Collaborative Distributed Darknet Analysis

  • Ayesha A. AlHosani

Student thesis: Master's Thesis

Abstract

The Internet has become highly integrated into every aspect of our personal and professional lives. It has become highly intertwined with our national critical infrastructure through government online services, online banking, etc. With the great efficiency of the Internet come great risks. Cyberattacks nowadays can have a devastating impact on Internet-connected resources. Billions of dollars are being spent each year as a result of the various cyberattacks that appear on the Internet. Through gaining cyber intelligence about the threats infecting the Internet, one can detect and mitigate these threats. One of the most valuable sources of cyber intelligence is to deploy Darknet Network Telescopes. These are servers configured to trap attackers and collect suspicious data by passively monitoring the unused address space. Within this unused address space, or what is called the Internet Background Radiation (IBR), lies a huge volume of traffic that carries within it a great deal of insights and indicators towards threat detection. Deploying more of these darknet sensors and using a centralized analysis system for collaborative analysis enables the detection, characterization, and understanding of the behavior of anomalies on the Internet. We have deployed a darknet sensor in Khalifa University that collects the traffic destined to the list of unused IP addresses within the KU network. We have analyzed the collected traffic, including identification of the top sources and top protocols. Additionally, we have identified the scanning/probing activities within the traffic. This analysis was then expanded to include traffic collected by another darknet sensor deployed in another institution. Collaborative analysis using both datasets was performed, which included comparing the traffic size, finding the intersection between traffic sources, and identifying the top sources.
The results showed that the two sensors are observing different traffic from different sources and that some of the top sources are behind scanning activities. Then, based on the real traffic evidence collected and analyzed, we have proposed a compatible attack scenario that can be used for testing and teaching purposes. The scenario is based on the security flaws of NAT (Network Address Translation) and shows how the traffic observed can be a reconnaissance attempt as part of the proposed attack scenario.
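The per-sensor analysis the abstract describes (top sources, top protocols, scanning/probing detection) and the collaborative step (traffic size comparison, intersection of sources across sensors) can be reproduced on flow records. The following is an added illustration, not code from the thesis; the sensor names, addresses and packet records are constructed placeholders, and the scanner heuristic (a source touching at least three distinct destination/port pairs) is an assumed threshold:

```python
from collections import Counter, defaultdict

# Constructed darknet packet records: (sensor, src_ip, proto, dst_ip, dst_port).
# Sensor labels and addresses are placeholders, not values observed in the thesis.
RECORDS = [
    ("KU",    "203.0.113.5",  "tcp",  "10.9.0.10", 23),
    ("KU",    "203.0.113.5",  "tcp",  "10.9.0.11", 23),
    ("KU",    "203.0.113.5",  "tcp",  "10.9.0.12", 23),
    ("KU",    "203.0.113.5",  "tcp",  "10.9.0.13", 2323),
    ("KU",    "198.51.100.9", "udp",  "10.9.0.10", 5060),
    ("KU",    "198.51.100.9", "udp",  "10.9.0.10", 5060),
    ("KU",    "192.0.2.44",   "icmp", "10.9.0.20", 0),
    ("OTHER", "203.0.113.5",  "tcp",  "10.8.0.5",  23),
    ("OTHER", "203.0.113.5",  "tcp",  "10.8.0.6",  23),
    ("OTHER", "203.0.113.5",  "tcp",  "10.8.0.7",  23),
    ("OTHER", "192.0.2.77",   "tcp",  "10.8.0.5",  445),
    ("OTHER", "192.0.2.77",   "tcp",  "10.8.0.5",  445),
    ("OTHER", "192.0.2.77",   "tcp",  "10.8.0.5",  445),
]

def by_sensor(records, sensor):
    return [r for r in records if r[0] == sensor]

def top_sources(records, n=3):
    """Most active source IPs by packet count (volume, not intent)."""
    return Counter(r[1] for r in records).most_common(n)

def top_protocols(records, n=3):
    return Counter(r[2] for r in records).most_common(n)

def scanners(records, min_targets=3):
    """Sources that touched at least min_targets distinct (dst_ip, dst_port)
    pairs; covers horizontal (many hosts, one port) and vertical (one host,
    many ports) probing alike. A noisy source hitting one target repeatedly
    ranks high in top_sources but is not flagged here."""
    targets = defaultdict(set)
    for _, src, _, dst, port in records:
        targets[src].add((dst, port))
    return sorted(src for src, t in targets.items() if len(t) >= min_targets)

def collaborative_summary(records, sensor_a, sensor_b):
    """Cross-sensor view: traffic size per sensor, sources seen by both,
    and sources flagged as scanners by both sensors independently."""
    a, b = by_sensor(records, sensor_a), by_sensor(records, sensor_b)
    src_a, src_b = {r[1] for r in a}, {r[1] for r in b}
    return {
        "size": {sensor_a: len(a), sensor_b: len(b)},
        "shared_sources": sorted(src_a & src_b),
        "shared_scanners": sorted(set(scanners(a)) & set(scanners(b))),
    }
```

On this sample the two sensors see mostly disjoint sources, and the one shared source is a scanner on both, which is the kind of evidence the abstract uses to tie top sources to scanning activity.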
Date of Award: Jun 2017
Original language: American English
Supervisor: Hadi Otrok (Supervisor)

Keywords

  • Darknet
  • Network Telescope
  • Cyber Intelligence
  • Collaborative Analysis
  • NAT
