Uncovering periodic network signals of cyber attacks

Abstract: This paper addresses the problem of detecting the presence of malware that leave periodic traces in network traffic. This characteristic behavior of malware was found to be surprisingly prevalent in a parallel study. To this end, we propose a visual analytics solution that supports both automatic detection and manual inspection of periodic signals hidden in network traffic. The detected periodic signals are visually verified in an overview using a circular graph and two stacked histograms as well as in detail … Show more

“…Our work is most similar to Huynh et al [2]. They use Fourier analysis to identify periodic activity in netflow, and interactive visualization to explore alerts and temporal patterns.…”

“…In the case of applying our periodicity detection algorithm to netflow logs for the purpose of identifying unexpected automated behavior, we define an entity to be the 4-tuple (Source IP, Destination IP, Protocol, Destination Port), and the time series of interest to be the total number of bytes transferred during the flow initiated in the given time bin, with these values being aggregated over time bins by taking the sum (that is, agg = sum for this use case). Note that while flows are often analyzed at the level of the 5-tuple including Source Port (as in [2], for example), we have found that aggregating over all source ports is useful in detecting meaningful automated activity, as source ports for automated activity often differ with each connection. Alternative entity definitions that we have experimented with for netflow analysis include replacing Source and Destination IPs with Company ASNs (to account for automated activity to/from a given range of IPs where the individual IP varies over time), replacing Destination port with min(Source Port, Destination Port) to better…”

“…Nearly all studies conducting spectral analysis of network logs for the purpose of intrusion detection use datasets where known "attack" time series are artificially overlaid on top of (either real or synthetic) benign network traffic [2,5,9,12], allowing for algorithmic design to be tailored to the characteristics of the known malicious signal. By contrast, we apply our algorithm to network logs obtained from a large partner organization, where presence of attacks, as well as instances of benign periodic activity, are unknown and unlabeled, and which exhibit larger volumes of automated traffic than can be parsed through manually to separate malicious from benign.…”

“…The above modifications would help analysts from all tiers, but to help complete the analysis cycle, we would also like to include the ability for users to inspect packets, similarly to Huynh et al [2]. Alternatively, incorporating functionality to automatically generate a SQL query string that retrieves the original data related to a detection could also help analysts more quickly determine whether a given detection is malicious.…”

“…This can make it challenging to pinpoint the malicious periodic activity amongst non-malicious periodic activity. To address this problem, past research focused on giving users access to deep packet capture data to provide details on demand for each detected periodic signal [2]. However, on networks from large organizations, there will be too many periodic signals to investigate each signal individually.…”

Visualizing Automatically Detected Periodic Network Activity

“…Our work is most similar to Huynh et al [2]. They use Fourier analysis to identify periodic activity in netflow, and interactive visualization to explore alerts and temporal patterns.…”

“…In the case of applying our periodicity detection algorithm to netflow logs for the purpose of identifying unexpected automated behavior, we define an entity to be the 4-tuple (Source IP, Destination IP, Protocol, Destination Port), and the time series of interest to be the total number of bytes transferred during the flow initiated in the given time bin, with these values being aggregated over time bins by taking the sum (that is, agg = sum for this use case). Note that while flows are often analyzed at the level of the 5-tuple including Source Port (as in [2], for example), we have found that aggregating over all source ports is useful in detecting meaningful automated activity, as source ports for automated activity often differ with each connection. Alternative entity definitions that we have experimented with for netflow analysis include replacing Source and Destination IPs with Company ASNs (to account for automated activity to/from a given range of IPs where the individual IP varies over time), replacing Destination port with min(Source Port, Destination Port) to better…”

“…Nearly all studies conducting spectral analysis of network logs for the purpose of intrusion detection use datasets where known "attack" time series are artificially overlaid on top of (either real or synthetic) benign network traffic [2,5,9,12], allowing for algorithmic design to be tailored to the characteristics of the known malicious signal. By contrast, we apply our algorithm to network logs obtained from a large partner organization, where presence of attacks, as well as instances of benign periodic activity, are unknown and unlabeled, and which exhibit larger volumes of automated traffic than can be parsed through manually to separate malicious from benign.…”

“…The above modifications would help analysts from all tiers, but to help complete the analysis cycle, we would also like to include the ability for users to inspect packets, similarly to Huynh et al [2]. Alternatively, incorporating functionality to automatically generate a SQL query string that retrieves the original data related to a detection could also help analysts more quickly determine whether a given detection is malicious.…”

“…This can make it challenging to pinpoint the malicious periodic activity amongst non-malicious periodic activity. To address this problem, past research focused on giving users access to deep packet capture data to provide details on demand for each detected periodic signal [2]. However, on networks from large organizations, there will be too many periodic signals to investigate each signal individually.…”

Visualizing Automatically Detected Periodic Network Activity

Classification of periodic arrivals in event time data for filtering computer network traffic

Communication recurrence and similarity detection in network flows