Multidimensional investigation of source port 0 probing
Mourad Debbabi | Elias Bou-Harb | Hamad Binsalleeh | Nour-Eddine Lakhdari
[1] Antonio Pescapè,et al. Analysis of a "/0" stealth scan from a botnet , 2015, TNET.
[2] Hari Balakrishnan,et al. Fast portscan detection using sequential hypothesis testing , 2004, IEEE Symposium on Security and Privacy, 2004. Proceedings. 2004.
[3] Mourad Debbabi,et al. On fingerprinting probing activities , 2014, Comput. Secur..
[4] Mourad Debbabi,et al. Cyber Scanning: A Comprehensive Survey , 2014, IEEE Communications Surveys & Tutorials.
[5] Ramesh Govindan,et al. Census and survey of the visible internet , 2008, IMC '08.
[6] Koji Nakao,et al. A Proposal of Malware Distinction Method Based on Scan Patterns Using Spectrum Analysis , 2009, ICONIP.
[7] J. MacQueen. Some methods for classification and analysis of multivariate observations , 1967 .
[8] Zhi-Li Zhang,et al. Identifying and tracking suspicious activities through IP gray space analysis , 2007, MineNet '07.
[9] Ali S. Hadi,et al. Finding Groups in Data: An Introduction to Cluster Analysis , 1991 .
[10] Eric Wustrow,et al. Internet background radiation revisited , 2010, IMC '10.
[11] Leyla Bilge,et al. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis , 2011, NDSS.
[12] Steven J. Templeton,et al. Detecting spoofed packets , 2003, Proceedings DARPA Information Survivability Conference and Exposition.
[13] Evangelos Kranakis,et al. DNS-based Detection of Scanning Worms in an Enterprise Network , 2005, NDSS.
[14] Vipin Kumar,et al. Gray's anatomy: dissecting scanning activities using IP gray space analysis , 2007 .
[15] Vern Paxson,et al. Automating analysis of large-scale botnet probing events , 2009, ASIACCS '09.
[16] Dmitri Loguinov,et al. Demystifying service discovery: implementing an internet-wide scanner , 2010, IMC '10.
[17] Koji Nakao,et al. Correlation Analysis between Spamming Botnets and Malware Infected Hosts , 2011, 2011 IEEE/IPSJ International Symposium on Applications and the Internet.
[18] Peter J. Rousseeuw,et al. Finding Groups in Data: An Introduction to Cluster Analysis , 1990 .
[19] D. Rubin,et al. Maximum likelihood from incomplete data via the EM - algorithm plus discussions on the paper , 1977 .
[20] D. Inoue,et al. nicter: An Incident Analysis System Toward Binding Network Monitoring with Malware Analysis , 2008, 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing.
[21] Riyad Alshammari,et al. Can encrypted traffic be identified without port numbers, IP addresses and payload inspection? , 2011, Comput. Networks.
[22] Nick Feamster,et al. Building a Dynamic Reputation System for DNS , 2010, USENIX Security Symposium.
[23] Wenke Lee,et al. Detecting Malware Domains at the Upper DNS Hierarchy , 2011, USENIX Security Symposium.
[24] Stefan Savage,et al. Network Telescopes: Technical Report , 2004 .
[25] Salvatore J. Stolfo,et al. A quantitative analysis of the insecurity of embedded network devices: results of a wide-area scan , 2010, ACSAC '10.
[26] Farnam Jahanian,et al. The Internet Motion Sensor - A Distributed Blackhole Monitoring System , 2005, NDSS.
[27] Evangelos Kranakis,et al. Addressing SMTP-Based Mass-Mailing Activity within Enterprise Networks , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).
[28] Nick Feamster,et al. Dynamics of Online Scam Hosting Infrastructure , 2009, PAM.
[29] Koji Nakao,et al. Practical Correlation Analysis between Scan and Malware Profiles against Zero-Day Attacks Based on Darknet Monitoring , 2009, IEICE Trans. Inf. Syst..
[30] André Trudel,et al. World's first web census , 2007, Int. J. Web Inf. Syst..
[31] Vern Paxson,et al. Towards Situational Awareness of Large-Scale Botnet Probing Events , 2011, IEEE Transactions on Information Forensics and Security.
[32] Roberto Perdisci,et al. From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware , 2012, USENIX Security Symposium.
[33] Michel Cukier,et al. An experimental evaluation to determine if port scans are precursors to an attack , 2005, 2005 International Conference on Dependable Systems and Networks (DSN'05).