A Characterization of Cybersecurity Posture from Network Telescope Data
Data-driven understanding of cybersecurity posture is an important problem that has not been adequately explored. In this paper, we analyze some real data collected by CAIDA's network telescope during the month of March 2013. We propose to formalize the concept of cybersecurity posture from the perspectives of three kinds of time series: the number of victims (i.e., telescope IP addresses that are attacked), the number of attackers that are observed by the telescope, and the number of attacks that are observed by the telescope. Characterizing cybersecurity posture therefore becomes a matter of investigating the phenomena and statistical properties exhibited by these time series, and explaining their cybersecurity meanings. For example, we propose the concept of sweep-time, and show that sweep-time should be modeled by a stochastic process rather than a random variable. We report that the number of attackers (and attacks) from a certain country dominates the total number of attackers (and attacks) that are observed by the telescope. We also show that substantially smaller network telescopes might not be as useful as a large telescope.
Detection of Sparse Anomalies in High-Dimensional Network Telescope Signals
Network operators and system administrators are increasingly overwhelmed with incessant cyber-security threats ranging from malicious network reconnaissance to attacks such as distributed denial of service and data breaches. A large number of these attacks could be prevented if the network operators were better equipped with threat intelligence information that would allow them to block or throttle nefarious scanning activities. Network telescopes or "darknets" offer a unique window into observing Internet-wide scanners and other malicious entities, and they could offer early warning signals to operators that would be critical for infrastructure protection and/or attack mitigation. A network telescope consists of unused or "dark" IP spaces that serve no users, and solely passively observes any Internet traffic destined to the "telescope sensor" in an attempt to record ubiquitous network scanners, malware that forage for vulnerable devices, and other dubious activities. Hence, monitoring network telescopes for timely detection of coordinated and heavy scanning activities is an important, albeit challenging, task. The challenges mainly arise due to the non-stationarity and the dynamic nature of Internet traffic and, more importantly, the fact that one needs to monitor high-dimensional signals (e.g., all TCP/UDP ports) to search for "sparse" anomalies. We propose statistical methods to address both challenges in an efficient and "online" manner; our work is validated both with synthetic data as well as real-world data from a large network telescope.
Chocolatine: Outage Detection for Internet Background Radiation
The Internet is a complex ecosystem composed of thousands of Autonomous Systems (ASs) operated by independent organizations, each AS having a very limited view outside its own network. These complexities and limitations prevent network operators from finely pinpointing the causes of service degradation or disruption when the problem lies outside of their network. In this paper, we present Chocolatine, a solution to detect remote connectivity loss using Internet Background Radiation (IBR) through a simple and efficient method. IBR is unidirectional unsolicited Internet traffic, which is easily observed by monitoring unused address space. IBR features two remarkable properties: it originates worldwide, across diverse ASs, and it is incessant. We show that the number of IP addresses observed from an AS or a geographical area follows a periodic pattern. Then, using Seasonal ARIMA to statistically model IBR data, we predict the number of IPs for the next time window. Significant deviations from these predictions indicate an outage. We evaluated Chocolatine using data from the UCSD Network Telescope, operated by CAIDA, with a set of documented outages. Our experiments show that the proposed methodology achieves a good trade-off between true-positive rate (90%) and false-positive rate (2%) and largely outperforms CAIDA's own IBR-based detection method. Furthermore, performing a comparison against other methods, i.e., BGP monitoring and active probing, we observe that Chocolatine shares a large common set of outages with them in addition to many specific outages that would otherwise go undetected.
Comment: TMA 201
Enlightening the Darknets: Augmenting Darknet Visibility with Active Probes
Darknets collect unsolicited traffic reaching unused address spaces. They provide insights into malicious activities, such as the rise of botnets and DDoS attacks. However, darknets provide a shallow view, as traffic is never responded to. Here we quantify how their visibility increases by responding to traffic with interactive responders with increasing levels of interaction. We consider four deployments: Darknets, simple, vertical bound to specific ports, and a honeypot that responds to all protocols on any port. We contrast these alternatives by analyzing the traffic attracted by each deployment and characterizing how traffic changes throughout the responder lifecycle on the darknet. We show that the deployment of responders increases the value of darknet data by revealing patterns that would otherwise be unobservable. We measure Side-Scan phenomena where, once a host starts responding, it attracts traffic to other ports and neighboring addresses. uncovers attacks that darknets and would not observe, e.g., large-scale activity on non-standard ports. And we observe how quickly senders can identify and attack new responders. The “enlightened” part of a darknet brings several benefits and offers opportunities to increase the visibility of sender patterns. This information gain is worth taking advantage of, and we therefore recommend that organizations consider this option.
