۱- Introduction

۲- Association Rule Learning for Darknet Traffic Data

۳- Darknet Analysis for Scan Attacks Using Association Rule Learning

۴- Conclusions

References

Abstract

In this paper, we report an interesting observation of the darknet traffic before the source code of IoT malware Mirai was first opened on September 7th 2016. In our darknet analysis, the frequent pattern mining and the association rule learning were performed to a large set of TCP SYN packets collected from July 1st 2016 to September 15th 2016 with the NICT/16 darknet sensor. The number of collected packets is 1,840,973,403 packets in total which were sent from 17,928,006 unique hosts. In this study, we focus on the frequently appeared combinations of “window sizes” in TCP headers. We successfully extracted a certain number of frequent patters and association rules on window sizes, and we specified source hosts that sent out SYN packets matched with either of the extracted rules. In addition, we show that almost all such hosts sent SYN packets satisfying the three conditions known from the source code of Mirai. Such hosts started their scan activities from August 2nd 2016, and ended on September 4th 2016 (i.e., 3 days before the source code was opened).

Introduction

Information technologies (IT) have brought drastic changes in our life and many people have enjoyed new benefits on the Internet. In recent years, in addition to this IT revolution, the great progress of the Internet of Things (IoT), where various services and devices are connected to the network, is about to bring us further revolution. However, along with sophistication of IT and IoT systems, cyberattacks exploiting new system vulnerabilities are becoming serious these days. In particular, the impact of a recent IoT malware Mirai was enormous. Mirai is a worm-type malware that finds an IoT device with similar vulnerability for self-replication. An attacker manipulates a number of IoT devices infected with Mirai as bots and uses this to conduct a Distributed Denial of Service (DDoS) attack by seeding a large number of packets to target hosts. In order to deal with such a large-scale intelligent cyberattack promptly, it is necessary to construct a mechanism that is capable of observing cyberattacks occurring on the Internet with a wide view. For this purpose, the use of the darknet, known as network telescope, has been studied for many years [1]. Darknet is an unused address space. It is considered that no communication occurs because there is no computer installed in the darknet, but many packets are arriving in reality. These packets are mainly caused by scan activity or backscatter of reply packets from hosts targeted by DDoS attack; thus, it can be considered that packet observed in the darknet is generated by malwares. Therefore, through the analysis of Darknet packets, it is possible to observe a part of cyberattacks on the Internet. In this research, we analyze the behavior of scan attacks from packets observed in Darknet. In particular, we focus on TCP SYN packets characterizing scan attacks and aim to find statistical features in the TCP headers of those packets. For this purpose, we apply the association rule learning to SYN packets and discuss the dynamic features of malware performing scan attacks. As for the destination port information, there have been reported several prior works analyzing SYN packets. Ban et al. [1] and some researchers [2, 3] applied the association rule learning to destination port numbers of SYN packets, and they discovered several association rules related to Carna botnet and other malwares. These rules are currently used as a signature when performing network scan. In this work, we focus on different header information such as window size instead of destination port.