nicter: a large-scale network incident analysis system: case studies for understanding threat landscape

Authors:
Masashi Eto;Daisuke Inoue;Jungsuk Song;Junji Nakazato;Kazuhiro Ohtaka;Koji Nakao
Affiliations:
National Institute of Information and Communications Technology;National Institute of Information and Communications Technology;National Institute of Information and Communications Technology;National Institute of Information and Communications Technology;National Institute of Information and Communications Technology;National Institute of Information and Communications Technology
Venue:
Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
Year:
2011

Citing 6
Cited 2

Hotspots: The Root Causes of Non-Uniformity in Self-Propagating Malware

DSN '06 Proceedings of the International Conference on Dependable Systems and Networks
Lessons learned from the deployment of a high-interaction honeypot

EDCC '06 Proceedings of the Sixth European Dependable Computing Conference
A virtual honeypot framework

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Toward Automated Dynamic Malware Analysis Using CWSandbox

IEEE Security and Privacy
nicter: An Incident Analysis System Toward Binding Network Monitoring with Malware Analysis

WISTDCS '08 Proceedings of the 2008 WOMBAT Workshop on Information Security Threats Data Collection and Sharing
Automatic handling of protocol dependencies and reaction to 0-day attacks with scriptgen based honeypots

RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection

A malware collection and analysis framework based on darknet traffic

ICONIP'12 Proceedings of the 19th international conference on Neural Information Processing - Volume Part II
Collaborative behavior visualization and its detection by observing darknet traffic

CSS'12 Proceedings of the 4th international conference on Cyberspace Safety and Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

We have been developing the Network Incident analysis Center for Tactical Emergency Response (nicter), whose objective is to detect and identify propagating malwares. The nicter mainly monitors darknet, a set of unused IP addresses, to observe global trends of network threats, while it captures and analyzes malware executables. By correlating the network threats with analysis results of malware, the nicter identifies the root causes (malwares) of the detected network threats. Through a long-term operation of the nicter for more than five years, we have achieved some key findings that would help us to understand the intentions of attackers and the comprehensive threat landscape of the Internet. With a focus on a well-knwon malware, i. e., W32.Downadup, this paper provides some practical case studies with considerations and consequently we could obtain a threat landscape that more than 60% of attacking hosts observed in our dark-net could be infected by W32.Downadup. As an evaluation, we confirmed that the result of the correlation analysis was correct in a rate of 86.18%.