Multidimensional investigation of source port 0 probing

Authors: Elias Bou-Harb, Nour-Eddine Lakhdari, Hamad Binsalleeh, Mourad Debbabi

DOI: 10.1016/J.DIIN.2014.05.012

Keywords:

Abstract: During November 2013, the operational cyber/network security community reported an unprecedented increase of traffic originating from source port 0. This event was deemed malicious, although its core aim and mechanism were obscure. This paper investigates that event using a multifaceted approach that leverages three real network security feeds we receive on a daily basis, namely darknet, passive DNS and malware data. The goal is to analyze the event from the perspective of each of those feeds in order to generate significant insights and inferences that could contribute to disclosing the inner details of the incident. The approach extracts and subsequently fingerprints the source port 0 traffic received by the darknet. By executing unsupervised machine learning techniques on the extracted traffic, we disclose clusters of activities that share similar machinery. Further, by employing a set of statistical-based behavioral analytics, we capture the mechanisms of those clusters, including their strategies and nature. We consequently correlate the probing sources with passive DNS data to investigate their maliciousness. Moreover, to examine whether the sources are malware-contaminated, we execute a correlation between the darknet and malware data feeds. The outcome reveals that the event is indeed reconnaissance/probing activity consisting of different horizontal scans utilizing packets with a TCP header length of 0 or with odd flag combinations. The results also demonstrate that 28% of the scanning sources host malicious/blacklisted domains that are often used for spamming, phishing and other fraud activities. Additionally, the outcome portrays a bot probing mechanism infected by 'Virus.Win32.Sality'. By correlating the various pieces of evidence, we confirm that this malware specimen is in fact responsible for part of the event. We believe this work is the first attempt to comprehend the machinery of this unique event and hope the community will consider it a building block for auxiliary analysis and investigation.
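The fingerprinting step described in the abstract, as an added example that is not taken from the paper: a small Python detector that parses raw TCP headers, marks source port 0, a data offset of 0 (the "TCP header length 0" the abstract refers to) and flag combinations no conforming stack emits, then groups the source port 0 packets per source and destination port so that a source reaching many distinct destinations on one port surfaces as a horizontal scan. The traffic records, addresses, flag-oddity rules and the threshold of three targets are constructed assumptions; they are not the paper's darknet data, nor its clustering or analytics method.

```python
import struct
from collections import defaultdict

TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_tcp_header(sport, dport, data_offset, flags):
    """Pack a minimal 20-byte TCP header; used only to build the constructed samples below."""
    off_flags = ((data_offset & 0xF) << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, off_flags, 65535, 0, 0)


def parse_tcp_header(raw):
    """Return source port, destination port, data offset (header length in 32-bit words) and flags."""
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    return {"sport": sport, "dport": dport, "data_offset": off_flags >> 12, "flags": off_flags & 0x1FF}


def is_odd_flags(flags):
    """Flag combinations a conforming stack never sends (typical of crafted scan packets).
    The rule set is an assumption for this example, not the paper's definition."""
    f = flags & 0x3F
    if f == 0:                                   # null scan: no flags at all
        return True
    if f & TCP_SYN and f & (TCP_FIN | TCP_RST):  # SYN together with FIN or RST
        return True
    if f & TCP_FIN and not f & TCP_ACK:          # FIN without ACK
        return True
    if f == 0x3F:                                # XMAS: every flag lit
        return True
    return False


def classify(hdr):
    """List the anomalies a single header exhibits."""
    reasons = []
    if hdr["sport"] == 0:
        reasons.append("sport0")
    if hdr["data_offset"] == 0:                  # valid headers have data_offset >= 5
        reasons.append("hlen0")
    if is_odd_flags(hdr["flags"]):
        reasons.append("oddflags")
    return reasons


def detect_horizontal_scans(records, min_targets=3):
    """Keep only source-port-0 packets and group them per (src, dport); a source
    reaching >= min_targets distinct destinations on one port is a horizontal scan.
    Returns {(src, dport): {"targets": n, "fingerprint": [...]}} for each such scan."""
    targets = defaultdict(set)
    marks = defaultdict(set)
    for src, dst, raw in records:
        hdr = parse_tcp_header(raw)
        reasons = classify(hdr)
        if "sport0" not in reasons:
            continue
        key = (src, hdr["dport"])
        targets[key].add(dst)
        marks[key].update(r for r in reasons if r != "sport0")
    return {k: {"targets": len(v), "fingerprint": sorted(marks[k])}
            for k, v in targets.items() if len(v) >= min_targets}


# Constructed sample traffic (assumed addresses, not from the paper's darknet feed):
SAMPLE = (
    # scanner 1: source port 0, header length 0, plain SYN, port 80 on five hosts
    [("198.51.100.7", f"192.0.2.{i}", build_tcp_header(0, 80, 0, TCP_SYN)) for i in range(1, 6)]
    # scanner 2: source port 0, normal header length, SYN+FIN, port 445 on four hosts
    + [("203.0.113.9", f"192.0.2.{i}", build_tcp_header(0, 445, 5, TCP_SYN | TCP_FIN)) for i in range(10, 14)]
    # a single stray source-port-0 packet: below the horizontal-scan threshold
    + [("203.0.113.50", "192.0.2.77", build_tcp_header(0, 22, 5, TCP_SYN))]
    # ordinary client traffic: ephemeral source port, SYN, one destination
    + [("203.0.113.20", "192.0.2.80", build_tcp_header(51234, 80, 5, TCP_SYN))]
)

if __name__ == "__main__":
    for (src, dport), info in detect_horizontal_scans(SAMPLE).items():
        print(f"{src} -> */{dport}: {info['targets']} targets, fingerprint={info['fingerprint']}")
```

The per-scan fingerprint (header length 0 versus odd flags) is what separates the two scanners here even though both share source port 0; on real darknet data the same per-source features would be the input to the clustering the abstract describes.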

References (32)
György Simon, Kuai Xu, Vipin Kumar, Zhi-Li Zhang, Yu Jin. Gray's Anatomy: Dissecting Scanning Activities Using IP Gray Space Analysis. USENIX Workshop on Tackling Computer Systems Problems with Machine Learning Techniques, 2007.
Paul C. van Oorschot, Evangelos Kranakis, David Whyte. DNS-based Detection of Scanning Worms in an Enterprise Network. Network and Distributed System Security Symposium, 2005.
David Moore, Colleen Shannon, Geoffrey M. Voelker, Stefan Savage. Network Telescopes. Technical Report, 2004.
Roberto Perdisci, David Dagon, Manos Antonakakis, Nick Feamster, Wenke Lee. Building a Dynamic Reputation System for DNS. USENIX Security Symposium, 2010.
Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, David Watson. The Internet Motion Sensor: A Distributed Blackhole Monitoring System. Network and Distributed System Security Symposium, 2005.
Roberto Perdisci, David Dagon, Yacin Nadji, Manos Antonakakis, Nikolaos Vasiloglou, Wenke Lee, Saeed Abu-Nimeh. From Throw-Away Traffic to Bots: Detecting the Rise of DGA-Based Malware. USENIX Security Symposium, 2012.
Jaeyeon Jung, V. Paxson, A. W. Berger, H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. IEEE Symposium on Security and Privacy, pp. 211-225, 2004. DOI: 10.1109/SECPRI.2004.1301325
Maria Konte, Nick Feamster, Jaeyeon Jung. Dynamics of Online Scam Hosting Infrastructure. Lecture Notes in Computer Science, pp. 219-228, 2009. DOI: 10.1007/978-3-642-00975-4_22
Masashi Eto, Kotaro Sonoda, Daisuke Inoue, Katsunari Yoshioka, Koji Nakao. A Proposal of Malware Distinction Method Based on Scan Patterns Using Spectrum Analysis. International Conference on Neural Information Processing, pp. 565-572, 2009. DOI: 10.1007/978-3-642-10684-2_63
Leyla Bilge, Engin Kirda, Christopher Kruegel, Marco Balduzzi. EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis. Network and Distributed System Security Symposium, 2011.