An Analysis on Distribution of Malicious Packets and Threats over the Internet




Masaki Ishiguro, Mitsubishi Research Institute, 3-6 Otemachi 2-Chome, Chiyoda-ku, Tokyo, Japan, masa@mri.co.jp
Shigeki Goto, Waseda University, 3-4- Okubo, Shinjuku-ku, Tokyo, Japan
Ichiro Murase, Mitsubishi Research Institute, 3-6 Otemachi 2-Chome, Chiyoda-ku, Tokyo, Japan
Hironobu Suzuki, Waseda University, 3-4- Okubo, Shinjuku-ku, Tokyo, Japan

ABSTRACT
Internet worms pose a great threat to computer systems connected to the Internet. Malicious packets sent by Internet worms or by port-scan activity can be captured by monitoring the ports of IP addresses at which no network service is provided. We present an analysis of the distribution of malicious packets over the Internet and an evaluation of Internet threats. Several methods have been proposed for detecting threats over the Internet by monitoring malicious packets. Most of them apply statistical methods to the time-series frequencies of malicious packets. We propose a method for evaluating threats on the Internet based on the graph defined by the sources and destinations of the monitored malicious packets. To evaluate threats, we formulate two relationships between the threat posed by worms and the vulnerability of the ports of network services, and solve an eigenvalue problem to derive threat levels for network ports. We applied our method to working examples monitored during worm outbreaks to show its effectiveness.

Categories and Subject Descriptors: C.2.3 [Computer-Communication Networks]: Network Operations, Network Monitoring
General Terms: Measurement
Keywords: Internet Monitoring, Computer Worms, Internet Threat, Malicious Packets

1. INTRODUCTION
In recent years, threats caused by Internet worms have been increasing. Malicious packets sent by activities such as Internet worm infection, DDoS attacks, or port scans can be monitored on the Internet.
Internet monitoring systems observe these malicious packets in order to detect threats over the Internet. While an Intrusion Detection System (IDS) monitors the local network to detect intrusions or misuse, an Internet monitoring system monitors a number of IP addresses on the Internet, outside any local network. Several threat detection methods have been proposed, based either on statistical methods applied to the time-series frequencies of malicious packets or on the extraction of characteristic access patterns. In this paper, we present an analysis of the distribution of the source addresses of malicious packets, and then a threat evaluation method based on the spatial structure of the graph formed by the sources and destinations of the monitored packets. To quantify the level of threat in the Internet, we solve an eigenvalue problem on the graph of malicious packets, following the Google PageRank method[7].

The remainder of this paper is organized as follows. We describe related work in Section 2. Section 3 presents the Internet monitoring system. Section 4 presents an analysis of the distribution of malicious packets. We propose the threat evaluation method in Section 5 and present experimental results in Section 6. Finally, we summarize our results and future work in Section 7.

2. RELATED WORK
Internet monitoring systems for threat detection fall into two categories. The first kind records every packet without sending any response, which is called passive monitoring; the other responds to received packets to some extent in order to observe the sender's actions, which is called active monitoring. The former includes the CAIDA network telescope[6], the Internet Storm Center[11], the Internet Motion Sensor[14], JPCERT/CC ISDAS[4], WCLSCAN[3], and DShield[1]. The latter includes the work by Princeton University[8] and the honeypots of the Honeynet Project[9].

Most threat detection methods are based on statistical analysis of the time-series frequencies of the packets monitored on an individual network port. Thottan proposed an auto-regression model that learns and predicts the change of time-series packet frequencies and applies a statistical test to detect threats in the Internet[13]. Ishiguro proposed a detection method based on Bayesian estimation of the deviation between the time-series frequencies and their trend[3]. Zou proposed a method for detecting the evolution of Internet worm activity based on the infection model of epidemiology and a Kalman filter[15]. Telecom-ISAC Japan is working on the extraction of characteristic access patterns based on the correlation of the source and destination information of monitored packets. In the area of active monitoring, Schechter et al. evaluate the likelihood of worm infection by monitoring the failure or success of TCP connections[12], and Kompella et al. proposed using the difference between the numbers of observed SYN and FIN packets[5]. All of these methods focus on the number of monitored packets rather than on the structure of the graph formed by the monitored packets. This paper proposes a new method that takes the structure of that graph into account.

3. INTERNET MONITORING SYSTEM
Our threat evaluation method uses packet information such as access time, packet source and packet destination, monitored by a passive Internet monitoring system. We define the packets monitored at IP addresses at which no network service is given to be malicious packets, because no legitimate packet for a normal network service would arrive at such an IP address. These malicious packets include worm infection activity, DDoS backscatter, port scans, etc. The data analyzed by our threat evaluation method are summarized in Table 1.

Table 1: Monitoring data
  Access time (date, time)
  Protocol type (TCP, UDP, ICMP)
  Source IP address
  Source port number
  Destination IP address
  Destination port number
Figure 1 shows the structure of our Internet monitoring system. The system consists of multiple sensors, a log data server, and a threat detector/visualizer. The sensors are deployed at several IP addresses and capture arriving packets. The information on the packets captured at the sensors is transferred to the log data server over a secure (encrypted) channel. The threat detector/visualizer analyzes the monitored packet data and detects threats in the Internet.

Figure 1: Internet monitoring system (Internet: worm infection, DoS backscatter, random malicious port access; several Sensors; encrypted data to the Log Data Server (SQL); Threat Detector/Visualizer).

4. DISTRIBUTION OF MALICIOUS PACKETS
Internet worms use several infection strategies. Rajab showed that local-preference strategies, which scan addresses in the local network (e.g. the same /16) with higher probability, are more efficient than uniform-random IP address scanning[10]. We present an analysis of the distribution of the source IP addresses of malicious packets in order to capture the characteristics of worm infection activity.

4.1 Distance Distribution of Source Addresses
We measured the ratio of packets for every distance between source and destination. Figure 2 shows the complementary distribution of packets for each protocol for the data of April 2005. The vertical axis shows the ratio of packets and the horizontal axis shows the distance between source and destination IP address in bits. The distance is the number of leading bits that the source and destination addresses have in common: the longer the common prefix, the closer the source is to the sensor.

Figure 2: Packet ratio by bit distance (protocols). Plots: TCP, UDP, ICMP, No DoS Backscatter, Random; horizontal axis: common prefix of source and destination IP address in bits (0 to 32); vertical axis: ratio of packets.

The plots labeled TCP, UDP and ICMP are the complementary distributions of the packets of each protocol. No DoS Backscatter is the complementary distribution of the packets whose source ports are not well-known ports. Packets from well-known source ports are considered backscatter of DoS attacks, since they are typically the responses to DoS attack packets sent to a well-known service with spoofed source IP addresses. The plot labeled Random is the theoretical complementary distribution for packets sent uniformly at random from every source address. The TCP, UDP and ICMP plots lie above Random, which means that the sources of the monitored packets are biased toward a short distance from the destination compared with a uniform-random distribution. We observed the same tendency in the data of other periods. We investigated the tendency of these three distributions for various periods and sensors and found that the distributions are stable over time for each sensor but differ from sensor to sensor, as in Figures 5 and 6.

An increase in the number of source addresses of monitored packets may indicate the spreading of a worm. Therefore we may be able to evaluate a threat by measuring the growth of the distribution of source addresses, for example with its information entropy. In the following section we extend this idea from the distribution of source addresses to the relation between source and destination addresses in order to evaluate threats in the Internet.

Figure 3 shows the complementary distributions for the destination ports 135/TCP, 445/TCP and 1433/TCP for the same period of data; the plot labeled Random is the same as before. This graph also shows that the sources of these packets are biased toward a short distance compared with a uniform-random distribution.

Figure 3: Packet ratio by bit distance (ports). Plots: port 135/TCP, port 445/TCP, port 1433/TCP, Random; horizontal axis: common prefix in bits (0 to 32); vertical axis: ratio of packets.

Figure 4: Distribution in 1st, 2nd octet space (Sensor 2).

The bias of the distribution can be explained by the local-preference infection strategies of worms such as CodeRed, Nimda and Sasser, as explained in [2].
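The bit-distance measurement of Section 4.1 and its uniform-random reference curve, as an added example that is not part of the paper. The sensor address 192.0.2.10, the packet sample, and the source-port threshold (below 1024) used for the "No DoS Backscatter" filter are constructed assumptions, not the authors' data.

```python
"""Bit-distance distribution of malicious-packet sources (added example, not
the paper's code).  The sensor address and the packet sample are constructed."""
import ipaddress

SENSOR = "192.0.2.10"   # hypothetical sensor address (documentation range)

# Constructed sample: (protocol, source IP, source port, destination port)
SAMPLE_PACKETS = [
    ("TCP", "192.0.2.77", 3021, 445),     # same /24 as the sensor
    ("TCP", "192.0.9.3", 1834, 135),      # same /16
    ("TCP", "192.0.200.4", 2210, 1433),   # same /16
    ("TCP", "198.51.100.7", 4412, 139),   # shares only 5 leading bits
    ("TCP", "203.0.113.9", 80, 3321),     # well-known source port: DoS backscatter
    ("UDP", "192.0.2.200", 1434, 1434),   # same /24
    ("UDP", "10.9.8.7", 53, 1026),        # well-known source port: DoS backscatter
    ("ICMP", "192.0.77.1", None, None),   # ICMP carries no ports
    ("ICMP", "172.16.0.5", None, None),
]


def bit_distance(src, dst):
    """Number of leading bits two IPv4 addresses have in common (0..32).

    This is the paper's 'distance': a longer common prefix means the source
    lies in a smaller network around the sensor, i.e. it is closer."""
    diff = int(ipaddress.IPv4Address(src)) ^ int(ipaddress.IPv4Address(dst))
    return 32 - diff.bit_length()        # diff == 0 -> identical -> 32


def complementary_distribution(distances):
    """curve[k] = ratio of packets whose common prefix is at least k bits."""
    n = len(distances)
    return [sum(1 for d in distances if d >= k) / n for k in range(33)]


def random_distribution():
    """Theoretical curve for sources drawn uniformly from the 32-bit space:
    P(first k bits equal the sensor's) = 2**-k."""
    return [2.0 ** -k for k in range(33)]


def curves(packets, sensor=SENSOR):
    """Complementary distribution per protocol plus the two reference plots
    of Figure 2 ('No DoS Backscatter' and 'Random')."""
    groups = {}
    for proto, src, sport, _ in packets:
        d = bit_distance(src, sensor)
        groups.setdefault(proto, []).append(d)
        # Backscatter filter (assumption): TCP/UDP packets from a well-known
        # source port (< 1024) are treated as DoS backscatter and excluded.
        if sport is not None and sport >= 1024:
            groups.setdefault("No DoS Backscatter", []).append(d)
    out = {name: complementary_distribution(ds) for name, ds in groups.items()}
    out["Random"] = random_distribution()
    return out


def biased_toward_sensor(curve, k=16):
    """True when the empirical curve lies above the uniform-random curve at
    k bits, i.e. sources are over-represented inside the sensor's /k network."""
    return curve[k] > random_distribution()[k]


if __name__ == "__main__":
    for name, curve in curves(SAMPLE_PACKETS).items():
        print(f"{name:18s} P(prefix>=8)={curve[8]:.3f}  P(prefix>=16)={curve[16]:.6f}")
```

For a uniformly random source the chance of sharing 16 leading bits with the sensor is 2^-16, so any noticeable mass at k = 16 in a measured curve is already evidence of local-preference scanning; on real sensor data the same comparison should be done per sensor, since Section 4.1 notes that the curves differ from sensor to sensor.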
4.2 Spatial Distribution of Source Addresses
We present the spatial distribution of the source addresses of malicious packets in Figures 4 to 6 for one month of data, April 2006. To capture the spatial distribution of source addresses, we select two octets of the IP address for each graph, i.e. {1st octet, 2nd octet}, {2nd octet, 3rd octet} and {3rd octet, 4th octet} for Figures 4, 5 and 6 respectively. We then map the number of packets to the position in the two-dimensional space determined by the two selected octets and represent it as gray-scale density. Figures 4 to 6 represent respectively the overall Internet space, the /8 network space and the /16 network space containing the target sensor. Each dot in Figures 4 to 6 represents respectively a /16 network, a /24 network and a single IP address. We use only TCP packets, since the source addresses of TCP packets are usually not spoofed.

Figure 5: Distribution in 2nd, 3rd octet space (Sensor 2).

Figure 6: Distribution in 3rd, 4th octet space (Sensor 2).

Figure 7: Time-series access frequencies by port (top five ports, including 1433, 21 and 80; horizontal axis: time, 5/19 to 5/23 in 12-hour steps; vertical axis: count/hour).

5. THREAT EVALUATION
We present a threat evaluation method that takes advantage of the structure of the graph of monitored packets. First we compare the traditional threat detection method with our graph method, and then we describe how to calculate threat levels in the Internet.

5.1 Relation between Threats and Vulnerabilities
In this paper we consider a highly contagious Internet worm to be a threat in the Internet. Highly contagious worms search effectively for hosts with vulnerable ports, and such vulnerable hosts are more numerous in the Internet than other kinds. We propose a method for evaluating the threat that contagious worms pose to a port of a host in the Internet. Most of the malicious packets monitored by an Internet monitoring system come from worms. We evaluate the threat in the Internet based on the access graph formed by the sources and destinations of malicious packets.

Traditional threat detection systems are based on the time-series frequencies of malicious packets. Figure 7 shows the time-series frequencies of monitored packets for each of the top five ports. The horizontal axis indicates time and the vertical axis the frequency of packets (access frequency). Threat detection methods based on time-series frequencies do not make use of the spatial structure of the access relations between the sources and destinations of packets. Figure 8 shows the access graph formed by the source-destination relation of the same packet data. The left-hand side of the graph lists the source IP addresses, renumbered for convenience, and the right-hand side the destination ports of the packets.

Figure 8: Access graph between sources (renumbered source IP addresses, left) and destination ports (right; among them 3389, 22, 1433, 27374, 5432, 25, 53, 21 and 80).

The data in this example were obtained during the period when the SPIDA worm was active. As seen in Figure 8, many source addresses send access packets to port 1433 (MS SQL), port 21 (ftp) and port 80 (http). We can assume that the source IP addresses of most TCP accesses from worms are not spoofed, because a worm has to establish a connection to its target host. Therefore we use only TCP packets for the analysis.

To evaluate threat based on this access graph, we consider two kinds of relationship: one is that the more vulnerable a port is, the more access packets it receives from highly contagious worms; the other is that the more contagious a worm is, the more it accesses vulnerable ports. These relationships can be restated as follows.

Relationship 1: The vulnerability of a destination port is high if it is accessed from many different source addresses with a high threat level.

Relationship 2: The threat level of a source address is high if it sends packets to many vulnerable destination ports.

Figure 9: Relation between a destination d and several sources s1, s2, s3 (edges from access sources to access destinations).

Figure 10: Relation between a source s4 and several destinations d4, d5, d6 (edges from access sources to access destinations).

We show how to evaluate threats in the Internet based on these relationships using simple examples. Figure 9 shows the relation between the sources and a destination of monitored packets. An arrow from left to right indicates an access from the left node to the right node. First, we define the vulnerability of a destination based on Relationship 1. We assume that all source nodes have been assigned a tentative threat level. The vulnerability of the destination d in the figure is defined as the weighted sum of the threat levels of the source nodes connected to it by edges. The edge weights are defined in Section 5.2. Next, in Figure 10, we define the threat level of a source based on Relationship 2. We assume that the destination nodes have been assigned a tentative vulnerability. The threat of the source node s4 in the figure is defined in the same way as the weighted sum of the vulnerabilities of the destination nodes connected to it by edges. In the former relationship, the threat levels of the source nodes are assumed to be given in order to define the vulnerability of the destination nodes; in the latter, the vulnerabilities of the destination nodes are assumed to be given in order to define the threat of the source nodes. Starting from arbitrary initial values of threat and vulnerability and applying the two relations alternately, the values converge, and the convergent values are the threats and vulnerabilities of the source and destination nodes.

5.2 Calculation Method
We apply the eigenvalue method to the access graph described in the previous section in order to evaluate threat in the Internet. Figure 11 shows the access graph formed by the source-destination relationships of the monitored packets.
Source nodes represent IP addresses and destination nodes represent port numbers. An arrow represents the access from source to destination of a monitored packet. The monitored packets come from the Internet to the sensors.

Figure 11: A graph of malicious packets (sources in the Internet on the left, ports on the sensors on the right).

Since the sets of source and destination nodes do not overlap, the access graph is a bipartite graph. We define a vector t as the tuple of the threat levels of the source nodes and a vector v as the tuple of the threat levels of the destination nodes:

  t = (t_1, t_2, \ldots, t_n)   (1)
  v = (v_1, v_2, \ldots, v_m)   (2)

We call t the source threat vector and v the destination threat vector (v is the vulnerability of Section 5.1). First, the threat level v_j of destination j is defined as a weighted sum of the threat levels t_i of the sources i, based on Relationship 1 in Section 5.1 (Equation 3):

  v_1 = c_1 (w_{1,1} t_1 + w_{2,1} t_2 + \cdots + w_{n,1} t_n)
  \vdots
  v_m = c_1 (w_{1,m} t_1 + w_{2,m} t_2 + \cdots + w_{n,m} t_n)   (3)

The coefficient c_1 is fixed by solving an eigenvalue equation, as described later. The weight w_{i,j} is assigned to the edge from source i to destination j according to how much an access from source i affects destination j. Since accesses from different sources suggest a more contagious worm than repeated accesses from the same source, we define w_{i,j} as follows. We consider two consecutive observation terms, the former term and the latter term. If there is an access from source i to destination j in the latter term and none in the former term, the weight is 1; otherwise the weight is 0.

Next, the threat level t_i of source i is defined as a weighted sum of the threat levels v_j of the destinations j, based on Relationship 2 in Section 5.1 (Equation 4):

  t_1 = c_2 (w_{1,1} v_1 + w_{1,2} v_2 + \cdots + w_{1,m} v_m)
  \vdots
  t_n = c_2 (w_{n,1} v_1 + w_{n,2} v_2 + \cdots + w_{n,m} v_m)   (4)

The coefficient c_2 is likewise fixed by solving an eigenvalue equation. Equation 3 calculates the destination threat vector v from the source threat vector t; Equation 4 calculates the source threat vector t from the destination threat vector v in the inverse direction. Starting from arbitrary initial vectors v and t and applying the two equations alternately, we obtain convergent threat vectors v and t. These convergent vectors can be calculated by solving an eigenvalue equation. We define the access matrix W composed of the weights w_{i,j} of the graph edges from source i to destination j (Equation 5):

  W = \begin{pmatrix} w_{1,1} & w_{1,2} & \cdots & w_{1,m} \\ w_{2,1} & w_{2,2} & \cdots & w_{2,m} \\ \vdots & \vdots & & \vdots \\ w_{n,1} & w_{n,2} & \cdots & w_{n,m} \end{pmatrix}   (5)

Equations 3 and 4 are written with the access matrix W as follows, where W^{\mathsf T} is the transpose of W and the subscripts give the numbers of rows and columns:

  v = c_1 \, W^{\mathsf T}_{m \times n} \, t   (6)
  t = c_2 \, W_{n \times m} \, v   (7)

Substituting each equation into the other, we obtain the following eigenvalue equations:

  v = c_1 c_2 \, (W^{\mathsf T} W)_{m \times m} \, v   (8)
  t = c_1 c_2 \, (W W^{\mathsf T})_{n \times n} \, t   (9)

Equation 8 shows that the destination threat vector v is an eigenvector of the m \times m square matrix W^{\mathsf T} W, and Equation 9 shows that the source threat vector t is an eigenvector of the n \times n square matrix W W^{\mathsf T}, both for the eigenvalue 1/(c_1 c_2). By the Perron-Frobenius theorem, if every element of W^{\mathsf T} W and W W^{\mathsf T} is positive, the eigenvector for the largest eigenvalue is unique and all of its elements are positive. Therefore, in this case, the source and destination threat vectors are obtained uniquely. Since we can assume that a small amount of random noise packets is monitored at every IP address on the Internet, we add a small quantity δ > 0 to every element of the access matrix W. Then all elements of the eigenvectors obtained by solving Equations 8 and 9 are positive.

6. EXPERIMENTS
We evaluate our method by applying it to working examples obtained by the Internet threat monitoring system. Since it is difficult to know the true level of threat in the Internet, we regard the periods in which critical warnings were issued as periods of high threat.

6.1 MS SQL Incident
The data for the evaluation were obtained in the period in which JPCERT/CC alert JPCERT-AT-6 was issued regarding an MS SQL vulnerability on port 1433. This incident occurred from July 9th to 13th, 2005. We apply our method to these 5 days of monitored data 4 times, as described in Figure 12. Each time we use a pair of 1-day data sets: one day as the former period and the next day as the latter period. From each 2-day data set we calculate the access matrix defined in Section 5.2.

Table 2 shows the top ten ports by threat level for each day. The port column gives the port number, the count column the number of accesses during the period, and the threat column the threat level evaluated by our method. In Table 2, the threat level of the incident port (port 1433) increases on each day from July 10 to July 13, and its rank rises from 5th to 4th, 3rd and 2nd over this period.
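The alternating computation of Equations 3 and 4 with the newly-appearing-source edge weights and the δ term of Section 5.2, applied over sliding two-day windows as in the experiment of Section 6.1, as an added example that is not the authors' code. The three days of (source, port) TCP accesses, the value δ = 1e-6, and unit Euclidean length as the normalization that fixes c_1 and c_2 are assumptions made for the example.

```python
"""Graph-based threat evaluation of destination ports (added example, not the
authors' code).  Source IP addresses and destination ports form a bipartite
access graph; the threat vectors are the dominant eigenvectors of W W^T and
W^T W, found by alternating Eq. 3 and Eq. 4 (power iteration).  The daily
packet sets below are constructed, not monitored data."""
from collections import Counter
from math import sqrt

DELTA = 1e-6   # assumed noise term: keeps every element of W positive (Perron-Frobenius)


def access_matrix(former, latter, delta=DELTA):
    """Build the access matrix W (rows: source IPs, columns: destination ports).

    former, latter: iterables of (src_ip, dst_port) for two consecutive
    observation terms (one day each in Section 6).  An edge has weight 1 when
    source i accessed port j in the latter term but not in the former term
    (a newly appearing source) and 0 for a repeated access; delta is added to
    every element so the dominant eigenvector is unique and positive."""
    former_edges, latter_edges = set(former), set(latter)
    new_edges = latter_edges - former_edges
    sources = sorted({s for s, _ in former_edges | latter_edges})
    ports = sorted({p for _, p in former_edges | latter_edges})
    w = [[delta + (1.0 if (s, p) in new_edges else 0.0) for p in ports]
         for s in sources]
    return sources, ports, w


def _unit(vec):
    """Scale a vector to unit Euclidean length; this is what c1 and c2 do."""
    norm = sqrt(sum(x * x for x in vec))
    return [x / norm for x in vec]


def threat_vectors(w, iterations=60):
    """Alternate Eq. 3 (v = c1 W^T t) and Eq. 4 (t = c2 W v) until convergence.

    Each round multiplies v by W^T W, so v converges to the dominant
    eigenvector of W^T W (Eq. 8) and t to that of W W^T (Eq. 9)."""
    n, m = len(w), len(w[0])
    t, v = [1.0] * n, [1.0] * m
    for _ in range(iterations):
        v = _unit([sum(w[i][j] * t[i] for i in range(n)) for j in range(m)])
        t = _unit([sum(w[i][j] * v[j] for j in range(m)) for i in range(n)])
    return t, v


def evaluate_window(former, latter):
    """Source and destination threat levels for one (former, latter) window."""
    sources, ports, w = access_matrix(former, latter)
    t, v = threat_vectors(w)
    return dict(zip(sources, t)), dict(zip(ports, v))


def rank_ports(port_threat):
    """Ports ordered by decreasing threat level (rank 1 first)."""
    return sorted(port_threat, key=lambda p: port_threat[p], reverse=True)


def rank_by_count(latter):
    """The traditional ranking: ports ordered by packet count in the latter term."""
    counts = Counter(p for _, p in latter)
    return [p for p, _ in counts.most_common()], counts


# Constructed sample: three daily sets of TCP (src_ip, dst_port) accesses.
# Three hosts scan 135 and 445 every day (repeated access, weight 0); on day 3
# four new hosts appear on port 1433 while port 445 still gets the most packets.
BACKGROUND = [(f"10.0.0.{i}", p) for i in (1, 2, 3) for p in (135, 445)]
DAY1 = BACKGROUND + [("10.0.1.9", 139)]
DAY2 = BACKGROUND + [("10.0.2.1", 445), ("10.0.2.2", 445), ("10.0.3.1", 1433)]
DAY3 = (BACKGROUND + [("10.0.2.1", 445), ("10.0.2.2", 445), ("10.0.2.3", 445)]
        + [(f"10.0.3.{i}", 1433) for i in (2, 3, 4, 5)])
DAYS = [DAY1, DAY2, DAY3]


def evaluate_days(days=DAYS):
    """Slide a two-day window over the data as in Figure 12.

    Returns one tuple per latter day: (port_threat, rank by threat, rank by count)."""
    results = []
    for former, latter in zip(days, days[1:]):
        _, port_threat = evaluate_window(former, latter)
        results.append((port_threat, rank_ports(port_threat), rank_by_count(latter)[0]))
    return results


if __name__ == "__main__":
    for day, (threat, by_threat, by_count) in enumerate(evaluate_days(), start=2):
        print(f"day {day}: by threat {by_threat[:3]}  by count {by_count[:3]}")
        for p in by_threat[:3]:
            print(f"   port {p:5d}  threat {threat[p]:.3f}")
```

On the constructed data, day 3 carries more packets to port 445 than to port 1433, yet the threat ranking puts 1433 first because all of its sources are new, which is the kind of divergence between count rank and threat rank that Section 6.1 reports for July 13. The δ term only decides the ordering among ports that received no new source at all, so its exact value is immaterial as long as it is small and positive.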

Figure 12: Data usage for the experiment (data period: 1st to 5th day; the 1st to 4th evaluations use the day pairs (1st, 2nd), (2nd, 3rd), (3rd, 4th) and (4th, 5th) as the former and latter halves).

Table 2: Top ten ports by threat level for the port 1433 incident, July 10 to July 13, 2005 (columns for each day: port, count, threat). Port 135 ranks first on every day; port 1433 rises from 5th to 2nd.

Figure 13 shows the time-series change of the threat level of the top five ports.

Figure 13: Time-series threat levels for the port 1433 incident (ports 135, 1433, 445, 2745, 139; horizontal axis: date, July 10 to 13; vertical axis: threat index).

In Table 2, port 2345 (Amitis.B backdoor) on July 10, port 9898 (Win32.Dabber.B worm) on July 12 and port 2745 (Agobot bot worm, which uses the Bagle worm backdoor) on July 13 show a high threat level even though their access counts are small compared with the other ports. This result cannot be derived by a threat detection method based on access counts.

On July 13 the threat level of port 1433 exceeds that of port 445, even though its access count is smaller than that of port 445. Looking at the count columns instead, the rank of port 1433 by count moves 4th, 4th, 3rd, 3rd, which is slow compared with its rank by threat level. From these experiments we can say that, in the period of an incident outbreak, our method responds to the critical incident better than the access count does.

6.2 Windows File Share Incident
The next data set was obtained in the period in which IPA (Information-technology Promotion Agency, Japan) issued an alert on a Windows file share vulnerability on port 139. The incident period ran from June 8 to June 12, 2005. In this experiment we applied our method in the same way as in the previous one, to each 2-day data set.

Table 3: Top ten ports by threat level for the port 139 incident, June 9 to June 12, 2005 (columns for each day: port, count, threat). Ports 135 and 445 rank first and second on every day; port 139 enters the top ten on June 11 (4th) and reaches 3rd on June 12.

Figure 14: Time-series threat levels for the port 139 incident (ports 135, 445, 139, 42857, 4899; horizontal axis: date, June 9 to 12; vertical axis: threat index).

Table 3 shows the ports with the highest threat levels. In this experiment the threat level of the vulnerable port 139 increases on each day and its rank rises from outside the top ten to 4th and then 3rd. Figure 14 shows the time-series threat level of the top five ports. This experiment also shows a relatively high increase of the threat of the vulnerable port compared with the other ports.

7. CONCLUSION
We presented an analysis of the distribution of the source addresses of malicious packets. An increase in the number of source addresses may indicate the spreading of a worm, and we suggested that the change of the distribution may be used for detecting threats.

Extending the concept of the distribution of source addresses of malicious packets, we proposed a threat evaluation method based on the graph formed by the relation between the sources and destinations of monitored malicious packets. Traditional threat detection methods are based on the time-series frequencies of packets. Our method differs from them in that it makes use of the spatial structure of the graph to quantify the level of threats, by solving an eigenvalue problem. Applied to working examples observed by the Internet monitoring system, the threat level calculated by our method responded better to critical incidents than the packet frequencies did. As future work, the strengths and weaknesses of our method against several types of incident should be clarified.

8. REFERENCES
[1] DShield.org. Distributed intrusion detection system. http://www.dshield.org/index.html.
[2] M. Ishiguro, M. Ito, Y. Toda, and H. Suzuki. Characteristics of malicious packets by port monitoring on the Internet (in Japanese). In Computer Security Symposium 2005, 2005.
[3] M. Ishiguro, H. Suzuki, I. Murase, and H. Ohno. Internet threat detection system using Bayesian estimation. In 16th Annual FIRST Conference on Computer Security Incident Handling, 2004.
[4] JPCERT/CC. Internet Scan Data Acquisition System (ISDAS). http://www.jpcert.or.jp/isdas/.
[5] R. R. Kompella, S. Singh, and G. Varghese. On scalable attack detection in the network. In 4th ACM SIGCOMM Conference on Internet Measurement, pages 187-200, 2004.
[6] D. Moore, C. Shannon, G. M. Voelker, and S. Savage. Network telescopes: Technical report. Technical report, CAIDA, 2004.
[7] L. Page, S. Brin, R. Motwani, and T. Winograd. The PageRank citation ranking: Bringing order to the web. Technical report, Stanford Digital Library Technologies Project, 1998.
[8] R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet background radiation. In Proceedings of the ACM Internet Measurement Conference, 2004.
[9] The Honeynet Project. Tools for honeynets. http://www.lucidic.net/.
[10] M. A. Rajab, F. Monrose, and A. Terzis. On the effectiveness of distributed worm monitoring. In 14th USENIX Security Symposium, pages 225-237, 2005.
[11] SANS Institute. Internet Storm Center. http://isc.sans.org/.
[12] S. Schechter, J. Jung, and A. W. Berger. Fast detection of scanning worm infections. In 7th International Symposium on Recent Advances in Intrusion Detection, 2004.
[13] M. Thottan and C. Ji. Anomaly detection in IP networks. IEEE Transactions on Signal Processing, 51(8), August 2003.
[14] University of Michigan. Internet Motion Sensor (IMS). http://ims.eecs.umich.edu/index.html.
[15] C. C. Zou, L. Gao, W. Gong, and D. Towsley. Monitoring and early warning for Internet worms. In 10th ACM Conference on Computer and Communications Security, pages 190-199, 2003.