DUST 2012 - 1st International Workshop on Darkspace and UnSolicited Traffic Analysis : Talk Abstracts
|Nevil Brownlee (University of Auckland)||
Talk Title: iatmon
Talk Abstract: iatmon (Inter-Arrival Time Monitor) is a measurement and analysis tool that separates one-way traffic into clearly-defined subsets. Initially it implements two subsetting schemes; source types, based on flow characteristics; and inter-arrival-time (IAT) groups, that summarise source behaviour over time. iatmon uses 14 types and 10 groups, giving us a matrix of 140 source subsets, and allowing changes within the subsets to be clearly seen. We have used iatmon to produce hourly summaries of one-way traffic to the UCSD Network Telescope since 3 Jan 2011.
Nevil will also present some more recent work on one-way traffic reaching the U Auckland network; this is an active network with IPv6 as well as IPv4 traffic, and most of its traffic is two-way. Filtering out the two-way traffic has required careful study of how its flows behave, yielding some unexpected results.
|Casey Deccio (Sandia)||
Talk Title: Turning Down the Lights - Darknet Deployment Lessons Learned
Talk Abstract: Sandia has recently partnered with APNIC to announce the 2400::/12 IPv6 darknet to observe and learn more about activity in unallocated address space. In this talk we discuss the challenges and successes with enabling a darknet collector.
|Xenofontas Dimitropoulos (ETH Zürich)||
Talk Title: Classifying Internet One-way Traffic
Talk Abstract: Internet traffic includes a component of unproductive incessant noise resulting from scanning, backscatter, misconfigurations, etc., that is called Internet background radiation. Most previous work has studied background radiation to network telescopes, i.e., large unused IP address blocks that receive only background radiation. In this work, we study background radiation towards a large live network using a massive data-set of unsampled flow records that summarizes 5.23 petabytes of traffic collected between 2004 and 2010. We first observe that one-way traffic makes between 34% and 67% of the total number of flows. We then introduce heuristics for the challenging problem of classifying one-way traffic solely based on flow data into a set of useful classes, including the classes of unreachable services, peer-to-peer traffic, scanning, and backscatter. We validate our classifier and show that the particularly interesting class of unreachable services helps to timely detect important network outages that affected a large number of clients. In addition, we analyze the composition of one-way traffic and find that 80.2% and 58.6% of the one-way flows and packets, respectively, can be attributed to malicious causes. Finally, we observe that the fraction of scan flows in the total number of flows has decreased since 2006.
|Claude Fachkha (NCFTA Canada & Concordia University)||
Talk Title: Investigating the Darkspace: Profiling, Threat-Based Analysis and Correlation
Talk Abstract: In this talk, we elaborate on the capability of analyzing darknet traffic. Particularly, we analyze darknet packets distribution, its used transport, network and application layer protocols and pinpoint its resolved domain names. Furthermore, we identify its IP classes and destination ports as well as geo- locate its source countries. We further investigate darknet-triggered threats. Finally, we contribute by exploring the inter-correlation of such threats, by applying association rule mining techniques, to build threat association rules. Specifically, we generate threat patterns or clusters of threats that co-occur targeting a specific victim. This provides insights about threat patterns and allows the interpretation of threat scenarios.
|Geoff Huston (APNIC)||
Talk Title: The IPv6 Dark Space
Talk Abstract: This is a report on a long term dark traffic gathering exercise undertaken in IPv6 using a /12 as a collection point, conducted over 6 months in 2011.
|Manish Karir (DHS)||
Talk Title: Spatial and Longitudinal Darknet Datasets
Talk Abstract: The goal of this talk is describe some of the large spatial and longitudinal darknet dataset that are part of the PREDICT dataset repository. The talk will describe these datasets at a very high level as well as describe some examples of interesting research that has been performed using these datasets.
|Erin Kenneally (CAIDA)||
Talk Title: Illuminating the way for Trusted Darkspace Data Sharing
Talk Abstract: The decision to share darkspace network data is ultimately anchored by trust in the data recipient, the interpretation of current policies, and the disclosure controls used to enforce those policies. Would-be data publishers have a relatively weak understanding of these individual issues and their interplay, particularly in the context of computer network data. Consequently, there is a lack of trust in the data sharing process and an overly defensive posture that precludes all but the most restrictive forms of sharing. Work is underway to develop a reference framework that helps data publishers understand and reason about these issues, thereby enabling risk-sensitive data sharing that considers both legal constraints and utility needs. This discussion will revolve around the elements and dynamics needed for a comprehensive framework that can generalize across a wide range of data sharing scenarios.
