Darknet Traffic Analysis by Using Source Host Classification

Transcription

1 Computer Security Sympium ober IP IP IP OS 4,96 IP 2 Darknet Traffic Analysis by Using Source Ht Classification Akira Saso Tatsuya Mori Shigeki Goto School of Fundamental Science and Engineering, Waseda University Okubo, Shinjuku-ku, Tokyo , JAPAN {saso,mori}@nsl.cs.waseda.ac.jp,goto@goto.info.waseda.ac.jp Abstract Since all the incoming unidirectional packets destined to Darknet do not consist of payload, information available from packet headers such as time stamp, source IP addresses, destination port numbers, and packet size are commonly used for Darknet traffic analysis. However, information obtained through IP address is limited. For instance, it is not an easy task to differenciate systematic port scans that arrive intermittently from the ones generated by new worm outbreaks. Based on the observation, this work aims to extend the information of source hts by using two techniques: traffic pattern extraction and OS finger printing. Throughe the analysis of Darknet traffic data that is collected from /2 size Darknet for two years, we report several case studies that sucessfully demonstrate the usefulness of our approach (darknet) [1, 2, 3, 4] IP

2 IP IP [1, 2] IP [1, 2] IP IP RIR Geo IP IP TCP ,96 IP 2 (nicter darknet 213 [5]) (1) (2) 3389/TCP 3389/TCP (3) 23/TCP 1 Linux (4) ios /2 ios Moore [1] 23 Slammer Network Telescope Network Telescope Slammer nicter [2]

3 1: ,667,825 2,64, ,575,737 1,288, ,189,234 54, ,173 5, ,796,95 18,69 8 6,562,386 6, ,95,674 56,38 113,1,88 7,564,19 2: IP ( ) Point visitor ( ) d(h) = 1, p(h) = 1 Single-shot (SS) d(h) = 1, p(h) 2 Multi-shot (MS) 2 d(h) 1 Low scanner (LS) 11 d(h) 485 Middle scanner (MS) 486 d(h) < 496 High scanner (HS) d(h) = 496 Full scanner (FS) [6] [3] IP IP Dainotti [4] IP 3: SS 3,764,871 3,764,871 MS 1,381, ,356 LS 9,428,829 2,267,45 MS 42,53, ,448 HS 8,335,668 1,737 FS 47,595,994 8,323 (Win32/Morto) Win32/Morto TCP 3 MWS 213 [7] nicter darknet dataset 213 [5] nicter darknet dataset nicter [2] pcap TCP SQL Remote Desktop Protocol (RDP) h IP d(h) p(h) d(h) p(h) IP FS SS FS.1

4 Nmap [8] IP SS 4 SS Internet Background Radiation (IBR) [9] IP SS 4.2 4: OS OS (TCP/IP stack) 24,688,827 2,989,658 Linux 2.4.x 9,5,473 2,159,861 Windows 7 or 8 2,96, ,1 Linux 2.6.x 6,993, ,625 UNKNOWN 58,946, ,2 Windows NT kernel 3,56, ,856 Linux 2.2.x-3.x 793, ,938 Linux 2.4.x-2.6.x 1,212,71 54,999 Nmap 2,485,664 45,332 Windows NT kernel 5.x 172,189 35,612 Linux 2.2.x-3.x (barebone) 94,342 33,439 Mac OS X 1.x 1,988 15,825 Linux 3.x 877,535 5,25 Linux 2.2.x-3.x (no timestamps) 212,287 2,965 ios iphone or ipad 99, Others 831,765 4,691 OS [1] OS TCP/IP OS TCP OS IDS OS pf [11] 3 2 OS Windows Linux 2.4.x UNKNOWN UNKNOWN pf pf OS TCP/IP UNKNOWN Mac OS X ios OS FS NS Morto SS SS LS

5 3e+5 3e+5 Number of packets 2e+5 1e+5 scan type full high low middle multi shot single shot Number of packets 2e+5 1e+5 Linux 2.4.x UNKNOWN Windows 7 or 8 e+ e+ 4 Number of unique hts 2 1 scan type full high low middle multi shot single shot Number of unique hts 3 2 Linux 2.4.x UNKNOWN Windows 7 or 8 1 1: ( ) ( ) 3: ( ) ( ) 75 Number of unique hts 5 25 Feb Mar May Jun Aug Sep Nov 2: SS Dec Morto 8 SS SS OS

