Correlation of Massively Distributed Scanners


Abstract

Cyber attacks have become increasingly prominent, and by several estimates their cost to society is reaching trillions of US dollars. A typical cyber attack goes through several consecutive phases of the cyber kill chain. As a precursor to any attack, the malicious actor performs network reconnaissance in order to identify potential entry points through exploitable services connected to the internet. Early detection of reconnaissance by scanners can therefore mitigate or entirely prevent future attacks. Modern intrusion detection systems are capable of blocking some scan attempts. However, more sophisticated and resourceful attackers are suspected to distribute their efforts over a large number of sources, which allows them to lower the scan rate of each individual source while achieving the same overall throughput. Slow scanners are harder to detect because they differ little from baseline noise. Additionally, a threat is severely underestimated if a large number of collaborating scanners is not treated as a single entity. The aim of this thesis is therefore to infer such a coordinated relationship between scanners controlled by a single initiator.

We analyse data from a network telescope covering one year of observation, much longer than in previous work. Initial analysis led to the discovery of similar long-term activity patterns among distributed scanners. These patterns can be used to uniquely identify a group, and they form the basis of the correlation algorithm. We successfully detected a large number of clusters employing various strategies in terms of size, scan rate and targeted services. Because ground truth is absent, additional effort was spent validating potential clusters through other characteristics. We also demonstrate the utility of transforming the raw telescope data for cluster analysis through a case study of very slow scanners.
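The long-term activity-pattern correlation described above, as an added Python example that is not code from the thesis: hypothetical sources seen by a telescope are grouped by the similarity of the days on which they are active, and each group's aggregate scan rate is compared with that of its busiest member. The IP addresses, ports, on/off schedules and the 0.9 Jaccard threshold are constructed assumptions, not values from the thesis.

```python
from collections import defaultdict
from itertools import combinations
# Constructed telescope records (day index, source IP, destination port): 10.0.0.x
# share one on/off schedule, 192.0.2.x another, 203.0.113.5 scans alone every day.
NUM_DAYS = 14  # length of the constructed observation window, in days
SCHEDULE = {  # hypothetical source -> (port, active days, packets per active day)
    "10.0.0.1": (22, [0, 1, 2, 6, 7, 8, 12, 13], 2),
    "10.0.0.2": (22, [0, 1, 2, 6, 7, 8, 12, 13], 2),
    "10.0.0.3": (22, [0, 1, 2, 6, 7, 8, 12, 13], 2),
    "192.0.2.7": (3389, [3, 4, 5, 9, 10, 11], 3),
    "192.0.2.8": (3389, [3, 4, 5, 9, 10, 11], 3),
    "203.0.113.5": (445, range(NUM_DAYS), 40),
}
RECORDS = [(d, src, port) for src, (port, days, n) in SCHEDULE.items()
           for d in days for _ in range(n)]

def activity_patterns(records):
    """Map each source to the set of days on which the telescope saw it."""
    days_seen = defaultdict(set)
    for day, src, _port in records:
        days_seen[src].add(day)
    return days_seen

def jaccard(a, b):
    """Similarity of two day sets; 1.0 means identical long-term patterns."""
    return len(a & b) / len(a | b) if a | b else 0.0

def correlate(records, threshold=0.9):
    """Single-linkage clustering of sources whose activity patterns match."""
    patterns = activity_patterns(records)
    parent = {src: src for src in patterns}  # union-find forest
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for a, b in combinations(patterns, 2):
        if jaccard(patterns[a], patterns[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(set)
    for src in patterns:
        groups[find(src)].add(src)
    return [frozenset(g) for g in groups.values()]

def scan_rates(records, clusters, num_days=NUM_DAYS):
    """Per cluster: (aggregate packets/day, busiest single member's packets/day)."""
    per_src = defaultdict(int)
    for _day, src, _port in records:
        per_src[src] += 1
    return {c: (sum(per_src[s] for s in c) / num_days,
                max(per_src[s] for s in c) / num_days) for c in clusters}
```

Lowering the threshold merges the always-on scanner into the first group, which is why, without ground truth, a candidate cluster needs confirmation through further characteristics such as the targeted service.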

Files

Thesis_TU_Delft.pdf
(pdf | 4.01 Mb)
Unknown license