|John McHugh (RedJack, LLC)||
Talk Title: Dust between the stars: (adventures with a small telescope)
Talk Abstract: Darkspace comes in a number of flavors. The best known are the large blocks of unallocated or unused address space such as those monitored by Caida, Wisconson, and others. These are considered particularly interesting because they should never (well hardly ever) be the destination for legitimate traffic. The US DoD owns a considerable amount of this kind of dark space, but the difficulties involved in accessing it have prevented consistent, long term monitoring. There is another flavor of darkspces that is much more common, but not well studied. This is the space between addresses in sparsely occupied networks. One would expect this dark space to be qualitatively and quantitatively different from completely unoccupied dark spaces for several reasons: * The space is known to be allocated and in use. This should result in a higher rate of deliberate, systematic scanning than might be expected in space believed to be unoccupied. * Even when addresses go out of use, a residue of activity involving the address is to be expected. * Small errors in addressing may result in probes into the space. For 14 months between February 2005 and March 2006, I had access to the traffic at the border of a /22 belonging to a no longer existing research organization in Halifax, NS. Over this period, only about a hundred addresses were ever occupied (as indicated by outbound traffic observed at the border). Some of these addresses were active for only brief periods, but have been excluded from the analysis. The remainder, about 900 addresses, can be considered as a small dark space. As part of a study of very low frequency (fewer that 10 source flows per outside IP address during the observation period) performed for the Canadian Security Establishment (CSE), I studied this traffic. The presentation will discuss the general characteristics of the data, contrasting the dark and light space characteristics. Of particular interest are transient hotspots where a specific darkspace address became a target for connection attempts on a specific port for a limited period of time only to fade back into obscurity later.
|David Plonka (University of Wisconsin - Madison)||Talk Title: A Rendevous-based Paradigm for Analysis of Solicited and Unsolicited Traffic
Talk Abstract: This talk will present our Rendezvous-based traffic analysis paradigm, the premise of which is that the method and means by which an Internethost rendezvouses with peer hosts, prior to exchanging traffic, isuseful to profile hosts and classify subsequent traffic. Indeed, a key reason why darkspace monitoring is interesting, is that onegenerally assumes that traffic destined for darkspace is unsolicited passively solicited, and thus a suspect rendezvous method is being employed by the source host; traffic observed in darkspace often employs and algorthmic or perhaps static rendeszous method, e.g., for random destination address selection or peer addressmisconfiguration, repsectively.
Generalized rendezvous-based analysis offers opportunities in situations when other methods fail, i.e., when payloads are encrypted for privacy, obfuscated for deception, or unavailable due to monitoring limitiations such as packet sampling.
|Markus De Shon (Google)||
Talk Title: A traffic study to interleaved darkspace
Talk Abstract: While most organizations do not have large contiguous dark IPv4 allocations, they do have unused IP spaces within their allocated space. Further, most organizations collect at most sampled network flow. This work explores the utility of sampled network flow data for traffic to interleaved dark IP space.
|Brian Trammell (ETH Zürich)||
Talk Title: An Architectural Approach to Inter-domain Measurement Data Sharing
Talk Abstract: The FP7-DEMONS project is developing an system and an architecture for inter-domain cooperative data analysis, with applications both to operational network security scenarios as well as to research. We believe our approach may have some applicability or inspiration for darkspace monitoring efforts, as well. Our general approach recognizes that sharing of raw data is fraught with peril, both with respect to fundamental risk to network end-user privacy as well as to regulatory and legal frameworks. Therefore, we seek to share analysis, not data, within controlled consortia governed by a general agreement. On the technical side, we support this by (1) moving as much data analysis as possible as close as possible to the measurement edge; (2) emphasizing stream processing over retrospective analysis, under the assumption that the phenomena of interest are continuous; (3) providing a composable measurement system coupled with a defined vocabulary of building blocks for data capture and analysis about which access control decisions can be made; and (4) providing interfaces for inter-domain exchange of queries and intermediate results. The talk will present an introduction to the architecture and the composable measurement system, and a few reflections on how these could be applied to cooperative darkspace monitoring efforts.
|Joanne Treurniet (Defence R&D Canada)||
Talk Title: Classifying Activities in IP Traffic
Talk Abstract: Based on "A Network Activity Classification Schema and Its Application to Scan Detection", this talk will describe the classification method and the results obtained on a 4 x class B address space. Sessions are created using models of the behaviour of packet-level data between host pairs, and activities are identified by grouping sessions based on patterns in the type of session, the IP addresses, and the ports. In a 24-h data set of nearly 10 million incoming sessions, 78% were identified as scan probes. Of the scans, 80% were slower than basic detection methods can identify, many of which are likely the result of worm propagation.
|Shouhuai Xu (University of Texas at San Antonio)||
Talk Title: Toward a statistical framework for using darkspace-based unsolicited traffic to infer cyber threats
Talk Abstract: Darkspace-based unsolicited traffic contains useful information about cyber threats such as the population of compromised/malicious computers in the wild. The problem is: How can we extract such information in a principled fashion? This motivates us to propose and investigate a novel statistical framework, by which we can answer basic questions such as:
This is a work-in-progress, but we have made substantial progress in the modeling part (as such, it may become a reasonably mature work at the meeting time). We will use some darkspace data, which we fortunately have access to, to demonstrate the ideas and/or validate the analytic results.
|Eric Ziegast (ISC)||
Talk Title: Methods for collecting and disseminating darknet data
|Tanja Zseby (CAIDA)||
Talk Title: Comparable Metrics for IP Darkspace Analysis
Talk Abstract: Darkspace analysis ranges from the simple observation of packet counters, analysis on transport headers up to detailed payload inspection. In my talk I look at metrics that are suitable for comparing darkspace data from different sources and for sharing results among distributed darkspace monitors. I will show some early results from analyzing entropy in darkspace and discuss benefits and challenges.