Abstract
We use anonymized flow data collected from a 10Gbps backbone link to discover and analyze malicious flow patterns. Even though such data may be rather difficult to interpret, we show how to bootstrap our analysis with a set of malicious hosts to discover more obscure patterns. Our analysis spans from simple attribute aggregates (such as top IP and port numbers) to advanced temporal analysis of communication patterns between normal and malicious hosts. For example, we found some complex communication patterns that possibly lasted for over a week. Furthermore, several malicious hosts were active over the whole data collection period, despite being blacklisted. We also discuss the problems of working with anonymized data. Given that this type of privacy-sensitive backbone data would not be available for analysis without proper anonymization, we show that it can still offer many novel insights, valuable for both network researchers and practitioners.
This work is supported by the Swedish Civil Contingencies Agency (MSB) and SUNET. The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no 257007.
© 2012 Springer-Verlag Berlin Heidelberg
Cite this paper
Almgren, M., John, W. (2012). Tracking Malicious Hosts on a 10Gbps Backbone Link. In: Aura, T., Järvinen, K., Nyberg, K. (eds) Information Security Technology for Applications. NordSec 2010. Lecture Notes in Computer Science, vol 7127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27937-9_8
DOI: https://doi.org/10.1007/978-3-642-27937-9_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27936-2
Online ISBN: 978-3-642-27937-9
eBook Packages: Computer Science (R0)