DOI: 10.1145/1978672.1978677
Research article

nicter: a large-scale network incident analysis system: case studies for understanding threat landscape

Published: 10 April 2011

Abstract

We have been developing the Network Incident analysis Center for Tactical Emergency Response (nicter), whose objective is to detect and identify propagating malware. The nicter mainly monitors darknet, a set of unused IP addresses, to observe global trends of network threats, while it also captures and analyzes malware executables. By correlating the observed network threats with the malware analysis results, the nicter identifies the root causes (malware) of the detected network threats. Through long-term operation of the nicter for more than five years, we have obtained some key findings that help us understand the intentions of attackers and the comprehensive threat landscape of the Internet. With a focus on a well-known malware, i.e., W32.Downadup, this paper provides some practical case studies with considerations; consequently, we obtained a threat landscape in which more than 60% of the attacking hosts observed in our darknet could be infected by W32.Downadup. As an evaluation, we confirmed that the result of the correlation analysis was correct at a rate of 86.18%.



Published In

BADGERS '11: Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
April 2011, 111 pages
ISBN: 9781450307680
DOI: 10.1145/1978672

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. correlation analysis
  2. malware analysis
  3. network monitoring


Conference

EuroSys '11: Sixth EuroSys Conference 2011
April 10, 2011
Salzburg, Austria

Acceptance Rates

Overall Acceptance Rate: 4 of 7 submissions, 57%


Cited By

  • (2019) Network Deployments of Bitcoin Peers and Malicious Nodes Based on Darknet Sensor. G Protein-Coupled Receptor Signaling, pp. 117-128. DOI: 10.1007/978-3-030-17982-3_10. Online publication date: 12-Apr-2019.
  • (2018) Detecting Distributed Cyber Attacks in SDN Based on Automatic Thresholding. 2018 Sixth International Symposium on Computing and Networking Workshops (CANDARW), pp. 417-423. DOI: 10.1109/CANDARW.2018.00083. Online publication date: Nov-2018.
  • (2017) Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet. Sustainability, 9(2):262. DOI: 10.3390/su9020262. Online publication date: 13-Feb-2017.
  • (2017) A Behavior-Based Online Engine for Detecting Distributed Cyber-Attacks. Information Security Applications, pp. 79-89. DOI: 10.1007/978-3-319-56549-1_7. Online publication date: 30-Mar-2017.
  • (2016) IoTPOT: A Novel Honeypot for Revealing Current IoT Threats. Journal of Information Processing, 24(3):522-533. DOI: 10.2197/ipsjjip.24.522. Online publication date: 2016.
  • (2016) A Study of Packet Sampling Methods for Protecting Sensors Deployed on Darknet. 2016 19th International Conference on Network-Based Information Systems (NBiS), pp. 76-83. DOI: 10.1109/NBiS.2016.37. Online publication date: Sep-2016.
  • (2016) Darknet as a Source of Cyber Intelligence: Survey, Taxonomy, and Characterization. IEEE Communications Surveys & Tutorials, 18(2):1197-1227. DOI: 10.1109/COMST.2015.2497690. Online publication date: Oct-2017.
  • (2015) Increasing the Darkness of Darknet Traffic. 2015 IEEE Global Communications Conference (GLOBECOM), pp. 1-7. DOI: 10.1109/GLOCOM.2015.7416973. Online publication date: Dec-2015.
  • (2015) A Proposal for Detecting Distributed Cyber-Attacks Using Automatic Thresholding. Proceedings of the 2015 10th Asia Joint Conference on Information Security, pp. 152-159. DOI: 10.1109/AsiaJCIS.2015.22. Online publication date: 24-May-2015.
  • (2014) Evaluating a Dynamic Internet Threat Monitoring Method for Preventing PN Code-Based Localization Attack. Proceedings of the 2014 17th International Conference on Network-Based Information Systems, pp. 271-278. DOI: 10.1109/NBiS.2014.57. Online publication date: 10-Sep-2014.
