Practical In-Depth Analysis of IDS Alerts for Tracing and Identifying Potential Attackers on Darknet

Abstract: The darknet (i.e., a set of unused IP addresses) is a very useful solution for observing the global trends of cyber threats and analyzing attack activities on the Internet. Since the darknet is not connected with real systems, in most cases, the incoming packets on the darknet ('the darknet traffic') do not contain a payload. This means that we are unable to get real malware from the darknet traffic. This situation makes it difficult for security experts (e.g., academic researchers, engineers, operators, etc.) to identify whether the source hosts of the darknet traffic are infected by real malware or not. In this paper, we present the overall procedure of the in-depth analysis between the darknet traffic and IDS alerts using real data collected at the Science and Technology Cyber Security Center (S&T CSC) in Korea and provide the detailed in-depth analysis results. The ultimate goal of this paper is to provide practical experience, insight and know-how to security experts so that they are able to identify and trace the root cause of the darknet traffic. The experimental results show that correlation analysis between the darknet traffic and IDS alerts is very useful to discover potential attack hosts, especially internal hosts, and to find out what kinds of malware infected them.


Introduction
The darknet (i.e., a set of unused IP addresses) is a very useful solution for observing the global trends of cyber threats and analyzing attack activities on the Internet. Since the darknet is not connected with real systems, in most cases, the incoming packets on the darknet do not contain a payload. This means that we are unable to get real malware from the darknet traffic. This situation makes it difficult for security experts (e.g., academic researchers, engineers, operators, etc.) to identify whether the source hosts of the darknet traffic are infected by real malware or not. In this paper, the terms 'the source hosts' and 'the source IP addresses' mean all of the real systems connected to the Internet and do not include the darknet.
In our previous work [1,2], we proposed an advanced incident response framework whose main goal is to identify more dangerous IDS alerts [3-12] using the darknet traffic. In addition, we carried out a practical correlation analysis of IDS alerts and the darknet traffic, focusing on internal hosts that sent packet(s) to the darknet, and showed how security operators are able to effectively identify internal attack hosts using the darknet traffic [13]. However, we did not provide any detailed information about the attack activities of the internal attack hosts and did not inspect them using security software. Therefore, we were unable to identify the root cause of the attack activities, and security operators could not make any response against them.
In this paper, as an expansion of [14], in which we only proposed a methodology for conducting correlation analysis between IDS alerts and the darknet traffic, we present the overall procedure of the in-depth analysis between them using real data collected at the Science and Technology Cyber Security Center (S&T CSC) in Korea and provide the detailed in-depth analysis results. To the best of our knowledge, this is the first attempt to carry out in-depth analysis of the darknet traffic together with IDS alerts. The ultimate goal of this paper is to provide practical experience, insight and know-how to security experts (e.g., academic researchers, engineers, operators, etc.) so that they are able to identify and trace the root cause of the darknet traffic.
In particular, we focus on the internal hosts that sent packets to the darknet and analyze the IDS alerts related to those hosts. Furthermore, since the internal hosts are under the control of the organization, we inspected them with dedicated anti-virus software to identify whether they are infected by malware or not. The proposed procedure consists of seven main phases, as described in Section 3: collection, extraction, classification, comparison, correlation analysis, identification and tracing.
In our experiments, we used 16*/24 darknet IP addresses for collecting the darknet traffic and a dedicated IDS [15], which is very similar to Snort [16] and is widely used in Korea, for correlation analysis between them. The experimental results show that correlation analysis between darknet traffic and IDS alerts is very useful to discover potential attack hosts, especially internal hosts, and to find out what kinds of malware (e.g., the name of a known virus or worm, unknown malware, etc.) infected them.
The rest of this paper is organized as follows. In Section 2, we give a brief description of existing approaches based on the darknet. In Section 3, we describe the procedure of the in-depth analysis. In Section 4, we provide experimental results obtained from the Science and Technology Cyber Security Center. Finally, we present concluding remarks and suggestions for future work in Section 5.

Related Work
The darknet is being used for studying and developing countermeasures against malicious activities on the Internet [17-27]. For example, Bailey et al. introduced the Internet Motion Sensor (IMS), a globally-scoped Internet monitoring system. The goal of the IMS is to measure, characterize and track threats on the Internet [20,22]. Moore et al. introduced a network telescope, which is a portion of the routed IP address space [21]. By using the network telescope, in which little or no legitimate traffic exists, they examined its utility and effects for measuring both pandemic incidents (the spread of an Internet worm) and endemic incidents (denial-of-service attacks) on the Internet. Nakao et al. introduced a network incident analysis center for tactical emergency response (nicter), which is monitoring around 300,000 unused IP addresses mainly located in Japan [17-19]. The main objective of the nicter is to carry out correlation analysis between the network threats observed in the darknet and malware executables captured in various types of honeypots. Most of the existing approaches have mainly focused on passively observing the darknet traffic to provide statistical information and recent attack trends, such as the rapid change of a certain scanning pattern or the gradual increase of attacks against a certain port, while this paper aims at collecting the darknet traffic and carrying out correlation and in-depth analysis with IDS alerts for identifying and tracing the root cause of potential cyber threats.

Overall Procedure of Correlation and In-Depth Analysis
Figure 1 shows the procedure of the proposed correlation and in-depth analysis method of IDS alerts for identifying and tracing potential attackers, i.e., attack hosts that send attack packets to the darknet. Similar to [14], the procedure is composed of seven main phases: collection, extraction, classification, comparison, correlation analysis, identification and tracing. Each phase of the procedure is as follows.
1. Collection: During the first phase, all of the incoming network traffic whose destination IP addresses belong to the darknet is captured.
2. Extraction: In this phase, all of the source IP addresses that sent attack packets to the darknet are extracted. We call these source IP addresses 'potential attackers'.
3. Classification: The potential attackers are classified into two groups: the internal hosts and the external hosts, i.e., those located inside and outside the organization, respectively.
4. Comparison: The IDS alerts whose source IP addresses are the same as the internal hosts are extracted by comparing all of the IDS alerts with the internal hosts during a predefined time interval (e.g., one week, one month).
5. Correlation analysis: The extracted IDS alerts are used for correlation analysis, in which the activities of the internal hosts are analyzed using many parameters, such as the IP address, port number, protocol, packet size, type of IDS alert, and so on.
6. Identification: The darknet traffic sent by the internal hosts and the corresponding IDS alerts are investigated by security operators so that they are able to identify internal attack hosts from their historical activities.
7. Tracing: Finally, the internal attack hosts are inspected with dedicated anti-virus software so that malware installed or running on them can be found.
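As an added example (not the paper's code), the following Python script implements phases 2 through 6 of the procedure over constructed packet and alert records: it extracts darknet sources, splits them into internal and external hosts, matches IDS alerts within the calendar-month window the paper uses, and summarizes alert types per host. The prefixes, hosts, alert names, ports and timestamps are all assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed addressing (assumption, not the paper's real prefixes): the
# darknet is a set of unused prefixes; the organization's live hosts are INTERNAL.
DARKNET = [ip_network("203.0.113.0/24")]
INTERNAL = [ip_network("192.0.2.0/24")]

Packet = namedtuple("Packet", "ts src dst proto dport size")  # captured packet (Collection)
Alert = namedtuple("Alert", "ts src name proto dport size")   # alert raised by the boundary IDS

def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)

def extract(packets):
    """Extraction: unique source IPs of packets destined to the darknet."""
    return {p.src for p in packets if in_any(p.dst, DARKNET)}

def classify(sources):
    """Classification: split potential attackers into internal and external hosts."""
    internal = {s for s in sources if in_any(s, INTERNAL)}
    return internal, sources - internal

def month_window(ts):
    """The paper's comparison interval: the calendar month containing a darknet hit."""
    start = ts.replace(day=1, hour=0, minute=0, second=0, microsecond=0)
    end = (start.replace(year=start.year + 1, month=1) if start.month == 12
           else start.replace(month=start.month + 1))
    return start, end

def compare(packets, alerts, internal):
    """Comparison: alerts from each internal host inside the month window of its hits."""
    hits = defaultdict(list)
    for p in packets:
        if p.src in internal and in_any(p.dst, DARKNET):
            hits[p.src].append(p)
    matched = {}
    for host, pkts in hits.items():
        windows = {month_window(p.ts) for p in pkts}
        matched[host] = [a for a in alerts if a.src == host
                         and any(s <= a.ts < e for s, e in windows)]
    return matched

def correlate(matched):
    """Correlation analysis: per host, the alert types, ports and protocols involved."""
    return {host: {"alert_count": len(al),
                   "alert_types": sorted({a.name for a in al}),
                   "dports": sorted({a.dport for a in al}),
                   "protos": sorted({a.proto for a in al})}
            for host, al in matched.items()}

def identify(summary):
    """Identification: internal hosts that also raised IDS alerts, flagged by type count."""
    return {h: "multiple types" if len(s["alert_types"]) > 1 else "single type"
            for h, s in summary.items() if s["alert_count"] > 0}

# Constructed sample data: two internal hosts and one external host hit the
# darknet; one internal host also raised alerts inside and outside its window.
D = datetime
SAMPLE_PACKETS = [
    Packet(D(2013, 1, 15, 9, 0), "192.0.2.10", "203.0.113.5", "UDP", 34902, 352),
    Packet(D(2013, 1, 23, 3, 0), "192.0.2.20", "203.0.113.77", "TCP", 1925, 304),
    Packet(D(2013, 1, 16, 1, 0), "198.51.100.9", "203.0.113.9", "TCP", 445, 60),
    Packet(D(2013, 1, 16, 1, 0), "192.0.2.30", "198.51.100.1", "TCP", 80, 60),  # not darknet
]
SAMPLE_ALERTS = [
    Alert(D(2013, 1, 3, 12, 0), "192.0.2.10", "udp flooding", "UDP", 53, 1024),
    Alert(D(2013, 1, 10, 8, 0), "192.0.2.10", "udp flooding", "UDP", 123, 980),
    Alert(D(2013, 1, 20, 8, 0), "192.0.2.10", "udp port scan", "UDP", 161, 64),
    Alert(D(2013, 2, 2, 8, 0), "192.0.2.10", "udp flooding", "UDP", 53, 1024),  # outside window
    Alert(D(2013, 1, 17, 8, 0), "198.51.100.9", "udp flooding", "UDP", 53, 1024),  # external
]

def run_pipeline(packets, alerts):
    """Phases 2-6 end to end; returns the per-host summary and the flagged hosts."""
    internal, _external = classify(extract(packets))
    summary = correlate(compare(packets, alerts, internal))
    return summary, identify(summary)

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_PACKETS, SAMPLE_ALERTS))
```

Phase 7 (tracing) is the anti-virus inspection of the flagged hosts and is not modelled here.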

Correlation Analysis of Darknet Traffic and IDS Alerts
Figure 2 shows the experimental environment. In order to carry out correlation analysis between darknet traffic and IDS alerts, we prepared a 16*/24 darknet (i.e., 4080 IP addresses) in Korea and collected all of the darknet traffic during six months (January 2013 to June 2013). Furthermore, we deployed a dedicated IDS in the boundary network of the 16*/24 darknet IP addresses. According to the procedure described in Section 3, we conducted the correlation analysis between all of the incoming darknet traffic and the IDS alerts that were raised by the dedicated IDS.
• Extraction: We extracted source IP addresses from the entirety of the darknet traffic. We observed that, on average, 300 unique source IP addresses per day sent packets to our darknet.
• Classification: We then classified the source IP addresses into internal hosts and external hosts. After the classification phase, we observed that only eight internal hosts sent attack packets to our darknet. Table 1 shows an overview of the eight internal hosts observed on our darknet and the number of IDS alerts that were caused by them. Note that we sanitized the IP addresses of the eight internal hosts and their organizations for privacy.
• Comparison: We extracted the IDS alerts whose source IP addresses matched the eight internal hosts. In this comparison phase, we set the time interval for comparing the darknet traffic and the IDS alerts to one month. For example, if an internal host sent packets to the darknet on 15 January, we extracted the IDS alerts whose source IP addresses are the same as the internal host from 1 January to 31 January. As a result, as shown in Table 1, among the eight internal hosts, seven IP addresses also raised one or more IDS alerts during the predefined time interval, i.e., one month.
• Correlation analysis: In our further investigation, we observed that four internal hosts (i.e., the 5th, 6th, 7th and 8th internal hosts in Table 1) raised multiple types (i.e., scanning and web vulnerability) of IDS alerts, while three internal hosts (i.e., the 1st, 2nd and 3rd internal hosts in Table 1) raised a single type of IDS alert (i.e., scanning or web vulnerability).
• Identification: From these results, it could be concluded that seven internal hosts were infected by one or more pieces of malware, and consequently, they triggered many IDS alerts of different types; their malicious activities were also observed on the darknet.

Figures 3-9 show the IDS alerts related to the seven internal hosts (i.e., the 1st, 2nd, 3rd, 5th, 6th, 7th and 8th) that sent packets to the darknet and also raised one or more IDS alerts. In Figures 3-9, the horizontal axis represents time, and the orange square boxes indicate the detection time of packets observed on the darknet. The Arabic numeral in the colored square boxes (e.g., blue, red, green, purple, etc.) indicates the number of IDS alerts that were triggered by the seven internal hosts, i.e., potential attackers, and the color of the square boxes represents the type of IDS alert. Furthermore, Tables 2-8 show additional information (i.e., detection time, protocol, source and destination ports, packet size) for the corresponding internal hosts, i.e., the 1st, 2nd, 3rd, 5th, 6th, 7th and 8th, respectively.
From Figure 3, we can see that the first internal host raised one type of IDS alert. The name of the IDS alert is "netbios xxxx smb Transaction". Note that we sanitized the names of IDS alerts for security. The first internal host raised 19 IDS alerts before the detection time (i.e., 15 January) of darknet traffic. From Table 2, the first internal host used the TCP protocol, and the darknet traffic was destined to port 1925, while the IDS alerts were destined to many different ports. The packet sizes of the darknet traffic and the IDS alerts were 304 and 846 bytes, respectively.

From Figure 4, we can see that the second internal host raised one type of IDS alert. The name of the IDS alert is "udp flooding". The second internal host raised many IDS alerts constantly before the detection time (i.e., 15 January) of darknet traffic. From Table 3, the second internal host used the UDP protocol, and the darknet traffic was destined to port 34902, while the IDS alerts were destined to many different ports. The packet size of the darknet traffic was 352 bytes, while the IDS alerts had many different packet sizes.

From Figure 5, we can see that the third internal host raised one type of IDS alert. The name of the IDS alert is "udp flooding". The third internal host raised 31 IDS alerts after the detection time (i.e., 23 January) of darknet traffic. From Table 4, the third internal host used the UDP protocol, and the darknet traffic was destined to port 47684, while the IDS alerts were destined to many different ports. The packet size of the darknet traffic was 352 bytes, while the IDS alerts had many different packet sizes.

From Figure 6, we can see that the fifth internal host raised four types of IDS alerts. The names of the IDS alerts are "udp flooding", "trojan.xxxxmalicious", "MicroSoft (MS) xxxx vulnerability" and "http xxxx remote". The fifth internal host raised 24 IDS alerts before the detection time (i.e., 15 February) of darknet traffic. From Table 5, the fifth internal host used the UDP and TCP protocols, and the darknet traffic was destined to port 16609, while the IDS alerts were destined to many different ports, including 16609. The packet size of the darknet traffic was 352 bytes, while the IDS alerts had many different packet sizes.

From Figure 7, we can easily see that the sixth internal host raised seven different types of IDS alerts. In particular, two alerts (i.e., "http xxx sqlinjection" and "udp port scan") were recorded before the detection time (i.e., 31 March) of darknet traffic, while four alerts (i.e., "Trojan.xxxxmalicious", "MS xxxx vulnerability", "http PHP xxxx SQL Injection" and "dos xxxx agent ping") were raised after the detection time of darknet traffic. From Table 6, the sixth internal host used the UDP and TCP protocols, and the darknet traffic was destined to port 50226, while the IDS alerts were destined to many different ports, including 50226. The packet size of the darknet traffic was 352 bytes, while the IDS alerts had many different packet sizes.

From Figure 8, we can see that the seventh internal host raised four types of IDS alerts. The names of the IDS alerts are "udp flooding", "trojan.xxxxmalicious", "dos xxxx agent ping" and "udp port scan". The seventh internal host raised many IDS alerts before and after the detection time (i.e., 4 April) of darknet traffic. From Table 7, the seventh internal host used the UDP and TCP protocols, and the darknet traffic was destined to port 15730, while the IDS alerts were destined to many different ports, including 15730. The packet size of the darknet traffic was 352 bytes, while the IDS alerts had many different packet sizes.

From Figure 9, we can see that the eighth internal host raised six different types of IDS alerts. In particular, four alerts (i.e., "udp port scan", "dos xxxx agent ping", "dosxxxx agent ping 2" and "malware-hacking-mail") were recorded before the detection time (i.e., 11 May) of darknet traffic, while one alert (i.e., "http web attack tool") was triggered after the detection time of darknet traffic. From Table 8, the eighth internal host used the UDP and TCP protocols, and the darknet traffic was destined to port 46201, while the IDS alerts were destined to many different ports, including 46201. The packet size of the darknet traffic was 248 bytes, while the IDS alerts had many different packet sizes.

In addition, from Figures 3, 4 and 7-9, we can easily see that 'udp flooding' IDS alerts were raised over a long period of time. From these results, we conclude that if an internal host sends any packet(s) to the darknet, it has already been compromised by some malware. Therefore, it is strongly recommended to respond to such an internal host, for example by blocking its IP address, removing the malware using security software, and so on.

Tracing and Identifying Potential Attackers
In order to carry out the in-depth analysis of potential attackers, i.e., attack hosts that sent packets to the darknet, we prepared more experimental data collected from the same experimental environment shown in Figure 2. Similar to the correlation analysis in Section 4.1, we also deployed a dedicated IDS in the boundary network of the 16*/24 darknet IP addresses. We used the darknet traffic and IDS alerts of two months (September 2013 to October 2013) for tracing and identifying potential attackers.
According to the procedure described in Section 3, we conducted the in-depth analysis between all of the incoming darknet traffic and IDS alerts that were raised by the dedicated IDS.
• Extraction: We extracted source IP addresses from the entire darknet traffic.
• Classification: We then classified the source IP addresses into internal hosts and external hosts. After the classification phase, we observed that only 17 internal hosts sent attack packets to our darknet. Table 9 shows an overview of the 17 internal hosts observed on our darknet. Note that we sanitized the IP addresses of the 17 internal hosts and their organizations for privacy.
• Comparison: We extracted the IDS alerts whose source IP addresses matched the 17 internal hosts. In this comparison phase, we set the time interval between darknet traffic and the IDS alerts to one month. For example, if an internal host sent packets to the darknet on 16 September, we extracted the IDS alerts whose source IP addresses are the same as the internal host from 1 September to 1 October. As a result, as shown in Table 10, among the 17 internal hosts, five IP addresses (i.e., internal attack hosts) also raised one or more IDS alerts during one month.
• Correlation analysis: In our further investigation, we observed that one internal host raised multiple types of IDS alerts, while four internal hosts raised a single type of IDS alert.
• Identification and tracing: We ran anti-virus software to identify and trace malware on the five internal attack hosts. As a result, we observed that two attack hosts (i.e., the third and ninth in Table 9) were infected with 30 and 144 different types of malware, respectively, while the anti-virus software could not detect any malware on the other hosts (i.e., the 11th, 12th and 16th in Table 9). From these results, it could be concluded that two internal attack hosts were infected by many pieces of malware, and consequently, they triggered many IDS alerts of different types; their malicious activities were also observed on the darknet. Furthermore, there is a high possibility that the other three internal hosts were infected by unknown malware that was not detected by the anti-virus software. Since the darknet traffic itself is caused by malicious activities, if the dedicated IDS records the corresponding security events, they can also be regarded as true positives, not false positives.

The Arabic numeral in the colored square boxes (e.g., blue, red, green, purple, etc.) indicates the number of IDS alerts that were triggered by the five internal attack hosts, and the color of the square boxes represents the type of IDS alert. Tables 11-15 show additional information (i.e., detection time, protocol, source and destination ports, packet size) for the corresponding internal attack hosts, i.e., the 3rd, 9th, 11th, 12th and 19th, respectively.

From Figure 10, we can see that the third internal attack host raised one type of IDS alert. The name of the IDS alert is "udp flooding". The third internal attack host raised 28 IDS alerts before the detection time (i.e., 16 September) of darknet traffic. Figure 11 shows examples of the "udp flooding" alerts. Note that we sanitized the names of the IDS alerts and the IP addresses for security. From Table 11, the third internal attack host used the UDP protocol, and both the darknet traffic and the IDS alerts were destined to many different ports. The packet size of the darknet traffic was 316 bytes, while the IDS alerts had many different packet sizes. In addition, as described in Table 9, the anti-virus software detected 30 different types of malware on the third internal attack host.
From Figure 12, we can see that the ninth internal attack host raised one type of IDS alert. The name of the IDS alert is "DNS Sinkhole". The ninth internal attack host raised 10 IDS alerts after the detection time (i.e., 30 September) of darknet traffic. Figure 13 shows examples of the "DNS Sinkhole" alerts. From Table 12, the ninth internal attack host used the TCP protocol, and the darknet traffic was destined to many different ports, while the destination ports of the IDS alerts were 5218 and 217. The packet size of the darknet traffic was 264 bytes, while the IDS alerts had many different packet sizes. In addition, as described in Table 9, the anti-virus software detected 144 different types of malware on the ninth internal attack host.

From Figure 14, we can see that the 11th internal attack host raised one type of IDS alert. The name of the IDS alert is "trojan.xxxxmalicious". The 11th internal attack host raised six IDS alerts before and after the detection time (i.e., 8 October) of darknet traffic. Figure 15 shows examples of the "trojan.xxxxmalicious" alerts. From Table 13, the 11th internal attack host used the UDP and TCP protocols, and the darknet traffic was destined to port 5489, while the IDS alerts were destined to many different ports. The packet size of the darknet traffic was 556 bytes, while the IDS alerts had many different packet sizes. In addition, as described in Table 9, the anti-virus software could not detect any malware on the 11th internal attack host. This means that the 11th internal attack host was compromised by unknown malware.

From Figure 16, we can see that the 12th internal attack host raised three types of IDS alerts. The names of the IDS alerts are "udp flooding", "trojan.xxxxmalicious" and "http sql injection". The 12th internal attack host raised many IDS alerts before and after the detection time (i.e., 8 October) of darknet traffic. Figure 17 shows examples of the "udp flooding", "trojan.xxxxmalicious" and "http sql injection" alerts. From Table 14, the 12th internal attack host used the UDP and TCP protocols, and the darknet traffic was destined to port 5489, while the IDS alerts were destined to many different ports. The packet size of the darknet traffic was 556 bytes, while the IDS alerts had many different packet sizes. In addition, as described in Table 9, the anti-virus software could not detect any malware on the 12th internal attack host. This means that the 12th internal attack host was infected by unknown malware.

From Figure 18, we can see that the 16th internal attack host raised one type of IDS alert. The name of the IDS alert is "trojan.xxxxmalicious". The 16th internal attack host raised five IDS alerts before the detection time (i.e., 17 October) of darknet traffic. Figure 19 shows examples of the "trojan.xxxxmalicious" alerts. From Table 15, the 16th internal attack host used the UDP protocol, and the darknet traffic was destined to many different ports, while the IDS alerts were destined to port 62181. The darknet traffic had many different packet sizes, while the packet size of the IDS alerts was 52,000 bytes. In addition, as described in Table 9, the anti-virus software could not detect any malware on the 16th internal attack host. This means that the 16th internal attack host was infected by unknown malware.

Conclusions
In this paper, we have presented a procedure for carrying out in-depth analysis of IDS alerts and darknet traffic, so that the root cause of the darknet traffic can be identified and traced. In particular, we focused on the internal hosts that sent packets to the darknet and analyzed the IDS alerts related to those hosts. Furthermore, we have proposed a method to inspect the internal hosts using dedicated anti-virus software, so that it is possible to identify whether they are infected by some malware or not. The proposed procedure consists of seven main phases, as described in Section 3: collection, extraction, classification, comparison, correlation analysis, identification and tracing.
In our experiments, we used 16*/24 darknet IP addresses for collecting darknet traffic and a dedicated IDS for correlation analysis between them. In the experiments, we detected five internal attack hosts that raised one or more IDS alerts. In addition, using the anti-virus software, we identified that two internal attack hosts were infected by 30 and 144 pieces of malware, respectively. Furthermore, the anti-virus software could not detect any malware on the other three internal attack hosts. This means that they were infected by unknown malware. As a result, it can be concluded that the proposed method for in-depth analysis is very useful to detect internal attack hosts (i.e., potential attackers) in organizations and to find out what malware (e.g., the name of a known virus or worm, unknown malware, etc.) is running or installed on them.
In future work, we need to inspect the potential attackers, especially internal hosts infected by unknown malware, using more anti-virus software (e.g., VirusTotal [28]) in order to identify them more precisely.

Figure 1. Procedure of the proposed analysis method.

Figure 2. Experimental environment for in-depth analysis.

Figure 3. Activities of the first internal host in IDS alerts.

Figure 4. Activities of the second internal host in IDS alerts.

Figure 5. Activities of the third internal host in IDS alerts.

Figure 6. Activities of the fifth internal host in IDS alerts.

Table 5. Summary of IDS alerts and darknet traffic related to the 5th internal host.

Figure 7. Activities of the sixth internal host in IDS alerts.

Figure 8. Activities of the seventh internal host in IDS alerts.

Figure 9. Activities of the eighth internal host in IDS alerts.

Figures 10-19 show the IDS alerts related to the five internal attack hosts (i.e., the 3rd, 9th, 11th, 12th and 19th) that sent packets to the darknet and also raised one or more IDS alerts, as well as examples of the IDS alerts related to the five internal attack hosts. In Figures 10, 12, 14, 16 and 18, the horizontal axis represents time, and the orange square boxes indicate the detection time of packets observed on the darknet.

Figure 10. Activities of the third real attack host in IDS alerts.

Figure 11. Examples of IDS alerts related to the third real attack host. The Korean text means 'attack information'.

Figure 12. Activities of the ninth real attack host in IDS alerts.

Figure 13. Examples of IDS alerts related to the ninth real attack host.

Figure 14. Activities of the 11th real attack host in IDS alerts.

Figure 15. Examples of IDS alerts related to the 11th real attack host.

Figure 16. Activities of the 12th real attack host in IDS alerts.

Figure 17. Examples of IDS alerts related to the 12th real attack host.

Figure 18. Activities of the 16th real attack host in IDS alerts.

Figure 19. Examples of IDS alerts related to the 16th real attack host.

Table 1. Overview of 8 internal hosts observed on the darknet.

Table 2. Summary of IDS alerts and darknet traffic related to the 1st internal host.

Table 3. Summary of IDS alerts and darknet traffic related to the 2nd internal host.

Table 4. Summary of IDS alerts and darknet traffic related to the 3rd internal host.

Table 6. Summary of IDS alerts and darknet traffic related to the 6th internal host.

Table 7. Summary of IDS alerts and darknet traffic related to the 7th internal host.

Table 8. Summary of IDS alerts and darknet traffic related to the 8th internal host.

Table 9. Overview of 17 internal hosts observed on the darknet.

Table 10. Overview of 5 internal attack hosts observed on the darknet.

Table 11. Summary of IDS alerts and darknet traffic related to the 3rd real attack host.

Table 12. Summary of IDS alerts and darknet traffic related to the 9th real attack host.

Table 13. Summary of IDS alerts and darknet traffic related to the 11th real attack host.

Table 14. Summary of IDS alerts and darknet traffic related to the 12th real attack host.

Table 15. Summary of IDS alerts and darknet traffic related to the 16th real attack host.