Multidimensional Investigation of Source Port 0 Probing

Similar documents
Overview of nicter - R&D project against Cyber Attacks in Japan -

Security activities in Japan towards the future standardization. Cybersecurity

Categories of Digital Investigation Analysis Techniques Based On The Computer History Model

A Functional Reference Model of Passive Network Origin Identification

A Time Series Approach for Inferring Orchestrated Probing Campaigns by Analyzing Darknet Traffic

Extracting Hidden Messages in Steganographic Images

Developing a New Digital Forensics Curriculum

A Correlation Method for Establishing Provenance of Timestamps in Digital Evidence

A Framework for Attack Patterns Discovery in Honeynet Data

System for the Proactive, Continuous, and Efficient Collection of Digital Forensic Evidence

Leveraging CybOX to Standardize Representation and Exchange of Digital Forensic Information

Unification of Digital Evidence from Disparate Sources

BinComp: A Stratified Approach to Compiler Provenance Attribution

Monitoring Access to Shared Memory-Mapped Files

CYBER ANALYTICS. Architecture Overview. Technical Brief. May 2016 novetta.com 2016, Novetta

A Novel Approach of Mining Write-Prints for Authorship Attribution in Forensics

It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security

Design Tradeoffs for Developing Fragmented Video Carving Tools

A Statistical Approach for Fingerprinting Probing Activities

Mapping Internet Sensors with Probe Response Attacks

Ranking Algorithms For Digital Forensic String Search Hits

Scanning. Course Learning Outcomes for Unit III. Reading Assignment. Unit Lesson UNIT III STUDY GUIDE

An Evaluation Platform for Forensic Memory Acquisition Software

Global DDoS Measurements. Jose Nazario, Ph.D. NSF CyberTrust Workshop

IPS with isensor sees, identifies and blocks more malicious traffic than other IPS solutions

Croatian National CERT ACDC project Darko Perhoc, Head of National CERT CISSP, CEH, CCNP Security R&S,CCDP

Intelligent and Secure Network

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Honeynets and Digital Forensics

Privacy-Preserving Forensics

On Criteria for Evaluating Similarity Digest Schemes

Fast and Evasive Attacks: Highlighting the Challenges Ahead

WHITE PAPER HIGH-FIDELITY THREAT INTELLIGENCE: UNDERSTANDING FALSE POSITIVES IN A MULTI-LAYER SECURITY STRATEGY

Developing the Sensor Capability in Cyber Security

DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

Corrigendum 3. Tender Number: 10/ dated

Rapid Forensic Imaging of Large Disks with Sifting Collectors

2nd SIG-NOC meeting and DDoS Mitigation Workshop Scrubbing Away DDOS Attacks. 9 th November 2015

Demystifying Service Discovery: Implementing an Internet-Wide Scanner

FloCon Netflow Collection and Analysis at a Tier 1 Internet Peering Point. San Diego, CA. Fred Stringer

Prolexic Attack Report Q4 2011

Mapping Internet Sensors with Probe Response Attacks

JPCERT/CC Internet Threat Monitoring Report [July 1, September 30, 2016]

Avoiding Information Overload: Automated Data Processing with n6

Fast Indexing Strategies for Robust Image Hashes

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Basic Concepts in Intrusion Detection

Synchronized Security

Black and White Lists

With turing you can: Identify, locate and mitigate the effects of botnets or other malware abusing your infrastructure

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

OUTSMART ADVANCED CYBER ATTACKS WITH AN INTELLIGENCE-DRIVEN SECURITY OPERATIONS CENTER

The Normalized Compression Distance as a File Fragment Classifier

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

The Interactive Guide to Protecting Your Election Website

Automating Security Response based on Internet Reputation

the Breakdown of Perimeter Defenses

RSA Web Threat Detection

3-4 DAEDALUS: Practical Alert System Based on Large-scale Darknet Monitoring for Protecting Live Networks

Endpoint Protection : Last line of defense?

Storage Efficient Capturing of Port Scanning Attack Traffic

From Correlation to Causation: Active Delay Injection for Service Dependency Detection

Network Intrusion Analysis (Hands on)

CYBERSPACE is the electronic world created by

Automated Identification of Installed Malicious Android Applications

Module 19 : Threats in Network What makes a Network Vulnerable?

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

Intrusion Detection - Snort

The GenCyber Program. By Chris Ralph

Designing Robustness and Resilience in Digital Investigation Laboratories

The following topics describe how to configure correlation policies and rules.

