Rack of Ethernet switches.

Textual Analysis for Network Attack Recognition
Background

The Background of the Threat

"Am I being attacked?"

Uh, are you connected to the Internet using a publicly routable IP address and not hidden behind Network Address Translation (NAT)? If so, then yes, you are being attacked. Expect at least thousands of attacks per day. Far more if your IP address block is of interest to hackers. For instance, if you have a high bandwidth connection to the Internet backbone then your systems would be very useful to the hackers. Or if you are an attractive target (e.g., military, government) then an exploit would be great bragging rights for the hacker.

Now, which of those great many attacks should we care about?

Some attackers take a "spray and pray" approach — they download some attack software and unleash it against a wide range of IP addresses with all the options turned on. They're annoying and a little bit dangerous, but they aren't a seriously focused threat. They're analogous to people who randomly fire guns into the air (Afghan wedding attendees, Sudanese thugs, Detroit residents). They're a little bit dangerous and we wish we could make them stop, but the damage they cause is almost by accident. Unfortunately, the nature of the Internet is that it is one enormous and rather dangerous neighborhood and we have no control over our neighbors' identities or actions.

Much of the attackers' effort is wasted because their attacks are irrelevant. You're running a Unix server but they're irrelevantly trying to break into your non-existent MS-SQL service or send you Windows pop-up messages.

The more dangerous (and therefore more interesting) threat is the one targeting a network service you run and attacking it in an organized way.

What's especially interesting is when you see what seems to be the same attack coming from multiple machines at different times. Is this just one especially motivated attacker using many network resources? Possibly, although if the attack failed six weeks ago then what would make it work today? This more likely is the sign of either spreading malware or unintended duplication of effort within an organization of attackers. This study is an attempt to detect this phenomenon.


To The Security Page