Visible to the public Behavioral analytics for inferring large-scale orchestrated probing events

TitleBehavioral analytics for inferring large-scale orchestrated probing events
Publication TypeConference Paper
Year of Publication2014
AuthorsBou-Harb, E., Debbabi, M., Assi, C.
Conference NameComputer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on
Date PublishedApril
Keywordscomputer network security, Conferences, coordination pattern, cyber attack, cyber threat intelligence, Cyberspace, data mining, data mining methods, early cyber attack notification, early cyber attack warning, emergency response teams, fuzzy approaches, fuzzy set theory, information theoretical metrics, Information theory, Internet, Internet traffic, invasive software, IP networks, large-scale orchestrated probing events, malicious activities, malicious real darknet data, Malware, malware traffic, network security analysts, orchestration pattern, Probes, routable unallocated IP addresses, signal techniques, statistical analysis, statistical techniques, telecommunication traffic

The significant dependence on cyberspace has indeed brought new risks that often compromise, exploit and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, inferring probing events, which are commonly the first stage of any cyber attack, render a promising tactic to achieve that task. We have been receiving for the past three years 12 GB of daily malicious real darknet data (i.e., Internet traffic destined to half a million routable yet unallocated IP addresses) from more than 12 countries. This paper exploits such data to propose a novel approach that aims at capturing the behavior of the probing sources in an attempt to infer their orchestration (i.e., coordination) pattern. The latter defines a recently discovered characteristic of a new phenomenon of probing events that could be ominously leveraged to cause drastic Internet-wide and enterprise impacts as precursors of various cyber attacks. To accomplish its goals, the proposed approach leverages various signal and statistical techniques, information theoretical metrics, fuzzy approaches with real malware traffic and data mining methods. The approach is validated through one use case that arguably proves that a previously analyzed orchestrated probing event from last year is indeed still active, yet operating in a stealthy, very low rate mode. We envision that the proposed approach that is tailored towards darknet data, which is frequently, abundantly and effectively used to generate cyber threat intelligence, could be used by network security analysts, emergency response teams and/or observers of cyber events to infer large-scale orchestrated probing events for early cyber attack warning and notification.

Citation Key6849283