Uncovering Vulnerable Industrial Control Systems from the Internet Core
Industrial control systems (ICS) are managed remotely with the help of dedicated protocols that were originally designed to work in walled gardens. Many of these protocols have been adapted to Internet transport and support wide-area communication. ICS now exchange insecure traffic on an inter-domain level, putting at risk not only common critical infrastructure but also the Internet ecosystem (e.g., DRDoS attacks).
In this paper, we uncover unprotected inter-domain ICS traffic at two central Internet vantage points, an IXP and an ISP. This traffic analysis is correlated with data from honeypots and Internet-wide scans to separate industrial from non-industrial ICS traffic. We provide an in-depth view of Internet-wide ICS communication. Our results can be used i) to create precise filters for potentially harmful non-industrial ICS traffic, and ii) to detect ICS sending unprotected inter-domain ICS traffic, which are vulnerable to eavesdropping and traffic manipulation attacks.
Assessing Internet-wide Cyber Situational Awareness of Critical Sectors
In this short paper, we take a first step towards empirically assessing Internet-wide malicious activities generated from and targeted towards Internet-scale business sectors (i.e., financial, health, education, etc.) and critical infrastructure (i.e., utilities, manufacturing, government, etc.). Facilitated by an innovative and collaborative large-scale effort, we have conducted discussions with numerous Internet entities to obtain rare and private information related to allocated IP blocks pertaining to the aforementioned sectors and critical infrastructure. To this end, we employ such information to attribute Internet-scale maliciousness to such sectors and realms, in an attempt to provide an in-depth analysis of the global cyber situational posture. We draw upon close to 16.8 TB of darknet data to infer probing activities (typically generated by malicious/infected hosts) and DDoS backscatter, from which we distill IP addresses of victims. By executing week-long measurements, we observed an alarming number of more than 11,000 probing machines and 300 DDoS attack victims hosted by critical sectors. We also generate rare insights related to the maliciousness of various business sectors, including financial, which typically do not report their hosted and targeted illicit activities for reputation-preservation purposes. While we treat the obtained results with strict confidence due to obvious sensitivity reasons, we postulate that such generated cyber threat intelligence could be shared with sector/critical infrastructure operators, backbone networks and Internet service providers to contribute to the overall threat remediation objective.
Are Darknets All The Same? On Darknet Visibility for Security Monitoring
Darknets are sets of IP addresses that are advertised but do not host any client or server. By passively recording the incoming packets, they assist network monitoring activities. Since packets they receive are unsolicited by definition, darknets help to spot misconfigurations as well as important security events, such as the appearance and spread of botnets, DDoS attacks using spoofed IP addresses, etc. A number of organizations worldwide deploy darknets, ranging from a few dozen IP addresses to large /8 networks. We here investigate how similar the visibility of different darknets is. By relying on traffic from three darknets deployed in different continents, we evaluate their exposure in terms of observed events given their allocated IP addresses. The latter is particularly relevant considering the shortage of IPv4 addresses on the Internet. Our results suggest that some well-known facts about darknet visibility seem invariant across deployments, such as the most commonly contacted ports. However, size and location matter. We find significant differences in the observed traffic from darknets deployed in different IP ranges as well as according to the size of the IP range allocated for the monitoring.
Cloud Watching: Understanding Attacks Against Cloud-Hosted Services
Cloud computing has dramatically changed service deployment patterns. In this work, we analyze how attackers identify and target cloud services in contrast to traditional enterprise networks and network telescopes. Using a diverse set of cloud honeypots in 5 providers and 23 countries as well as 2 educational networks and 1 network telescope, we analyze how IP address assignment, geography, network, and service-port selection influence what services are targeted in the cloud. We find that scanners that target cloud compute are selective: they avoid scanning networks without legitimate services and they discriminate between geographic regions. Further, attackers mine Internet-service search engines to find exploitable services and, in some cases, they avoid targeting IANA-assigned protocols, causing researchers to misclassify at least 15% of traffic on select ports. Based on our results, we derive recommendations for researchers and operators.
Comment: Proceedings of the 2023 ACM Internet Measurement Conference (IMC '23), October 24-26, 2023, Montreal, QC, Canada