Publication


Featured research published by Masato Terada.


availability, reliability and security | 2010

Heuristics for Detecting Botnet Coordinated Attacks

Kazuya Kuwabara; Hiroaki Kikuchi; Masato Terada; Masashi Fujiwara

This paper studies the analysis of the Cyber Clean Center (CCC) Data Set 2009, consisting of raw packets captured by more than 90 independent honeypots, in order to detect the behavior of downloads and port-scans. The analyses show some new features of the coordinated attacks performed by botnets, e.g., some particular strings contained in packets when downloading malware, and the common patterns in downloading malware from distributed servers. Based on the analysis, the paper proposes heuristic techniques for detecting malware delivered by botnet coordinated attacks and reports the accuracy of the proposed heuristics. The detection process is automated in the proposed decision tree consisting of statistics such as the number of total inbound packets and the average rate of downloading malware.


systems, man and cybernetics | 2010

A discovery of sequential attack patterns of malware in botnets

Nur Rohman Rosyid; Masayuki Ohrui; Hiroaki Kikuchi; Pitikhate Sooraksa; Masato Terada

More than 90 independent honeypots have observed malware traffic at the Japanese tier-1 backbone. Typical attacks were made by multiple servers, coordinating to send many kinds of malware. This paper aims to discover some frequent new sequential attack patterns of malware. It is not easy to identify particular patterns in one year of logs because the volume of the dataset is too large to investigate one by one. To overcome the problem, this paper proposes a data mining algorithm, the PrefixSpan method. We implement the PrefixSpan algorithm to analyze the malware footprints and show the experimental result. The result of the analysis shows that the attacks are performed by multiple sequential attack patterns within a short amount of time.


network-based information systems | 2010

Mining Association Rules Consisting of Download Servers from Distributed Honeypot Observation

Masayuki Ohrui; Hiroaki Kikuchi; Masato Terada

This paper aims to find interesting association rules, a known data mining technique, in the dataset of downloading logs by focusing on the coordinated activity among downloading servers. The result of the analysis shows the association rules of the downloading servers and those of the malware.


Lecture Notes in Computer Science | 1997

Access Control for Inter-Organizational Computer Network Environment

Masato Terada; Yuko Murayama; Glenn Mansfield

The Internet has evolved into an interconnection of networks on an organizational basis from the early stages where the interconnection was primarily on a network basis. The original protocol architecture, which essentially sought ubiquitous connectivity, has little scope for incorporating access control, a feature for which the demand increases with connectivity. In this work, we have taken up this issue. We have examined how one can provide a transparent network, while preserving security of organizations by implementing and maintaining strict access control using firewalls.


advanced information networking and applications | 2008

Automated Classification of Port-Scans from Distributed Sensors

Hiroaki Kikuchi; Naoya Fukuno; Tomohiro Kobori; Masato Terada; Tangtisanon Pikulkaew

Computer worms randomly perform port-scans to find vulnerable hosts to intrude over the Internet. Malicious software varies its port-scan strategy, e.g., some hosts intensively perform scans on a particular target and some hosts scan uniformly over IP address blocks. In this paper, we propose a new automated worm classification scheme from distributed observations. Our proposed scheme can detect some statistics of worm behavior with a simple decision tree consisting of some nodes to classify source addresses with optimal threshold values. The choice of thresholds is automated to minimize the entropy gain of classification. Once a tree is constructed, the classification can be done very quickly and accurately. In this paper, we analyze a set of source addresses observed by the distributed sensors in ISDAS observed with 30 sensors in one year in order to clarify a primary statistics of worms. Based on the statistical characteristics, we present the proposed classification and show the performance of the proposed scheme.


international conference on information technology and electrical engineering | 2013

Clustering Top-10 malware/bots based on download behavior

Chaxiong Yukonhiatou; Surin Kittitornkun; Hiroaki Kikuchi; Khamphao Sisaat; Masato Terada; Hiroshi Ishii

Malware can be spread over the Internet to victim computers, especially via download mechanisms. This work tries to cluster the download behavior of the Top-10 malware/bots based on the 2010 and 2011 CCC (Cyber Clean Center) datasets. The datasets contain more than one million download logs collected from several independent honeypots in Japan to observe malware/bot traffic and activities. Although the daily and hourly patterns are quite similar in 2010, those of 2011 are quite different. As a result, the proposed Integral Correlation Coefficient can cluster 3 and 4 groups of Top-10 malware/bots in 2010 and 2011, respectively.


network-based information systems | 2011

Apriori-PrefixSpan Hybrid Approach for Automated Detection of Botnet Coordinated Attacks

Masayuki Ohrui; Hiroaki Kikuchi; Masato Terada; Nur Rohman Rosyid

This paper aims to detect features of coordinated attacks by applying data mining techniques, Apriori and PrefixSpan, to the CCC DATA set 2008-2010, which consists of the captured packet data and the downloading logs. Data mining algorithms allow us to automate detecting characteristics from a large amount of data, to which the conventional heuristics could not be applied. Apriori achieves high recall but with false positives, while PrefixSpan has high precision but low recall. Hence, we propose hybridizing these algorithms. Our analysis shows the change in behavior of malware over the past 3 years.


Journal of Information Processing | 2011

Principal Component Analysis of Botnet Takeover

Hiroaki Kikuchi; Shuji Matsuo; Masato Terada

A botnet is a network of compromised computers infected with malware that is controlled remotely via public communications media. Many attempts at botnet detection have been made including heuristics analyses of traffic. In this study, we propose a new method for identifying independent botnets in the CCC Dataset 2009, the log of download servers observed by distributed honeypots, by applying the technique of Principal Component Analysis. Our main results include distinguishing four independent botnets when a year is divided into five phases.


network-based information systems | 2009

Orthogonal Expansion of Port-scanning Packets

Hiroaki Kikuchi; Tomohiro Kobori; Masato Terada

Observation of port-scan packets over the Internet involves many parameters, including time, port numbers, and source and destination addresses. There are some common port numbers that many malicious codes are likely to scan, but the relationship between port numbers and the malicious codes is not clearly identified. In this paper, we propose a new attempt to figure out characteristics of port-scans observed from many distributed sensors. Our method allows 1) analysis of sensors with few significant factors extracted from an orthogonal expansion of port-scan packets, rather than taking care of all possible statistics of port numbers, 2) compression of packet data, computed by linear combination of a limited number of orthogonal factors, and 3) approximation of the number of scanning packets at arbitrarily specified sensors and ports, made from statistical correlation between port numbers. We also evaluate the accuracy of our proposed approximation algorithm based on actually observed packets.


workshop on information security applications | 2006

How many malicious scanners are in the internet

Hiroaki Kikuchi; Masato Terada

Given multiple independent access logs, we try to identify how many malicious hosts are in the Internet. Our model of the number of malicious hosts is formalized as a function taking two inputs, a duration of sensing and a number of sensors. Under some assumptions for simplifying our model, by fitting the function to the experimental data observed for three sensors in 13 weeks, we identify the size of the set of malicious hosts and the average number of scans they perform routinely. The main results of our study are as follows: the total number of malicious hosts that periodically perform port-scans is from 4,900 to 96,000, the malicious host density is about 1 out of 15,000 hosts, and an average malicious host performs 78 port-scans per second.

Collaboration


Dive into Masato Terada's collaboration.

Top Co-Authors

Khamphao Sisaat

King Mongkut's Institute of Technology Ladkrabang

Surin Kittitornkun

King Mongkut's Institute of Technology Ladkrabang
