A Characterization of Cybersecurity Posture from Network Telescope Data

Abstract

Data-driven understanding of cybersecurity posture is an important problem that has not been adequately explored. In this paper, we analyze some real data collected by CAIDA’s network telescope during the month of March 2013. We propose to formalize the concept of cybersecurity posture from the perspectives of three kinds of time series: the number of victims (i.e., telescope IP addresses that are attacked), the number of attackers that are observed by the telescope, and the number of attacks that are observed by the telescope. Characterizing cybersecurity posture therefore becomes investigating the phenomena and statistical properties exhibited by these time series, and explaining their cybersecurity meanings. For example, we propose the concept of sweep-time, and show that sweep-time should be modeled by stochastic process, rather than random variable. We report that the number of attackers (and attacks) from a certain country dominates the total number of attackers (and attacks) that are observed by the telescope. We also show that substantially smaller network telescopes might not be as useful as a large telescope.

Appendices

A Characterization of the Dominance and Periodicity Phenomenon Exhibited by Attackers

Now we quantify the similarity between the two time series via Dynamic Time Warping (DTW), fitted model, and prediction accuracy.

Similarity Based on DTW. Figure 9(a) plots the warping path between the total number attackers in \(D_1\) and the total number of attackers in \(D_2\). The two time series are very similar to each other, except for the time interval [452, 668] as suggested by Figs. 8(a) and (c). Figure 9(b) plots the warping path between the two time series plotted in Fig. 7(a), namely the total number of attackers in \(D_1\) and the total number of attackers from country X in \(D_1\). It shows that the two time series are very similar to each other except during the time interval [455, 630], as suggested by Figs. 8(a) and (b). Figure 9(c) plots the warping path between the two time series plotted in Figs. 8(b) and (d). It shows that the two time series are almost identical to each other, and that the filtering of rarely seen attackers/attacks does not manipulate the periodic structure of the time series of the number of attackers from country X. Figure 9(d) plots the warping path between the two time series plotted in Figs. 8(c) and (d), which indeed are almost identical to each other.

Fig. 9.

DTW statistics between the times series of the total number of attackers and the time series of the number of attackers for country X.

Similarity Based on Fitted Models. Since both the time series exhibit periodicity, we use the multiplicative seasonal ARIMA model to fit the two time series in \(D_1\) and \(D_2\), respectively. The model parameters are: nonseasonal orders (p, d, q), and seasonal orders (P, D, Q), and seasonal period \(s=24\) based on the above discussion of periodicity. For model selection, the parameter sets are:

• \((p,d,q)\in [0,5]\times \{0,1\}\times [0,5]\);

• \((P,D,Q)\in [0,5]\times \{0,1\}\times [0,5]\).

According to the AIC criterion (briefly reviewed in Sect. 3), the two time series in both \(D_1\) and \(D_2\) prefer to the following model:

$$\begin{aligned} W_t= & {} \phi _1 W_{t-1}+e_t+\theta _1 e_{t-1}+\varPhi _1 W_{t-24}+\varPhi _2 W_{t-48}+ \\&\varTheta _1 e_{t-24}+\varTheta _2 e_{t-48}+\varTheta _3 e_{t-96}, \end{aligned}$$

where \(W_t=|A(r;t,t+1)|-|A(r;t-24,t-23)|\). Table 3 summarizes the fitting results. We observe that the two fitted models in \(D_1\) are similar to each other in terms of coefficients, and that the two fitted models in \(D_2\) are almost identical to each other.

Table 3. Coefficients in the fitted models of the total number of attackers and the number of attackers from country X.

Similarity Based on Prediction Accuracy. Table 4 summarizes the PMAD values for 1, 4, 7 and 10 hours ahead-of-time prediction of the number of attackers during the last 96 hours in both \(D_1\) and \(D_2\). For \(D_1\), we observe that 1-h ahead-of-time predictions for the number of attackers from country X and the total number of attackers are reasonably accurate (with PMAD value .093 and .092, or \(9.3\,\%\) and \(9.2\,\%\) prediction error, respectively); whereas the predictions for 4, 7 and 10 hours ahead-of-time are not useful. For \(D_2\), we observe similar prediction results, namely that 1-h ahead-of-time predictions lead to \(7.5\,\%\) prediction error for the total number of attackers and \(9.5\,\%\) prediction error for the number of attackers from country X.

Table 4. PMAD values for \(h=1,4,7,10\) hours ahead-of-time predictions on the total number of attackers and on the number of attackers from country X, as observed by the telescope.

B Further Characterizations on the Inference Errors of Small Telescopes

Inferring the Number of Attackers From Small Telescopes. Similarly, we would like to infer the number of attackers based on small telescopes. Table 5 summarizes the inference errors in terms of the \(\min \), mean, median and \(\max \) PMAD values of all the considered combinations of sample blocks, as well as the standard deviation of the PMAD values. For \(D_1\) and \(B=16\), we observe that 3 small telescopes (out of the 16 telescopes of size \(2^{20}\) IP addresses) would give good approximation of the number of attackers that would be obtained based on the network telescope of size \(2^{24}\). This is because the maximum PMAD value is \(7.34\,\%\). For \(D_2\) and \(B=16\), we observe that using 4 small telescopes of size \(2^{20}\) does not lead to good approximation. For \(B=256\), neither \(D_1\) nor \(D_2\) leads to obtain good enough approximation. These suggest that using significantly small telescopes may not lead to robust results.

Table 5. PMAD-based measurement of the inference error when using b (our of the B) small telescopes to approximate the number of attackers that are observed by the larger /8 telescope, where “SD” stands for standard deviation.

Inferring the Number of Attacks From Small Telescopes. From the perspective of inferring the number of attacks, Table 6 summarizes the inference errors as in the above. For \(D_1\) and \(B=16\), we observe that 3 small telescopes (out of the 16 telescopes of size \(2^{20}\) IP addresses) would give good approximation of the number of attacks that would be obtained based on the larger network telescope of size \(2^{24}\). This is because the maximum PMAD errors is .0761, namely \(7.61\,\%\) approximation error. For \(D_1\) and \(B=256\), the mean approximation error is \(9.58\,\%\) for \(b=5\) (i.e., using 5 small telescopes instead), which is marginally acceptable. For \(D_2\) and \(B=16\), we observe that using 4 small telescopes of size \(2^{20}\) can lead to worst-case approximation error \(8.27\,\%\). For \(D_2\) and \(B=256\), we observe that using 5 small telescopes of size \(2^{16}\) does not lead to good approximation. That is, substantially small telescope may not be as useful as the large telescope.

Table 6. PMAD-based measurement of the inference error when using b (our of the B) small telescopes to approximate the number of attacks observed by the /8 telescope, where “SD” stands for standard deviation.