6 7 1 Linux Morto Windows OS Linux UNKNOWN OS [12, 13] TCP/IP OS 6 Number of packets Number of unique hts Feb Mar May Jun Aug Sep Nov Dec no MSS Windows 7 or 8 no MSS Windows 7 or /TCP 3389/TCP Windows OS Morto Morto RDP 3389/TCP nicter Morto TCP SYN /TCP 8 Win32/Morto Windows OS SS Windows OS Morto IP Feb Mar May Jun Aug Sep Nov Dec 4: 3389/TCP ( ) ( ) ( ) [14] 3389/TCP Morto no MSS 3389/TCP FS Morto Windows no MSS pf SYN MSS OS MSS

7 Number of unique hts Feb Mar May Jun Aug Sep Nov Dec Linux 2.2.x 3.x Linux 2.4.x Linux 2.6.x UNKNOWN 5: 23/TCP SS MSS Nmap MSS MSS OS /TCP 3 Linux 23/TCP SS 5 SS 23/TCP Linux 23/TCP SANS [15] Linux IP Linux 23/TCP (telnet) 23/TCP 2 Linux OS Psybt [16] Honeypot OS 6.3 Apple Apple 6 Mac OS X ios Mac OS X ios ios 1 1 (4,96 /2 1 1 ) (1) ios (2) ios (3) ios ios ios 1 ios [17] ios

8 Number of packets Number of unique hts ios iphone or ipad Mac OS X 1.x ios iphone or ipad Mac OS X 1.x 6: Apple ( ) ( ) 7 4,96 2 [1] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver, Inside the slammer worm, Security & Privacy, IEEE, vol. 1, no. 4, pp , 23. [2] D. Inoue, M. Eto, K. Yhioka, S. Baba, K. Suzuki, J. Nakazato, K. Ohtaka, and K. Nakao, nicter: An incident analysis system toward binding network monitoring with malware analysis, in WOMBAT Workshop on Information Security Threats Data Collection and Sharing, pp , IEEE, 28. [3] A. Shimoda, T. Mori, and S. Goto, Extended darknet: Multi-dimensional internet threat monitoring system., IEICE Transactions, vol. 95-B, no. 6, pp ,. [4] A. Dainotti, R. Amman, E. Aben, and K. Claffy, Extracting benefit from harm: using malware pollution to analyze the impact of political and geophysical events on the Internet, ACM SIGCOMM Computer Communication Review (CCR), vol. 42, pp ,. [5] nicter darknet /files/nicterdarknet_Dataset_213.pdf. [6] nicterweb. [7], MWS Datasets 213. MWS iwsec.org/mws/213/, 213. [8] G. F. Lyon, Nmap Network Scanning: The Official Nmap Project Guide to Network Discovery and Security Scanning. USA: Insecure, 29. [9] E. Wustrow, M. Karir, M. Bailey, F. Jahanian, and G. Huston, Internet background radiation revisited, in Proceedings of the 1th ACM SIGCOMM conference on Internet measurement, IMC 1, (New York, NY, USA), pp , ACM, 21. [1] G. Taleck, Ambiguity Resolution via Passive OS Fingerprinting, in Recent Advances in Intrusion Detection, vol. 282, ch. 11, pp , 23. [11] pf. [12],,, and, TCP,, vol. 52, pp , jun. [13] T. Mori, H. Esquivel, A. Akella, A. Shimoda, and S. Goto, Understanding large-scale spamming botnets from internet edge sites, in Proc. of CEAS 21, 21. [14] G. Keizer, New Windows worm spreads by attacking weak passwords. s/article/ /new_windows_worm_spreads_by_ attacking_weak_passwords, Aug. [15] SANS Internet Storm Center, Port details: Port [16] Baume, Terry, Netcomm NB5 Botnet PSYBT 2.5L. info=exlink. [17] Zack Whittaker, WWDC 13: Apple keynote, by the numbers. wwdc-13-apple-keynote-by-the-numbers /