ECESSA / TRACKING DOWN MALICIOUS TRAFFIC

Cyber War Chronicles Stories from the Virtual Trenches

Network Security. Kitisak Jirawannakool Electronics Government Agency (public organisation)

Flow-Level Traffic Analysis of the Blaster and Sobig Worm Outbreaks in an Internet Backbone

Malware Research at SMU. Tom Chen SMU

plixer Scrutinizer Competitor Worksheet Visualization of Network Health Unauthorized application deployments Detect DNS communication tunnels

DNSSM: A Large Scale Passive DNS Security Monitoring Framework

Can Digital Evidence Endure the Test of Time?

Table of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1

Protecting Against Online Fraud. F5 EMEA Webinar August 2014

Identifying Spoofed Packets Origin using Hop Count Filtering and Defence Mechanisms against Spoofing Attacks

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

Cisco Firepower NGFW. Anticipate, block, and respond to threats

PALANTIR CYBERMESH INTRODUCTION

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

UTM 5000 WannaCry Technote

Detecting Specific Threats

May the (IBM) X-Force Be With You

IRONSCALES Federation Combines Human Intelligence with Machine Learning to Discover & Stop Spear-Phishing Attacks

Information Security Specialist. IPS effectiveness

Detecting Network Reconnaissance with the Cisco Cyber Threat Defense Solution 1.0

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

File Classification Using Sub-Sequence Kernels

Firewalls, Tunnels, and Network Intrusion Detection

Radware DefensePro DDoS Mitigation Release Notes Software Version Last Updated: December, 2017

CAT Detect: A Tool for Detecting Inconsistency in Computer Activity Timelines

Chapter 2 Malicious Networks for DDoS Attacks

Technical Brochure F-SECURE THREAT SHIELD

9. Security. Safeguard Engine. Safeguard Engine Settings

Transcription:

DIGITAL FORENSIC RESEARCH CONFERENCE Multidimensional Investigation of Source Port 0 Probing By Elias Bou-Harb, Nour-Eddine Lakhdari, Hamad Binsalleeh and Mourad Debbabi Presented At The Digital Forensic Research Conference DFRWS 2014 USA Denver, CO (Aug 3 rd - 6 th ) DFRWS is dedicated to the sharing of knowledge and ideas about digital forensics research. Ever since it organized the first open workshop devoted to digital forensics in 2001, DFRWS continues to bring academics and practitioners together in an informal environment. As a non-profit, volunteer organization, DFRWS sponsors technical working groups, annual conferences and challenges to help drive the direction of research and development. http:/dfrws.org

National Cyber-Forensics and Training Alliance CANADA MULTIDIMENSIONAL INVESTIGATION OF SOURCE PORT 0 PROBING Elias Bou-Harb, Nour-Eddine Lakhdari, Hamad Binsalleeh and Mourad Debbabi August 6, 2014 The 14 th Annual DFRWS Conference

2 Motivation

3 Motivation

Motivation 4! Attacks on cyber physical systems rose 52% in 2013! The surge of severe DDoS attacks

Motivation 5 Daily tens of thousands of threats (NCFTA Canada 2014)

Motivation 6! Probing: " Scan organizational networks or Internet wide services " Primary stage of an intrusion attempt " Facilitates more than 50% of cyber attacks! Large-scale orchestrated probing campaigns

The event 7! Traffic originating from TCP source port 0! Investigated on November 24th and 25th, 2014 Inferred & Validated by Internet Storm Center (ISC)

Objectives 8! Investigate the nature of such unprecedented increase of traffic originating from source port 0! Infer the maliciousness of the sources! Attribute the event to a certain malware infection

Approach 9 Darknet Analysis Passive DNS Correlation Malware Data Correlation

10 Darknet

11 Passive DNS

Approach 12 Darknet Analysis Passive DNS Correlation Malware Data Correlation # Traffic Extraction by filtering traffic that employs TCP source port 0 # Misconfiguration Filtering to exclude darknet noise # Traffic Fingerprinting to distinguish between probing and backscattered traffic # Traffic Clustering to reveal sources possessing similar traffic patterns # Behavioral Analytics to infer the strategies, natures and mechanisms of the sources

Traffic Fingerprinting Technique 13! Observation: " Probing techniques (TCP SYN, UDP, ACK, etc.) demonstrate a similar temporal correlation and similarity when generating their corresponding probing traffic

