Title :
Behavioral analytics for inferring large-scale orchestrated probing events

Author :
Bou-Harb, Elias ; Debbabi, Mourad ; Assi, Chadi

Author_Institution :
NCFTA, Concordia Univ., Montreal, QC, Canada

fDate :
April 27 2014-May 2 2014

Abstract :
The significant dependence on cyberspace has indeed brought new risks that often compromise, exploit and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, inferring probing events, which are commonly the first stage of any cyber attack, renders a promising tactic to achieve that task. We have been receiving for the past three years 12 GB of daily malicious real darknet data (i.e., Internet traffic destined to half a million routable yet unallocated IP addresses) from more than 12 countries. This paper exploits such data to propose a novel approach that aims at capturing the behavior of the probing sources in an attempt to infer their orchestration (i.e., coordination) pattern. The latter defines a recently discovered characteristic of a new phenomenon of probing events that could be ominously leveraged to cause drastic Internet-wide and enterprise impacts as precursors of various cyber attacks. To accomplish its goals, the proposed approach leverages various signal and statistical techniques, information theoretical metrics, fuzzy approaches with real malware traffic and data mining methods. The approach is validated through one use case that arguably proves that a previously analyzed orchestrated probing event from last year is indeed still active, yet operating in a stealthy, very low rate mode. We envision that the proposed approach, which is tailored towards darknet data that is frequently, abundantly and effectively used to generate cyber threat intelligence, could be used by network security analysts, emergency response teams and/or observers of cyber events to infer large-scale orchestrated probing events for early cyber attack warning and notification.
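The abstract names the ingredients (per-source behaviour captured from darknet traffic, information-theoretic metrics, detection of coordination even at very low probing rates) without showing what a minimal pipeline looks like. The following is an added illustrative example, not the authors' method or code: it builds per-source behavioural features (packet rate, destination and port entropy) from constructed darknet flows and applies a simple, assumed heuristic for orchestration, namely several single-port sources that each sweep a contiguous block, overlap (almost) nowhere, and together contiguously cover most of the monitored dark space. The darknet prefix 203.0.113.0/24, the scanner addresses, and the thresholds are assumptions chosen for the example; the traffic is synthetic.

```python
"""Added illustrative example (not the paper's method): behavioural profiling
of darknet probe sources and a simple target-space partitioning heuristic for
spotting coordinated, low-rate scanners. All traffic below is constructed."""
import ipaddress
import math
from collections import Counter, defaultdict
from itertools import combinations

# Stand-in for the monitored dark address space (TEST-NET-3, an assumption)
DARK_NET = ipaddress.ip_network("203.0.113.0/24")


def make_sample():
    """Constructed flows as (t_seconds, src, dst, dport); not real darknet data.
    Three sources each sweep one contiguous third of DARK_NET on tcp/445 at
    one packet per minute; a fourth sprays scattered hosts and ports quickly."""
    hosts = list(DARK_NET.hosts())  # 254 addresses, .1 to .254
    flows = []
    for i, block in enumerate((hosts[0:85], hosts[85:170], hosts[170:254])):
        src = f"198.51.100.{10 + i}"  # assumed scanner addresses (RFC 5737)
        for k, dst in enumerate(block):
            flows.append((i * 7 + k * 60, src, str(dst), 445))
    for k in range(40):  # noisy, fast, multi-port source
        flows.append((5 + k, "192.0.2.77", str(hosts[(k * 37) % 254]),
                      1000 + (k * 13) % 900))
    return flows


def entropy_bits(values):
    """Shannon entropy (bits) of an iterable of symbols."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def profile_sources(flows):
    """Per-source behavioural features: volume, rate, target/port entropy."""
    by_src = defaultdict(list)
    for t, src, dst, dport in flows:
        by_src[src].append((t, dst, dport))
    profiles = {}
    for src, recs in by_src.items():
        times = sorted(t for t, _, _ in recs)
        span = max(times[-1] - times[0], 1)  # avoid division by zero
        profiles[src] = {
            "packets": len(recs),
            "rate_pps": len(recs) / span,
            "dst_entropy": entropy_bits(d for _, d, _ in recs),
            "dport_entropy": entropy_bits(p for _, _, p in recs),
            "top_port": Counter(p for _, _, p in recs).most_common(1)[0][0],
            "targets": {int(ipaddress.ip_address(d)) for _, d, _ in recs},
        }
    return profiles


def is_contiguous(addrs):
    s = sorted(addrs)
    return s[-1] - s[0] + 1 == len(s)


def jaccard(a, b):
    return len(a & b) / len(a | b)


def infer_orchestration(profiles, max_overlap=0.02, min_coverage=0.9):
    """Heuristic (an assumption of this example): sources that each sweep a
    contiguous block on a single port, with near-disjoint targets whose union
    contiguously covers most of DARK_NET, form one orchestrated group per port."""
    by_port = defaultdict(list)
    for src, p in profiles.items():
        if p["dport_entropy"] == 0.0 and is_contiguous(p["targets"]):
            by_port[p["top_port"]].append(src)
    groups = {}
    for port, srcs in by_port.items():
        if len(srcs) < 2:
            continue
        if any(jaccard(profiles[a]["targets"], profiles[b]["targets"]) > max_overlap
               for a, b in combinations(srcs, 2)):
            continue
        union = set().union(*(profiles[s]["targets"] for s in srcs))
        if is_contiguous(union) and len(union) >= min_coverage * DARK_NET.num_addresses:
            groups[port] = sorted(srcs, key=lambda s: min(profiles[s]["targets"]))
    return groups


if __name__ == "__main__":
    profiles = profile_sources(make_sample())
    for src, p in sorted(profiles.items()):
        print(f"{src:16} pkts={p['packets']:3} rate={p['rate_pps']:.4f}pps "
              f"H(dst)={p['dst_entropy']:.2f} H(dport)={p['dport_entropy']:.2f}")
    print("orchestrated groups by port:", infer_orchestration(profiles))
```

The point the example makes is that per-source thresholds alone would miss the three coordinated scanners: each sends well under 0.1 packets per second and touches only a third of the space, so only the relation between sources (disjoint, adjacent blocks on the same port) exposes the campaign, while the fast multi-port source is excluded because its port entropy is non-zero and its targets are scattered. Real darknet analysis has to cope with spoofing, backscatter and far larger address spaces, which this toy heuristic ignores.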

Keywords :
IP networks; Internet; computer network security; data mining; fuzzy set theory; information theory; invasive software; statistical analysis; telecommunication traffic; Internet traffic; coordination pattern; cyber attack; cyber threat intelligence; cyberspace; data mining methods; early cyber attack notification; early cyber attack warning; emergency response teams; fuzzy approaches; information theoretical metrics; large-scale orchestrated probing events; malicious activities; malicious real darknet data; malware traffic; network security analysts; orchestration pattern; routable unallocated IP addresses; signal techniques; statistical techniques; Conferences; IP networks; Internet; Malware; Probes;

Conference_Title :
Computer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on

Conference_Location :
Toronto, ON

DOI :
10.1109/INFCOMW.2014.6849283