
    Exploratory Data Analysis of a Network Telescope Traffic and Prediction of Port Probing Rates

    Understanding the properties exhibited by large-scale network probing traffic would improve cyber threat intelligence. In addition, predicting probing rates is a key capability for security practitioners seeking to make better operational decisions and to strengthen their defense strategies. In this work, we study different aspects of the traffic captured by a /20 network telescope. First, we perform an exploratory data analysis of the collected probing activities, covering probing rates at the port level, the services that most interest the top network probers, and the distribution of probing rates by geolocation. Second, we extract the network probers' exploration patterns and model them as transition graphs decorated with the probabilities of switching from one port to another. Finally, we assess the capacity of non-stationary autoregressive and vector autoregressive models to predict port probing rates, as a first step towards more robust models with better forecasting performance. Comment: IEEE Intelligence and Security Informatics
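The port-switching behaviour described in this abstract can be estimated directly from telescope flow records: order each prober's destination ports by time, count consecutive port pairs, and normalise per origin port to obtain a first-order transition graph. The example below is added here and is not the paper's code; the flow records are constructed for illustration, and the function names are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed telescope flow records (timestamp, source IP, destination port).
# These are invented for illustration; they are not the paper's /20 telescope data.
FLOWS = [
    ("2024-01-01T00:00:01", "198.51.100.7", 23),
    ("2024-01-01T00:00:03", "198.51.100.7", 2323),
    ("2024-01-01T00:00:05", "198.51.100.7", 23),
    ("2024-01-01T00:00:09", "198.51.100.7", 2323),
    ("2024-01-01T00:00:02", "203.0.113.9", 445),
    ("2024-01-01T00:00:04", "203.0.113.9", 139),
    ("2024-01-01T00:00:06", "203.0.113.9", 445),
    ("2024-01-01T00:00:10", "192.0.2.55", 22),
    ("2024-01-01T00:00:11", "192.0.2.55", 23),
    ("2024-01-01T00:00:12", "192.0.2.55", 445),
]


def port_sequences(flows):
    """Group flows by source and return each prober's ports in time order."""
    by_src = defaultdict(list)
    for ts, src, port in flows:
        by_src[src].append((datetime.fromisoformat(ts), port))
    return {src: [port for _, port in sorted(seq)] for src, seq in by_src.items()}


def top_ports_per_prober(flows, n=2):
    """Services that interest each prober most: the n most-probed ports per source."""
    return {src: [p for p, _ in Counter(seq).most_common(n)]
            for src, seq in port_sequences(flows).items()}


def transition_graph(flows):
    """Port-to-port transition graph: {port: {next_port: probability}}.

    Each consecutive pair of probes from one source counts as one switch;
    probabilities are normalised per origin port (a first-order Markov chain).
    """
    counts = defaultdict(Counter)
    for seq in port_sequences(flows).values():
        for a, b in zip(seq, seq[1:]):
            counts[a][b] += 1
    return {a: {b: n / sum(nxt.values()) for b, n in nxt.items()}
            for a, nxt in counts.items()}


def most_likely_next(graph, port):
    """Highest-probability successor of `port`, or None if it was never left."""
    if port not in graph:
        return None
    return max(graph[port].items(), key=lambda kv: kv[1])[0]


if __name__ == "__main__":
    g = transition_graph(FLOWS)
    for origin, nxt in sorted(g.items()):
        print(origin, {b: round(p, 2) for b, p in nxt.items()})
    print("after port 23, most likely next port:", most_likely_next(g, 23))
```

With the constructed records, port 23 is followed by 2323 two times out of three and by 445 once, so the graph gives 23 -> 2323 a probability of 2/3. On real telescope data the same code needs a session-timeout rule (a prober returning hours later is a new sequence, not a transition), which is omitted here.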


    ThreatPredict: From Global Social and Technical Big Data to Cyber Threat Forecast

    Predicting the next threats that may occur on the Internet is a multifaceted problem: predictions must be precise enough, and given as far in advance as possible, to be exploited efficiently, for example to set up defensive measures. The ThreatPredict project aims at building predictive models that integrate exogenous sources of data using machine learning algorithms. This paper reports the most notable results obtained using technical data from security sensors and contextual information about darkweb cyber-criminal markets and data breaches.

    Monitoring Network Telescopes and Inferring Anomalous Traffic Through the Prediction of Probing Rates

    Network reconnaissance is the first step preceding a cyber-attack. Hence, monitoring probing activities is imperative to help security practitioners enhance their awareness of Internet-wide large-scale events or of peculiar events targeting their network. In this paper, we present a framework for improved and efficient monitoring of the probing activities targeting network telescopes. In particular, we model probing rates, which are a good indicator for measuring the cyber-security risk targeting network services. The approach consists of first inferring groups of network ports sharing similar probing characteristics through a new affinity metric capturing both temporal and semantic similarities between ports. Then, sequences of probing rates targeting similar ports are used as inputs to stacked Long Short-Term Memory (LSTM) neural networks to predict probing rates 1 hour and 1 day in advance. Finally, we describe two monitoring indicators that use the prediction models to infer anomalous probing traffic and to raise early threat warnings. We show that LSTM networks can accurately predict probing rates, outperforming the non-stationary autoregressive model, and we demonstrate that the monitoring indicators are efficient in assessing the cyber-security risk related to vulnerability disclosure.
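The abstract does not give the form of its monitoring indicators, so the example below assumes the simplest one a practitioner would build: forecast the next hour's probing rate from the history, and raise a warning when the observed rate exceeds the forecast by more than k residual standard deviations. It stands in a least-squares AR(1) model for the paper's stacked LSTM, which is enough to show the walk-forward indicator logic. This is added illustration, not the paper's code; the hourly series is constructed and the function names are assumptions.

```python
import math

# Constructed hourly probing-rate series for one port (probes per hour); invented
# for illustration and not taken from any telescope. The last hour is a spike.
HOURLY_RATES = [100, 104, 98, 102, 101, 99, 103, 100, 97, 102, 100, 101, 250]


def fit_ar1(series):
    """Least-squares AR(1) fit x_t = c + phi * x_{t-1}; returns (c, phi)."""
    xs, ys = series[:-1], series[1:]
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    phi = sxy / sxx if sxx else 0.0
    return my - phi * mx, phi


def residual_std(series, c, phi):
    """Standard deviation of the one-step-ahead residuals of the fitted model."""
    res = [y - (c + phi * x) for x, y in zip(series[:-1], series[1:])]
    mean = sum(res) / len(res)
    return math.sqrt(sum((r - mean) ** 2 for r in res) / len(res))


def anomaly_indicator(series, train_len=8, k=3.0):
    """Walk-forward indicator: refit on all history before hour t, forecast hour t,
    and flag the hour if the observed rate exceeds forecast + k * residual std.

    Returns a list of (hour_index, observed, forecast) alerts. `train_len` is the
    minimum history before the first forecast; `k` sets the warning threshold.
    """
    alerts = []
    for t in range(train_len, len(series)):
        history = series[:t]
        c, phi = fit_ar1(history)
        forecast = c + phi * history[-1]
        sigma = residual_std(history, c, phi)
        if series[t] > forecast + k * sigma:
            alerts.append((t, series[t], round(forecast, 2)))
    return alerts


if __name__ == "__main__":
    for hour, observed, forecast in anomaly_indicator(HOURLY_RATES):
        print(f"hour {hour}: observed {observed}, forecast {forecast} -> early warning")
```

On the constructed series the hours at 97 to 104 probes stay inside the three-sigma band and only the jump to 250 is reported. Because the model is refitted every hour, a slow drift is absorbed into the forecast rather than flagged, which is the behaviour wanted for a disclosure-driven surge indicator but not for detecting gradual growth.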

    An exploration of the overlap between open source threat intelligence and active internet background radiation

    Organisations and individuals are facing increasing persistent threats on the Internet from worms, port scanners, and malicious software (malware). These threats are constantly evolving as new attack techniques are discovered. To aid in the detection and prevention of such threats, and to stay ahead of the adversaries conducting the attacks, security specialists are utilising Threat Intelligence (TI) data in their defense strategies. TI data can be obtained from a variety of sources such as private routers, firewall logs, public archives, and public or private network telescopes. However, at the rate and ease with which TI is produced and published, specifically Open Source Threat Intelligence (OSINT), the quality is dropping, resulting in fragmented, context-less and variable data. This research utilised two sets of TI data: a collection of OSINT and active Internet Background Radiation (IBR). The data was collected over a period of 12 months, from 37 publicly available OSINT datasets and five IBR datasets. Through the identification and analysis of data common to the OSINT and IBR datasets, this research was able to gain insight into how effective OSINT is at detecting and potentially reducing ongoing malicious Internet traffic. As part of this research, a minimal framework for the collection, processing/analysis, and distribution of OSINT was developed and tested. The research focused on exploring areas common to the two datasets, with the intention of creating an enriched, contextualised, and reduced set of malicious source IP addresses that consumers could use in their own environments. The findings pointed towards a persistent group of IP addresses observed in both datasets over the period under research. Using these persistent IP addresses, the research was able to identify the specific services being targeted. Amongst these persistent IP addresses was significant traffic from Mirai-like IoT malware on ports 23/tcp and 2323/tcp, as well as general scanning activity on port 445/tcp.
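The core of the overlap analysis is a set operation repeated per day: intersect the OSINT-listed sources with the sources seen by the IBR sensors, keep the addresses that appear in the intersection on enough days, and then look up which ports those addresses hit in the IBR data to produce the reduced, contextualised feed. The example below is added here and is not the thesis's framework; the daily feeds are constructed, and the persistence threshold and function names are assumptions.

```python
from collections import Counter, defaultdict

# Constructed daily OSINT feeds (day -> set of reported source IPs) and IBR sensor
# records (day -> list of (source IP, destination port)). Invented for illustration;
# not the research's 37 OSINT or 5 IBR datasets.
OSINT_DAILY = {
    "2024-01-01": {"198.51.100.7", "203.0.113.9", "192.0.2.55"},
    "2024-01-02": {"198.51.100.7", "203.0.113.9"},
    "2024-01-03": {"198.51.100.7", "192.0.2.55", "203.0.113.9"},
}
IBR_DAILY = {
    "2024-01-01": [("198.51.100.7", 23), ("198.51.100.7", 2323),
                   ("203.0.113.9", 445), ("192.0.2.99", 22)],
    "2024-01-02": [("198.51.100.7", 23), ("203.0.113.9", 445), ("203.0.113.9", 139)],
    "2024-01-03": [("198.51.100.7", 2323), ("203.0.113.9", 445), ("192.0.2.55", 22)],
}


def daily_overlap(osint, ibr):
    """Per day, the sources both listed in OSINT and observed on the IBR sensors."""
    days = sorted(set(osint) | set(ibr))
    return {day: osint.get(day, set()) & {src for src, _ in ibr.get(day, [])}
            for day in days}


def persistent_sources(osint, ibr, min_days):
    """Sources present in the daily overlap on at least `min_days` days."""
    seen = Counter()
    for common in daily_overlap(osint, ibr).values():
        seen.update(common)
    return {ip for ip, n in seen.items() if n >= min_days}


def targeted_ports(ibr, sources):
    """For each selected source, a count of the destination ports it probed."""
    ports = defaultdict(Counter)
    for records in ibr.values():
        for src, port in records:
            if src in sources:
                ports[src][port] += 1
    return ports


def enriched_feed(osint, ibr, min_days):
    """Reduced, contextualised feed: persistent source IP -> {port: probe count}."""
    sources = persistent_sources(osint, ibr, min_days)
    return {ip: dict(counts) for ip, counts in targeted_ports(ibr, sources).items()}


if __name__ == "__main__":
    for ip, ports in sorted(enriched_feed(OSINT_DAILY, IBR_DAILY, min_days=3).items()):
        print(ip, ports)
```

With the constructed data, 192.0.2.55 is listed by OSINT on three days but only seen by the sensors on one, so it drops out at a three-day threshold; the two sources that remain carry the telnet (23, 2323) and SMB (445, 139) context a consumer would want alongside the bare address. The threshold is the tunable that trades feed size against confidence.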

    Evaluation of the effectiveness of small aperture network telescopes as IBR data sources

    The use of network telescopes to collect unsolicited network traffic by monitoring unallocated address space has been in existence for over two decades. Past research has shown that there is a lot of activity happening in this unallocated space that needs monitoring, as it carries threat intelligence data that has proven very useful in the security field. Prior to the emergence of the Internet of Things (IoT), the commercialisation of IP addresses and the spread of mobile devices, there was a large pool of IPv4 addresses, and reserving IPv4 addresses to monitor unsolicited activity in the unallocated space was not a problem. Now, preserving such IPv4 addresses just for monitoring is increasingly difficult, as there are not enough free addresses in the IPv4 address space to be used for monitoring alone; such monitoring is seen as a 'non-productive' use of the addresses. This research addresses the problem that IPv4 address space exhaustion poses for Internet Background Radiation (IBR) monitoring. In order to address the research questions, this research developed four mathematical models: Absolute Mean Accuracy Percentage Score (AMAPS), Symmetric Absolute Mean Accuracy Percentage Score (SAMAPS), Standardised Mean Absolute Error (SMAE), and Standardised Mean Absolute Scaled Error (SMASE). These models are used to evaluate the research objectives and to quantify the variation between different samples, where the sample sizes represent different lens sizes of the telescopes. The study has produced a time series plot showing the expected proportion of unique source IP addresses collected over time. The study also imputed data using the smaller /24 IPv4 net-block subnets to regenerate the missing data points, using bootstrapping to create confidence intervals (CI). The findings from the simulated data support the findings computed from the models. The CI offers a boost to decision making. Through a series of experiments with monthly and quarterly datasets, the study proposed a 95% - 99% confidence level to be used. It was known that large network telescopes collect more threat intelligence data than small network telescopes; however, no study, to the best of our knowledge, has ever quantified that gap. With the findings of the study, users of small network telescopes can now operate them with full knowledge of the gap that exists in the data collected between telescopes of different sizes.Thesis (PhD) -- Faculty of Science, Computer Science, 202
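The abstract names its four scoring models but does not define them, so they are not reproduced here. What it does describe in enough detail to illustrate is the bootstrap: resample the per-/24 observations with replacement, recompute the statistic each time, and read the confidence interval off the percentiles of the resampled statistics. The example below is added here and is not the thesis's code; the per-/24 counts are constructed, the gap definition is an assumption, and so are the function names.

```python
import random

# Constructed monthly counts of unique source IPs seen by each of 16 hypothetical /24
# sub-blocks of one telescope; the numbers are invented and not the thesis's data.
PER_24_UNIQUE_SOURCES = [4120, 3987, 4301, 4055, 3899, 4210, 4002, 4150,
                         3950, 4078, 4190, 3920, 4066, 4133, 4011, 4099]


def mean(xs):
    return sum(xs) / len(xs)


def bootstrap_ci(samples, stat=mean, n_boot=2000, level=0.95, seed=7):
    """Percentile bootstrap CI for `stat` over `samples` (resampling with replacement).

    Returns (point_estimate, lower, upper). `seed` fixes the resampling so a result
    can be reproduced; change `level` to 0.99 for the upper end of the range the
    thesis proposes.
    """
    rng = random.Random(seed)
    boot = sorted(stat([rng.choice(samples) for _ in samples]) for _ in range(n_boot))
    alpha = (1 - level) / 2
    lower = boot[int(alpha * n_boot)]
    upper = boot[min(n_boot - 1, int((1 - alpha) * n_boot))]
    return stat(samples), lower, upper


def coverage_gap(small_estimate, large_observed):
    """Assumed gap definition: the fraction of a larger telescope's observed unique
    sources that an estimate from the smaller aperture does not account for."""
    return 1 - small_estimate / large_observed


if __name__ == "__main__":
    est, lo, hi = bootstrap_ci(PER_24_UNIQUE_SOURCES)
    print(f"mean unique sources per /24: {est:.0f}  95% CI [{lo:.0f}, {hi:.0f}]")
    est99, lo99, hi99 = bootstrap_ci(PER_24_UNIQUE_SOURCES, level=0.99)
    print(f"99% CI [{lo99:.0f}, {hi99:.0f}]")
```

Note that unique-source counts do not scale linearly with aperture, since the same scanner is seen by every sub-block it sweeps; the bootstrap here quantifies the spread among /24 samples, not the /24-to-/16 ratio, which is exactly the gap the thesis set out to measure empirically.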

    An Airspace Simulator for Separation Management Research

    Air Traffic Management (ATM) systems are undergoing a period of major transformation and modernisation, requiring and enabling new separation management (SM) methods. Many novel SM functions, roles and concepts are being explored using ATM simulators. Commercial simulators are capable, high-fidelity tools, but tend to be complex and inaccessible. The Airspace Simulator is a fast-time, discrete event simulator originally designed for exploratory ATM research. This thesis describes the redevelopment of the Airspace Simulator into a simulation platform better suited for researching and evaluating SM in future airspace. The Airspace Simulator-II has the advantage of new functionality and greater fidelity, while remaining high-speed, accessible and readily adaptable. The simulator models FMS-like spherical earth navigation and autopilot flight control with an average cross track error of 0.05 nmi for waypoint-defined routes in variable wind-fields. Trajectories are computed using the BADA v3.8 tabulated database to model the performance of 318 aircraft types. The simulator was demonstrated with up to 4000 total aircraft, and trajectories for 300 simultaneous aircraft were computed over 900 times faster than real-time. Datalink and radio-telephony communications are modelled between the air traffic and ATM systems. Surveillance is provided through ADS-B-like broadcasts, and an algorithm was developed to automatically merge instructions from conflict resolution systems with existing flight plans. Alternate communication, navigation, and separation modes were designed to permit the study of mixed-mode operations. Errors due to wind, navigational wander, communication latencies, and localised information states are modelled to facilitate research into the robustness of SM systems. The simulator incorporates a traffic visualisation tool and was networked to conflict detection and resolution software through a TCP/IP connection. 
A scenario generator was designed to automatically prepare flight plans for a large variety of two-aircraft encounters to support stochastic SM experiments. The simulator, scenario generator, and resolver were used for the preliminary analysis of a novel concept for automated SM over radio-telephony using progressive track angle vectoring

    Aeronautics and space report of the president, 1974 activities

    The U.S. Government activities for 1974 in aeronautics and space are presented. Significant contributions toward the fulfillment of the nation's goals in space and aeronautics are covered, including application of space systems and technology to beneficial uses on earth, exploration of space and increase of scientific knowledge, development of improved space systems and technology, international cooperation, and advancement of civil and military aeronautics. Also in 1974, space activities in the private sector expanded to provide additional services to the public. The accomplishments are summarized

    Research and Technology, 1989

    Selected research and technology activities at Ames Research Center, including the Moffett Field site and the Dryden Flight Research Facility, are summarized. These accomplishments exemplify the Center's varied and highly productive research efforts for 1989