes. In particular, we model probing rates, which are a good indicator for measuring the cyber-security risk targeting network services. The approach consists of first inferring groups of network ports sharing similar probing characteristics through a new affinity metric capturing both temporal and semantic similarities between ports. Then, sequences of probing rates targeting similar ports are used as inputs to stacked Long Short-Term Memory (LSTM) neural networks to predict probing rates 1 hour and 1 day in advance. Finally, we describe two monitoring indicators that use the prediction models to infer anomalous probing traffic and to raise early threat warnings. We show that LSTM networks can accurately predict probing rates, outperforming a non-stationary autoregressive model, and we demonstrate that the monitoring indicators are effective in assessing the cyber-security risk related to vulnerability disclosure.
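The pipeline the abstract describes, as an added example that is not the paper's code: hourly probing rates are aggregated per destination port from constructed darknet packet arrivals, ports are grouped by the temporal part of an affinity metric (Pearson correlation of their rate series over a history window; the paper's semantic component is not reproduced), and a forecast-residual indicator flags an hour whose observed rate departs from the forecast by more than a chosen number of standard deviations. A 24-hour moving average stands in for the paper's stacked LSTM predictor; the packet sample, the surge on port 23, the window length and the z-score threshold are all assumptions made for illustration.

```python
"""Added example (not from the paper): port grouping by temporal affinity and a
forecast-residual anomaly indicator over hourly darknet probing rates."""
from collections import defaultdict
from statistics import mean, pstdev

N_HOURS = 48

# Constructed sample of darknet packet arrivals as (hour index, destination port).
# Ports 23 and 2323 follow the same diurnal shape, 445 is flat background, and
# port 23 receives an extra 60 probes in the final hour (the event to detect).
SAMPLE_PACKETS = []
for _h in range(N_HOURS):
    _base = 8 + (4 if 8 <= _h % 24 <= 18 else 0)
    SAMPLE_PACKETS += [(_h, 23)] * _base
    SAMPLE_PACKETS += [(_h, 2323)] * (_base // 2)
    SAMPLE_PACKETS += [(_h, 445)] * 5
SAMPLE_PACKETS += [(47, 23)] * 60


def hourly_rates(packets, n_hours):
    """Probing rate = packets per hour, one series per destination port."""
    counts = defaultdict(lambda: [0] * n_hours)
    for hour, port in packets:
        counts[port][hour] += 1
    return dict(counts)


def pearson(x, y):
    """Temporal affinity between two rate series; 0 when either one is flat."""
    mx, my = mean(x), mean(y)
    sx, sy = pstdev(x), pstdev(y)
    if sx == 0 or sy == 0:
        return 0.0
    return sum((a - mx) * (b - my) for a, b in zip(x, y)) / (len(x) * sx * sy)


def group_ports(rates, history_hours, threshold=0.9):
    """Union ports whose affinity over the history window meets the threshold.
    Grouping uses history only, so the hour being monitored cannot shape it."""
    ports = sorted(rates)
    parent = {p: p for p in ports}

    def find(p):
        while parent[p] != p:
            p = parent[p]
        return p

    for i, p in enumerate(ports):
        for q in ports[i + 1:]:
            if pearson(rates[p][:history_hours], rates[q][:history_hours]) >= threshold:
                parent[find(q)] = find(p)
    groups = defaultdict(list)
    for p in ports:
        groups[find(p)].append(p)
    return sorted(groups.values())


def forecast(series, t, window=24):
    """Moving-average forecast for hour t (stand-in for the LSTM predictor)."""
    return mean(series[t - window:t])


def residual_zscore(series, t, window=24):
    """Standardised residual at hour t. The residual scale comes only from
    forecasts that could be made before t, so the scored hour never inflates
    its own baseline; a flat history (scale 0) is scored in raw units."""
    history = [series[h] - forecast(series, h, window) for h in range(window, t)]
    scale = pstdev(history) if len(history) > 1 else 0.0
    if scale == 0:
        scale = 1.0
    return (series[t] - forecast(series, t, window)) / scale


def anomalous_ports(rates, t, window=24, z_threshold=3.0):
    """Monitoring indicator: ports whose rate at hour t exceeds the forecast by
    more than z_threshold standard deviations of past residuals."""
    return sorted(p for p, s in rates.items()
                  if residual_zscore(s, t, window) > z_threshold)


if __name__ == "__main__":
    rates = hourly_rates(SAMPLE_PACKETS, N_HOURS)
    print("groups:", group_ports(rates, history_hours=24))
    print("flagged at hour 47:", anomalous_ports(rates, t=47))
```

Because the residual scale is estimated from the history window, a port whose forecast has been reliable for a day is flagged on a modest excess, while a noisy port needs a much larger one; the same structure applies unchanged when the forecast comes from a trained sequence model.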
