Abstract
Data-driven understanding of cybersecurity posture is an important problem that has not been adequately explored. In this paper, we analyze real data collected by CAIDA’s network telescope during the month of March 2013. We propose to formalize the concept of cybersecurity posture from the perspective of three kinds of time series: the number of victims (i.e., telescope IP addresses that are attacked), the number of attackers observed by the telescope, and the number of attacks observed by the telescope. Characterizing cybersecurity posture therefore becomes a matter of investigating the phenomena and statistical properties exhibited by these time series and explaining their cybersecurity meaning. For example, we propose the concept of sweep-time and show that sweep-time should be modeled by a stochastic process rather than by a random variable. We report that the number of attackers (and attacks) from a certain country dominates the total number of attackers (and attacks) observed by the telescope. We also show that substantially smaller network telescopes might not be as useful as a large telescope.
Notes
1. We were fortunate to see the real, rather than anonymized, attacker IP addresses, which allowed us to aggregate the attackers based on their country code. Our study was approved by IRB.
Acknowledgement
We thank CAIDA for sharing with us the data analyzed in the paper. This work was supported in part by ARO Grant #W911NF-13-1-0141 and NSF Grant #1111925.
Appendices
A Characterization of the Dominance and Periodicity Phenomenon Exhibited by Attackers
We now quantify the similarity between the two time series via Dynamic Time Warping (DTW), fitted models, and prediction accuracy.
Similarity Based on DTW. Figure 9(a) plots the warping path between the total number of attackers in \(D_1\) and the total number of attackers in \(D_2\). The two time series are very similar to each other, except for the time interval [452, 668], as suggested by Figs. 8(a) and (c). Figure 9(b) plots the warping path between the two time series plotted in Fig. 7(a), namely the total number of attackers in \(D_1\) and the number of attackers from country X in \(D_1\). It shows that the two time series are very similar to each other except during the time interval [455, 630], as suggested by Figs. 8(a) and (b). Figure 9(c) plots the warping path between the two time series plotted in Figs. 8(b) and (d). It shows that the two time series are almost identical to each other, and that filtering out rarely seen attackers/attacks does not alter the periodic structure of the time series of the number of attackers from country X. Figure 9(d) plots the warping path between the two time series plotted in Figs. 8(c) and (d), which indeed are almost identical to each other.
Similarity Based on Fitted Models. Since both time series exhibit periodicity, we fit a multiplicative seasonal ARIMA model to each of the two time series in \(D_1\) and \(D_2\), respectively. The model parameters are the nonseasonal orders (p, d, q), the seasonal orders (P, D, Q), and the seasonal period \(s=24\), chosen based on the above discussion of periodicity. For model selection, the parameter sets are:
- \((p,d,q)\in [0,5]\times \{0,1\}\times [0,5]\);
- \((P,D,Q)\in [0,5]\times \{0,1\}\times [0,5]\).
According to the AIC criterion (briefly reviewed in Sect. 3), the two time series in both \(D_1\) and \(D_2\) prefer the following model:
where \(W_t=|A(r;t,t+1)|-|A(r;t-24,t-23)|\). Table 3 summarizes the fitting results. We observe that the two fitted models for \(D_1\) are similar to each other in terms of coefficients, and that the two fitted models for \(D_2\) are almost identical to each other.
Similarity Based on Prediction Accuracy. Table 4 summarizes the PMAD values for 1, 4, 7 and 10 hours ahead-of-time prediction of the number of attackers during the last 96 hours in both \(D_1\) and \(D_2\). For \(D_1\), we observe that 1-h ahead-of-time predictions of the number of attackers from country X and of the total number of attackers are reasonably accurate (with PMAD values 0.093 and 0.092, i.e., \(9.3\,\%\) and \(9.2\,\%\) prediction error, respectively), whereas the predictions 4, 7 and 10 hours ahead-of-time are not useful. For \(D_2\), we observe similar prediction results, namely that 1-h ahead-of-time predictions lead to \(7.5\,\%\) prediction error for the total number of attackers and \(9.5\,\%\) prediction error for the number of attackers from country X.
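The two measures used in this appendix, a DTW warping path between two hourly series and the PMAD of h-hour-ahead forecasts over the last 96 hours, can be reproduced on constructed data. The following is an added example, not code from the paper or from CAIDA: the hourly series are synthetic (a 24-hour cycle plus noise), PMAD is assumed to be \(\sum_t |x_t-\hat{x}_t| / \sum_t |x_t|\) reported as a fraction, and the seasonal ARIMA fit is replaced by a one-parameter AR(1) on the seasonal difference \(W_t = x_t - x_{t-24}\) defined above, which is enough to show how the error behaves as the horizon grows.

```python
"""Added example (not from the paper): DTW alignment of two hourly time
series and PMAD of h-hour-ahead forecasts built on the seasonal difference
W_t = x_t - x_{t-24}.  All series here are constructed inline."""
import math
import random

PERIOD = 24          # seasonal period s = 24 hours, as in the appendix
HOURS = 24 * 7       # one constructed week of hourly counts


def constructed_series(seed, scale, noise):
    """Constructed hourly attacker counts with a 24-hour cycle plus noise."""
    rng = random.Random(seed)
    return [int(scale * (1.0 + 0.5 * math.sin(2 * math.pi * t / PERIOD))
                + rng.gauss(0, noise)) for t in range(HOURS)]


def dtw(x, y):
    """Dynamic Time Warping with absolute-difference cost.
    Returns (distance, path); path is a list of aligned (i, j) index pairs."""
    n, m = len(x), len(y)
    inf = float("inf")
    cost = [[inf] * (m + 1) for _ in range(n + 1)]
    cost[0][0] = 0.0
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost[i][j] = abs(x[i - 1] - y[j - 1]) + min(
                cost[i - 1][j - 1], cost[i - 1][j], cost[i][j - 1])
    # Backtrack from (n, m) to (1, 1), preferring the diagonal on ties.
    i, j = n, m
    path = [(i - 1, j - 1)]
    while (i, j) != (1, 1):
        _, i, j = min((cost[i - 1][j - 1], i - 1, j - 1),
                      (cost[i - 1][j], i - 1, j),
                      (cost[i][j - 1], i, j - 1))
        path.append((i - 1, j - 1))
    path.reverse()
    return cost[n][m], path


def max_warp(path):
    """Largest |i - j| along the path: 0 means a one-to-one alignment."""
    return max(abs(i - j) for i, j in path)


def pmad(actual, predicted):
    """Percentage mean absolute deviation, assumed here to be
    sum|a_t - p_t| / sum|a_t|, reported as a fraction (0.093 = 9.3 %)."""
    return (sum(abs(a - p) for a, p in zip(actual, predicted))
            / sum(abs(a) for a in actual))


def fit_ar1_on_seasonal_difference(series, period=PERIOD):
    """Least-squares AR(1) coefficient phi for W_t = x_t - x_{t-period}.
    A one-parameter stand-in for the seasonal ARIMA fit, not the paper's model."""
    w = [series[t] - series[t - period] for t in range(period, len(series))]
    num = sum(w[t] * w[t - 1] for t in range(1, len(w)))
    den = sum(w[t - 1] ** 2 for t in range(1, len(w)))
    return num / den if den else 0.0


def forecast(series, t, h, phi, period=PERIOD):
    """Forecast x_{t+h} from observations up to time t (requires h <= period):
    x_hat = x_{t+h-period} + phi**h * W_t."""
    w_t = series[t] - series[t - period]
    return series[t + h - period] + (phi ** h) * w_t


def evaluate_horizons(series, horizons=(1, 4, 7, 10), window=96):
    """PMAD of h-hour-ahead forecasts over the last `window` hours,
    fitting phi only on the hours before that window."""
    n = len(series)
    phi = fit_ar1_on_seasonal_difference(series[: n - window])
    return {h: pmad([series[k] for k in range(n - window, n)],
                    [forecast(series, k - h, h, phi) for k in range(n - window, n)])
            for h in horizons}


if __name__ == "__main__":
    total = constructed_series(1, 1000, 25)     # stands in for all attackers in D_1
    country_x = constructed_series(2, 700, 20)  # stands in for attackers from country X
    dist, path = dtw(total, country_x)
    print(f"DTW distance {dist:.0f}, max warp {max_warp(path)} hours")
    for h, err in evaluate_horizons(total).items():
        print(f"{h:2d}-h ahead: PMAD {err:.3f}")
```

The warping path is the object plotted in Fig. 9: a path that hugs the diagonal (small `max_warp`) means the two series rise and fall together hour by hour, while excursions away from it mark intervals such as [452, 668] where one series leads or lags the other. The forecast evaluation mirrors the Table 4 setup (four horizons, last 96 hours held out) so that the reported PMAD values can be read on the same scale.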
B Further Characterizations on the Inference Errors of Small Telescopes
Inferring the Number of Attackers From Small Telescopes. Similarly, we would like to infer the number of attackers from small telescopes. Table 5 summarizes the inference errors in terms of the \(\min \), mean, median and \(\max \) PMAD values over all the considered combinations of sample blocks, as well as the standard deviation of the PMAD values. For \(D_1\) and \(B=16\), we observe that 3 small telescopes (out of the 16 telescopes of size \(2^{20}\) IP addresses) give a good approximation of the number of attackers that would be obtained from the network telescope of size \(2^{24}\), because the maximum PMAD value is \(7.34\,\%\). For \(D_2\) and \(B=16\), we observe that using 4 small telescopes of size \(2^{20}\) does not lead to a good approximation. For \(B=256\), neither \(D_1\) nor \(D_2\) yields a good enough approximation. These results suggest that using significantly smaller telescopes may not lead to robust results.
Inferring the Number of Attacks From Small Telescopes. From the perspective of inferring the number of attacks, Table 6 summarizes the inference errors as above. For \(D_1\) and \(B=16\), we observe that 3 small telescopes (out of the 16 telescopes of size \(2^{20}\) IP addresses) give a good approximation of the number of attacks that would be obtained from the larger network telescope of size \(2^{24}\), because the maximum PMAD error is 0.0761, namely \(7.61\,\%\) approximation error. For \(D_1\) and \(B=256\), the mean approximation error is \(9.58\,\%\) for \(b=5\) (i.e., using 5 small telescopes instead), which is marginally acceptable. For \(D_2\) and \(B=16\), we observe that using 4 small telescopes of size \(2^{20}\) can lead to a worst-case approximation error of \(8.27\,\%\). For \(D_2\) and \(B=256\), we observe that using 5 small telescopes of size \(2^{16}\) does not lead to a good approximation. That is, substantially smaller telescopes may not be as useful as the large telescope.
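The inference experiment of this appendix, estimating what the whole \(2^{24}\)-address telescope sees from b of its B equally sized blocks and summarizing the PMAD over combinations of blocks, is illustrated below on constructed traffic. This is an added example, not the paper's code or data: the per-source probe counts are drawn from a heavy-tailed distribution so that most sources send a few probes while a few sweep the whole space, and the two estimators (attacker count = distinct sources seen by the b blocks; attack count = probes seen by the b blocks scaled by B/b) are this example's assumptions, not necessarily the estimators used for Tables 5 and 6. The min/mean/median/max/std summary follows the layout of those tables.

```python
"""Added example (not from the paper): how much a small telescope, i.e. b of
the B equally sized blocks of a 2^24-address telescope, misestimates the
hourly number of attackers and attacks seen by the whole telescope.
Traffic is constructed inline; the estimators are this example's assumptions."""
import collections
import itertools
import math
import random
import statistics

TELESCOPE_BITS = 24  # a /8 telescope: 2^24 addresses, as in the appendix


def constructed_traffic(seed, hours=24, sources_per_hour=150):
    """Per hour, a dict source_id -> list of probed address offsets in [0, 2^24).
    Probe counts per source are heavy-tailed: most sources send a few probes,
    a few sweep widely, so small telescopes mainly miss the low-volume sources."""
    rng = random.Random(seed)
    traffic = []
    for h in range(hours):
        hour = {}
        for s in range(sources_per_hour):
            k = min(2000, int(rng.paretovariate(1.1)))  # at least one probe
            hour[(h, s)] = [rng.getrandbits(TELESCOPE_BITS) for _ in range(k)]
        traffic.append(hour)
    return traffic


def full_counts(traffic):
    """Hourly (attackers, attacks) as the whole 2^24 telescope would see them."""
    return ([len(hour) for hour in traffic],
            [sum(len(a) for a in hour.values()) for hour in traffic])


def bucket_by_block(traffic, block_bits):
    """Per hour, per source: Counter of block index -> probes into that block,
    the telescope being split into B = 2^block_bits blocks of 2^(24-block_bits)."""
    shift = TELESCOPE_BITS - block_bits
    return [[collections.Counter(a >> shift for a in addrs) for addrs in hour.values()]
            for hour in traffic]


def hourly_counts(bucketed, chosen_blocks):
    """Hourly (attackers, attacks) observed by the union of the chosen blocks."""
    attackers, attacks = [], []
    for hour in bucketed:
        n_src = n_pkt = 0
        for blocks in hour:
            hits = sum(blocks.get(blk, 0) for blk in chosen_blocks)
            if hits:
                n_src += 1
                n_pkt += hits
        attackers.append(n_src)
        attacks.append(n_pkt)
    return attackers, attacks


def pmad(actual, predicted):
    """Percentage mean absolute deviation as a fraction (assumed definition)."""
    return (sum(abs(a - p) for a, p in zip(actual, predicted))
            / sum(abs(a) for a in actual))


def summarize(errs):
    """min/mean/median/max/std of a list of PMAD values, as in Tables 5 and 6."""
    return {"min": min(errs), "mean": statistics.mean(errs),
            "median": statistics.median(errs), "max": max(errs),
            "std": statistics.pstdev(errs)}


def inference_errors(traffic, block_bits, b, max_combos=200, seed=0):
    """PMAD of inferring the full-telescope hourly series from b of B blocks,
    over all b-combinations or a random sample of max_combos of them.
    Assumed estimators: attackers = distinct sources seen by the b blocks
    (sweepers hit every block); attacks = probes seen by the b blocks * B / b."""
    B = 1 << block_bits
    true_src, true_pkt = full_counts(traffic)
    bucketed = bucket_by_block(traffic, block_bits)
    rng = random.Random(seed)
    if math.comb(B, b) <= max_combos:
        combos = list(itertools.combinations(range(B), b))
    else:
        combos = [tuple(sorted(rng.sample(range(B), b))) for _ in range(max_combos)]
    err_src, err_pkt = [], []
    for combo in combos:
        src, pkt = hourly_counts(bucketed, combo)
        err_src.append(pmad(true_src, src))
        err_pkt.append(pmad(true_pkt, [p * B / b for p in pkt]))
    return {"attackers": summarize(err_src), "attacks": summarize(err_pkt)}


if __name__ == "__main__":
    traffic = constructed_traffic(2013)
    # B=16 with b=3 and B=256 with b=5, the configurations discussed above
    for block_bits, b in ((4, 3), (8, 5)):
        res = inference_errors(traffic, block_bits, b)
        for kind, s in res.items():
            print(f"B={1 << block_bits:3d} b={b} {kind:9s} "
                  f"PMAD min {s['min']:.3f} mean {s['mean']:.3f} max {s['max']:.3f}")
```

The attacker-count error comes almost entirely from sources that send only a handful of probes and therefore never land in the sampled blocks; the attack-count error is dominated by the variance of scaling a small sample up by B/b. Both grow as the blocks get smaller, which is the mechanism behind the observation that a substantially smaller telescope may not reproduce the larger one's series.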
Copyright information
© 2015 Springer International Publishing Switzerland
Cite this paper
Zhan, Z., Xu, M., Xu, S. (2015). A Characterization of Cybersecurity Posture from Network Telescope Data. In: Yung, M., Zhu, L., Yang, Y. (eds) Trusted Systems. INTRUST 2014. Lecture Notes in Computer Science(), vol 9473. Springer, Cham. https://doi.org/10.1007/978-3-319-27998-5_7
DOI: https://doi.org/10.1007/978-3-319-27998-5_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-27997-8
Online ISBN: 978-3-319-27998-5