Threats Intelligence: A Multi-Viewpoints Approach to Acquire Knowledge on Internet Threats
Olivier Thonnard, Royal Military Academy, Belgium
Marc Dacier, Symantec Research Labs, France
Today, the security community is concerned by the highly organized structure and the apparent professionalism of malicious activities on the Internet. Script kiddies seem to be giving way to another breed of cybercriminals whose motivation is grounded in financial gain. As a consequence, a new underground economy is appearing, offering the commoditization of activities such as the sale of 0-day exploits and new, yet-undetected malware, the sale of compromised hosts, spamming, phishing, etc. This leads to the observation of increasingly coordinated attack activities, which are often related to botnets, stealthy multi-headed worms or other sophisticated emerging threats. Client applications, typically web browsers, are also becoming a common infection vector for propagating new malware that in turn aims at scanning and recruiting more vulnerable machines into zombie armies, which seem to be the preferred weapon of cybercriminals today.
There are certainly several data collection initiatives that offer plausible indicators supporting those claims. However, these data sources are often built in an ad-hoc way to study a specific problem. They are rarely publicly available and typically span limited periods of time. This makes the correlation of findings across data sources very difficult, if not impossible. Furthermore, we lack rigorous experimental processes to collect and, more importantly, to analyze the data. In fact, the security community seems to lack two important things regarding threat evaluation: i) unbiased, meaningful and publicly available data about Internet threats, and ii) global threat analysis techniques that can offer real scientific answers to open questions and speculations circulating in the community.
The recently EC-funded project WOMBAT (www.wombat-project.org) aims at tackling some of these issues. In this presentation, we present a method developed within that project that aims at assessing the prevalence of those new cybercriminal activities on the Internet. We are developing tools that could allow us to infer facts about the modus operandi of attack processes, preferably in an automated fashion. To illustrate this approach, we take advantage of a dataset of real-world attack traces collected since 2003 with a worldwide distributed set of honeypot sensors. This system has been built and is maintained by EURECOM, one of the partners in the WOMBAT consortium. Around 50 sensors have been deployed in more than 30 countries covering the five continents.
To study this dataset, a novel multi-viewpoint analysis tool based on packet clustering, data mining and attack pattern correlation has been developed. The tool enables the extraction of interesting knowledge and hidden patterns from this large traffic database. Central to our approach is the capability to correlate network traces by creating attack patterns according to many different dimensions, among which one can mention the geographical origin of the attacking machines, the network blocks and ISPs involved in the attacks, the temporal patterns of the attacks, etc. We present some experimental results related to the analysis of attack processes observed on these sensors, namely: what are the general trends of those attacks, what are their plausible root causes, and which types of activity seem to be closely coordinated in time and space. More generally, we discuss the lessons learned from the worldwide deployment of those sensors and we show how these techniques could be generalized to facilitate the global analysis, and hence a better understanding, of Internet threats. Those important issues have been identified as key objectives of the WOMBAT project, the ultimate goal of which is to provide means to understand the existing and emerging threats that are targeting the Internet economy and net citizens. The knowledge acquired in this project is to be shared with all interested security actors (ISPs, CERTs, security vendors, etc.), enabling them to make sound security investment decisions and to focus on the most dangerous activities first. It is also worth mentioning that interested partners are welcome to join this worldwide data collection. By doing so, they will not only gain access to the whole dataset gathered so far but also to the various analysis tools developed in that context, including the ones presented in this presentation.