# A Characterization of Cybersecurity Posture from Network Telescope Data

## Abstract

Data-driven understanding of cybersecurity posture is an important problem that has not been adequately explored. In this paper, we analyze real data collected by CAIDA’s network telescope during the month of March 2013. We propose to formalize the concept of cybersecurity posture from the perspectives of three kinds of time series: the number of victims (i.e., telescope IP addresses that are attacked), the number of attackers observed by the telescope, and the number of attacks observed by the telescope. Characterizing cybersecurity posture therefore becomes a matter of investigating the phenomena and statistical properties exhibited by these time series and explaining their cybersecurity meaning. For example, we propose the concept of *sweep-time*, and show that sweep-time should be modeled as a stochastic process rather than as a random variable. We report that the number of attackers (and attacks) from a certain country dominates the total number of attackers (and attacks) observed by the telescope. We also show that substantially smaller network telescopes might not be as useful as a large telescope.
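The three time series the abstract defines can be computed directly from darknet flow records. The following is an added example, not the paper's or CAIDA's code: it builds per-hour victim, attacker and attack counts from constructed records (timestamp, attacker IP, telescope address hit) over a constructed /22 darknet, and then compares what a /28 carved out of the same space observes, which illustrates why a much smaller telescope can miss low-rate attackers entirely.

```python
"""Added example (not the paper's or CAIDA's code): build the three posture
time series the abstract defines (victims, attackers, attacks per interval)
from darknet flow records, then compare what a much smaller telescope sees."""
from collections import defaultdict
import random

rng = random.Random(7)
# Constructed darknet: 1024 unused addresses (a /22), and constructed records
# of the form (timestamp_seconds, attacker_ip, telescope_ip_hit).
TELESCOPE = [f"10.0.{i // 256}.{i % 256}" for i in range(1024)]
RECORDS = []
for t in range(0, 3 * 3600, 60):                    # three hours, one batch per minute
    for dst in rng.sample(TELESCOPE, 50):            # a sweeper probing 50 addresses/min
        RECORDS.append((t, "203.0.113.5", dst))
    RECORDS.append((t, "198.51.100.9", TELESCOPE[900]))  # two low-rate probers that each
    RECORDS.append((t, "192.0.2.77", TELESCOPE[901]))    # hit a single fixed address

def posture_series(records, interval=3600, telescope=None):
    """Per-interval counts keyed by bin start: (victims, attackers, attacks).
    victims = distinct telescope addresses hit, attackers = distinct source IPs,
    attacks = records observed. `telescope` limits the view to a subset of
    addresses, i.e. it simulates a smaller telescope carved out of the same space."""
    victims, attackers = defaultdict(set), defaultdict(set)
    attacks = defaultdict(int)
    for ts, src, dst in records:
        if telescope is not None and dst not in telescope:
            continue                                 # not addressed to us: invisible
        b = ts - ts % interval
        victims[b].add(dst)
        attackers[b].add(src)
        attacks[b] += 1
    return {b: (len(victims[b]), len(attackers[b]), attacks[b]) for b in sorted(attacks)}

def attackers_seen(records, telescope=None):
    """Distinct attackers observed over the whole period by the given telescope."""
    return len({src for _, src, dst in records if telescope is None or dst in telescope})

if __name__ == "__main__":
    for b, (v, a, n) in posture_series(RECORDS).items():
        print(f"hour {b // 3600}: victims={v:4d} attackers={a} attacks={n}")
    small = set(TELESCOPE[:16])                       # a /28 carved from the same /22
    print("attackers seen by full /22:", attackers_seen(RECORDS))
    print("attackers seen by the /28 :", attackers_seen(RECORDS, small))
```

The sweeper is visible to both telescopes, but the two single-address probers never touch the /28, so the smaller telescope reports one attacker where the /22 reports three.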

## Keywords

Cybersecurity data analytics, Cybersecurity posture, Network telescope, Network blackhole, Darknet, Cyber attack sweep-time, Time series data

## Notes

### Acknowledgement

We thank CAIDA for sharing with us the data analyzed in the paper. This work was supported in part by ARO Grant #W911NF-13-1-0141 and NSF Grant #1111925.