Traffic Fingerprinting Technique 14! Detrended Fluctuation Analysis (DFA) " To determine the statistical self-affinity of a signal " Excessively used in medicine, economy and geology " 2 works related to cyber security, none related to probing! The fluctuations are characterized by a scaling exponent α: - α < 0.5: anti-correlated - α 0.5: uncorrelated or white noise - α > 0.5: correlated - α 1: 1/f-noise or pink noise - α > 1: non-stationary, random walk like, unbounded - α 1.5: Brownian noise

15 Traffic Fingerprinting Technique

Traffic Fingerprinting Technique 16 Start Traffic Time Series St Algorithm 1 Starting Location DFA Probing Distributions Does St refer to probing Yes Inferred Probing Time Series Algorithm 2 Inferred Probing Technique No

Traffic Fingerprinting Technique 17 Start Traffic Time Series St Algorithm 1 Starting Location DFA Probing Distributions Does St refer to probing Yes Inferred Probing Time Series Algorithm 2 Inferred Probing Technique No

18 Traffic Clustering

Behavioral Analytics 19 Statistical, heuristical, entropy, fuzzy hashing techniques! Is the probing traffic random or does it follow a certain pattern?! How are the targets being probed?! What is the nature of the probing source?! Is the probing targeted or dispersed?

Darknet Inferences 20! Peak: " Generating more than 1 million packets " Similar traffic from other days is less than 1000 packets " 97% of traffic refer to probing activities! Overlapping observations by ISC and NCFTA: " The TTL of the packets changes with source IP address " Packets with a TCP header length of 0 or packets with odd flag combinations (i.e., URG, PSH, Reserved) " The packets arrival rate is slow, way far from DDoS levels " Xmas Tree-like probing in most TCP flags

Darknet Inferences: Probing Sources 21! Originating from! 27 unique sources! 17 countries! 24 ISPs! 25 organizations

Darknet Inferences: Probing Sources 22 IP concentration

Darknet Inferences: Targeted Ports 23! Port 0 from X.X.X.163, the sole German IP: 813 thousand packets/destinations! Port 445: 8952 packets! Port 22: 7080 packets! Port 3389: 5606 packets! > 60,000 ports from X.X.X.201, the sole Dutch IP

Darknet Inferences: Traffic Similarity 24! One cluster for the horizontal scan on port 0 from the German IP! Another cluster for the horizontal scan on > 60 thousand ports from the Dutch IP! Another cluster for probing on other ports such as 445, 22 and 3389! Last cluster represents misconfigurations/malformed packets

Darknet Inferences: Behavioral Analytics 25! Probing clusters 1 and 2:! random probing traffic as opposed to using patterns! sequential strategy! probing tool! Probing cluster 3:! pattern usage! permutation strategy! bots

Approach 26 Darknet Analysis Passive DNS Correlation Malware Data Correlation # Hosting capability to infer malicious domains affiliated with the sources # Intensity to detect accessibility and involvement # Aliveness to verify the effectiveness of the malicious domains

Passive DNS Inferences 27 # 513 to 110 thousand hosted domains per the probing IPs # 28% of the probing IPs are hosting blacklisted/malicious domains

Passive DNS Inferences 28 Half of the malicious domains could be attributed to malware activities

Passive DNS Inferences 29 # Some malicious domains are very effective; high access count and low active days # Domains with prolonged active days provide back-end services to others malicious activities

Approach 30 Darknet Analysis Passive DNS Correlation Malware Data Correlation # Machine infection to deduce malware samples that infect the sources # Malware Attribution to infer the malware samples that generate such traffic

Malware Inferences 31 Virus.Win32.Sality is the common factor

Summary 32! Traffic is indeed reconnaissance/probing activities originating from three different horizontal scans! 28% of the scanning sources host malicious/blacklisted domains as they are often used for spamming, phishing and other fraud activities! Bot probing sources (i.e., probing cluster 3) are infected by Virus.Win32.Sality

Outcome 33! Devised a generic approach that could be applied to analyze other cyber events with similar nature! Demonstrated the value added of employing! Databases of cyber security data (darknet, passive dns and malware)! Tools and APIs that can effectively utilize the data! Permitted prompt data analysis to support investigation of cyber events

Acknowledgement 34! Research members of the NCFTA Canada lab headed by Prof. Mourad Debbabi! Natural Sciences and Engineering Research Council of Canada (NSERC)

Questions Elias Bou-Harb Ph.D. Candidate Cyber Security R&D e_bouh@encs.concordia.ca

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback