Doctoral Thesis Defense: Elias Bou-Harb

June 25, 2015

Speaker: Elias Bou-Harb

Supervisor: Drs. C. Assi, M. Debbabi

Supervisory Committee: Drs. J. Bentahar, T. Eavis, D. Qiu, N. Zincir-Heywood, S. Tahar (Chair)

Title: Approaches and Techniques for Fingerprinting and Attributing Probing Activities by Observing Network Telescopes

Date: Thursday, June 25, 2015

Time: 13:00

Place: EV 1.162

ABSTRACT

The explosive growth, complexity, adoption and dynamism of cyberspace over the last decade have radically altered the globe. A plethora of nations have been at the very forefront of this change, fully embracing the opportunities provided by advances in science and technology in order to fortify their economies and to increase the productivity of everyday life. However, this significant dependence on cyberspace has brought new risks that often compromise, exploit and damage invaluable data and systems. Thus, the capability to proactively infer malicious activities is of paramount importance. In this context, generating cyber threat intelligence related to probing or scanning activities is an effective tactic for achieving this.

In this thesis, we investigate such malicious activities, which are typically the precursors of various amplified, debilitating and disrupting cyber attacks. To achieve this task, we analyze real Internet-scale traffic targeting network telescopes or darknets, which are defined by routable, allocated yet unused Internet Protocol addresses.

First, we present a comprehensive survey of the entire probing topic. Specifically, we categorize this topic by elaborating on the nature, strategies and approaches of such probing activities. Second, we focus on the problem of fingerprinting probing activities. To this end, we design, develop and validate approaches that can identify such activities targeting enterprise networks as well as those targeting the Internet space. Third, for attribution purposes, we propose a correlation approach that fuses probing activities with real malware samples. In this context, we also devise a probabilistic model to filter out darknet misconfiguration traffic. Fourth, we focus on the problem of identifying and attributing large-scale probing campaigns, which mark a new era of probing events. To this end, we propose and validate three approaches. Two of the approaches rely on a set of behavioral analytics that scrutinize the traffic generated by the probing sources; they then employ data mining and graph-theoretic techniques to systematically cluster the probing sources into well-defined campaigns. The third approach exploits formal time series interpolation and prediction techniques to pinpoint orchestrated probing campaigns and to filter out non-coordinated probing flows. We conclude this thesis by pinpointing some research gaps that pave the way for future work.


© Concordia University