MalSpot: Multi2 Malicious Network Behavior Patterns Analysis
What patterns do typical network attackers exhibit? For a given malicious network behavior, are its attacks spread uniformly over time? In this work we develop MalSpot, a multi-resolution and multi-linear (Multi2) network analysis system, to discover such malicious patterns so that they can later be used for attack detection when attacks are concurrent with legitimate traffic. We designed and deployed MalSpot, which employs multi-linear (tensor) analysis at several time resolutions, running on top of MapReduce (Hadoop), and we identify patterns across attackers, attacked institutions and time scales. We collected over a terabyte of proven malicious traces (along with benign ones) from the Taiwanese government security operation center (G-SOC), covering the entire year of 2012. We showcase the effectiveness of MalSpot by discovering interesting patterns and anomalies in this enormous dataset. We observed static and time-evolving patterns that the vast majority of the known malicious behavior appears to follow.
Keywords: multi-resolution, tensor, anomaly detection, multi-linear, uncorrelated levels
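The abstract describes multi-linear analysis of attacker, attacked-institution and time modes at different time resolutions. The following is an added illustration of that idea and is not MalSpot's code: it buckets constructed flow records (attacker, target, timestamp; the IPs and institution names are made up) into a sparse 3-mode count tensor at a chosen bucket width, fits the dominant rank-1 component with alternating least squares, reads off which attacker/target pair it belongs to and how its activity spreads over time buckets, then greedily deflates to find a second component. MalSpot runs on Hadoop over terabytes; this is a single-machine sketch, and the greedy deflation is a simplification rather than a full CP/PARAFAC fit.

```python
"""Multi-resolution rank-1 tensor analysis of (attacker, target, time) flow counts.

Added example, not MalSpot's code.  Sample flows are constructed; the bucket
widths and the 5% activity threshold are assumptions for illustration.
"""
from collections import defaultdict

# Constructed sample flows: (attacker, target institution, seconds since start).
RECORDS = (
    # attacker 10.0.0.1 bursts ten connections at gov-a within five minutes
    [("10.0.0.1", "gov-a", t) for t in range(0, 300, 30)]
    # attacker 10.0.0.2 probes gov-b slowly, one connection every ten minutes
    + [("10.0.0.2", "gov-b", t) for t in range(0, 3600, 600)]
    # one stray connection
    + [("10.0.0.3", "gov-c", 1500)]
)


def build_tensor(records, bucket_seconds):
    """Count flows into a sparse 3-mode tensor keyed by (src_idx, dst_idx, bucket)."""
    srcs = sorted({r[0] for r in records})
    dsts = sorted({r[1] for r in records})
    src_idx = {s: i for i, s in enumerate(srcs)}
    dst_idx = {d: j for j, d in enumerate(dsts)}
    n_buckets = max(r[2] for r in records) // bucket_seconds + 1
    tensor = defaultdict(float)
    for src, dst, t in records:
        tensor[(src_idx[src], dst_idx[dst], t // bucket_seconds)] += 1.0
    return dict(tensor), srcs, dsts, n_buckets


def unit(v):
    n = sum(x * x for x in v) ** 0.5
    return [x / n for x in v] if n > 0 else v


def rank1_als(tensor, dims, iters=50):
    """Fit X[i,j,k] ~ a[i]*b[j]*c[k] by alternating least squares.

    Each mode is the least-squares solution given the other two, e.g.
    a_i = sum_jk X_ijk b_j c_k / (|b|^2 |c|^2).  a and b are kept unit-norm,
    so the division is by 1 and the component's scale ends up in c.
    """
    b = [1.0] * dims[1]
    c = [1.0] * dims[2]
    for _ in range(iters):
        a = [0.0] * dims[0]
        for (i, j, k), x in tensor.items():
            a[i] += x * b[j] * c[k]
        a = unit(a)
        b = [0.0] * dims[1]
        for (i, j, k), x in tensor.items():
            b[j] += x * a[i] * c[k]
        b = unit(b)
        c = [0.0] * dims[2]
        for (i, j, k), x in tensor.items():
            c[k] += x * a[i] * b[j]
    return a, b, c


def dominant_pattern(tensor, srcs, dsts, n_buckets):
    """Fit one rank-1 component and summarise who, whom, and when."""
    a, b, c = rank1_als(tensor, (len(srcs), len(dsts), n_buckets))
    peak = max(c)
    active = [k for k, v in enumerate(c) if v > 0.05 * peak]  # assumed threshold
    return {
        "attacker": srcs[max(range(len(a)), key=a.__getitem__)],
        "target": dsts[max(range(len(b)), key=b.__getitem__)],
        "active_buckets": active,
        "spread": len(active) / n_buckets,  # 1/n = burst, ~1 = uniform in time
        "weight": sum(c),                   # ~ flows explained by the component
        "factors": (a, b, c),
    }


def deflate(tensor, factors):
    """Subtract the fitted component on the tensor's support (greedy deflation)."""
    a, b, c = factors
    return {key: x - a[key[0]] * b[key[1]] * c[key[2]] for key, x in tensor.items()}


def top_patterns(records, bucket_seconds, n_components=2):
    """Dominant components at one time resolution, most prominent first."""
    tensor, srcs, dsts, n_buckets = build_tensor(records, bucket_seconds)
    out = []
    for _ in range(n_components):
        p = dominant_pattern(tensor, srcs, dsts, n_buckets)
        out.append({k: v for k, v in p.items() if k != "factors"})
        tensor = deflate(tensor, p["factors"])
    return out


if __name__ == "__main__":
    for res in (300, 3600):
        print(f"--- bucket width {res}s ---")
        for p in top_patterns(RECORDS, res):
            print(p)
```

Run at two bucket widths, the same slow probe looks different: with 5-minute buckets the second component's activity covers six of eleven buckets (a scan spread over the hour), while with one-hour buckets it collapses into a single bucket and is indistinguishable in shape from the burst. That is the reason for analysing at several resolutions rather than one.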