The darknet is an essential part of the Internet: monitoring it can reveal current global trends in cyber crime and measure the scale and techniques of various malicious online activities. Because darknet websites are not hosted on conventional Internet servers, incoming darknet packets usually carry no payload. Accordingly, it is almost impossible to extract malware by monitoring darknet traffic, which makes it hard for security professionals (engineers, academic researchers, operators, etc.) to determine whether or not darknet website hosts are infected with malware.
A group of researchers from South Korea has just published a paper describing the procedure they used for in-depth correlation analysis between darknet traffic and IDS alerts, using real-time data collected at the Science and Technology Cyber Security Center (S&T CSC) in South Korea. The paper aims to give security experts insight, data from practical experiments and know-how that can help them trace and identify the root cause of darknet traffic. The experiments showed that correlation analysis between IDS alerts and darknet traffic is very useful for pinpointing possible attack hosts, particularly internal hosts, and for discovering what types of malware infected them.
The Procedure of Correlation & In-Depth Analysis:
The figure below outlines the procedure of correlation and in-depth analysis of IDS alerts that the researchers used to identify and track potential attack hosts that send attack packets to the darknet. The procedure consists of seven main steps: collection, extraction, classification, comparison, correlation analysis, identification and tracing:
1- Collection: In the first step, all incoming network traffic destined to IP addresses that belong to the darknet is captured.
2- Extraction: All IP addresses that sent attack packets to the darknet are extracted. These IP addresses are marked as “potential attackers”.
3- Classification: Potential attackers are grouped into one of two categories, external and internal hosts, according to whether or not the attack host is located inside the organization's network.
4- Comparison: IDS alerts whose source IP addresses match internal hosts are pinpointed by comparing all IDS alerts against the internal hosts over a predefined time period (e.g. one week, one month, etc.).
5- Correlation analysis: The IDS alerts extracted in the previous step are used in correlation analysis: the internal hosts' activities are analyzed using several parameters, including port number, IP address, packet size, protocol and type of IDS alert.
6- Identification: Darknet traffic sent by internal hosts and the matching IDS alerts are thoroughly investigated by security professionals, who pinpoint internal attack hosts by analyzing their historical activities.
7- Tracing: Finally, internal attack hosts are examined with a special anti-virus program so that the malware installed on them can be identified.
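The seven steps above, carried through on constructed data as an added example. This is not the researchers' code: the darknet block, the internal address space, the captured packet records and the IDS alert records are all invented for illustration, and the field names are assumptions. Steps 1 to 5 are automated here; steps 6 and 7 are analyst and anti-virus work, so the script stops at producing the per-host correlation report and the list of internal hosts that, like the five found in the paper, triggered more than a single IDS alert.

```python
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed address blocks: one /24 watched as a darknet, and the organisation's internal space.
DARKNET = ip_network("203.0.113.0/24")
INTERNAL = ip_network("10.0.0.0/8")

# Constructed sensor records (step 1 input). Darknet packets carry no payload, so only header fields are kept.
PACKETS = [
    {"ts": "2024-03-01T10:00:00", "src": "10.1.2.3", "dst": "203.0.113.7", "proto": "tcp", "dport": 445, "size": 60},
    {"ts": "2024-03-01T10:00:05", "src": "10.1.2.3", "dst": "203.0.113.9", "proto": "tcp", "dport": 445, "size": 60},
    {"ts": "2024-03-01T10:01:00", "src": "198.51.100.4", "dst": "203.0.113.20", "proto": "tcp", "dport": 23, "size": 60},
    {"ts": "2024-03-01T10:02:00", "src": "10.9.9.9", "dst": "203.0.113.3", "proto": "udp", "dport": 1434, "size": 404},
    {"ts": "2024-03-01T10:03:00", "src": "10.5.5.5", "dst": "192.0.2.1", "proto": "tcp", "dport": 80, "size": 60},
]

# Constructed IDS alerts from the same organisation; "sig" is the alert signature name.
ALERTS = [
    {"ts": "2024-03-01T09:58:00", "src": "10.1.2.3", "dst": "10.2.0.50", "proto": "tcp", "dport": 445, "sig": "SMB exploit attempt"},
    {"ts": "2024-03-01T10:00:30", "src": "10.1.2.3", "dst": "10.2.0.51", "proto": "tcp", "dport": 445, "sig": "SMB exploit attempt"},
    {"ts": "2024-02-01T10:00:00", "src": "10.9.9.9", "dst": "10.2.0.52", "proto": "udp", "dport": 1434, "sig": "MS-SQL worm probe"},
    {"ts": "2024-03-01T10:05:00", "src": "10.7.7.7", "dst": "10.2.0.53", "proto": "tcp", "dport": 22, "sig": "SSH brute force"},
]


def collect(packets, darknet=DARKNET):
    """Step 1: keep only packets destined to the darknet block."""
    return [p for p in packets if ip_address(p["dst"]) in darknet]


def extract(darknet_packets):
    """Step 2: potential attackers are the distinct source addresses seen on the darknet."""
    return sorted({p["src"] for p in darknet_packets})


def classify(attackers, internal=INTERNAL):
    """Step 3: split potential attackers into internal and external hosts."""
    internal_hosts = [a for a in attackers if ip_address(a) in internal]
    external_hosts = [a for a in attackers if ip_address(a) not in internal]
    return internal_hosts, external_hosts


def compare(alerts, internal_hosts, start, end):
    """Step 4: IDS alerts whose source is an internal attack host, within the time window [start, end]."""
    hosts = set(internal_hosts)
    return [a for a in alerts if a["src"] in hosts and start <= datetime.fromisoformat(a["ts"]) <= end]


def correlate(darknet_packets, matched_alerts):
    """Step 5: per internal host, summarise darknet activity and IDS alerts by port, protocol, size and signature."""
    report = defaultdict(lambda: {"darknet_targets": set(), "darknet_ports": Counter(),
                                  "packet_sizes": Counter(), "alerts": Counter()})
    hosts = {a["src"] for a in matched_alerts}
    for p in darknet_packets:
        if p["src"] in hosts:
            entry = report[p["src"]]
            entry["darknet_targets"].add(p["dst"])
            entry["darknet_ports"][(p["proto"], p["dport"])] += 1
            entry["packet_sizes"][p["size"]] += 1
    for a in matched_alerts:
        report[a["src"]]["alerts"][(a["sig"], a["proto"], a["dport"])] += 1
    return dict(report)


def identify(report, min_alerts=2):
    """Pre-filter for step 6: internal hosts that hit the darknet and raised at least min_alerts IDS alerts.
    The analyst review and the anti-virus scan (step 7) happen outside this script."""
    return sorted(h for h, r in report.items() if sum(r["alerts"].values()) >= min_alerts)


def run_pipeline(packets, alerts, start, end):
    """Run steps 1-5 and the step-6 pre-filter; start and end are ISO-8601 strings."""
    darknet_packets = collect(packets)
    internal_hosts, external_hosts = classify(extract(darknet_packets))
    matched = compare(alerts, internal_hosts, datetime.fromisoformat(start), datetime.fromisoformat(end))
    report = correlate(darknet_packets, matched)
    return {"internal_candidates": internal_hosts, "external_candidates": external_hosts,
            "report": report, "internal_attack_hosts": identify(report)}


if __name__ == "__main__":
    result = run_pipeline(PACKETS, ALERTS, "2024-03-01", "2024-03-08")
    for host in result["internal_attack_hosts"]:
        print(host, result["report"][host])
```

On the constructed data, 10.1.2.3 scanned two darknet addresses on tcp/445 and raised two SMB alerts inside the one-week window, so it is the only host handed to the analyst; 10.9.9.9 also probed the darknet, but its only alert is a month old and falls outside the comparison window, which is why the period chosen in step 4 matters.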
In the experiment, the researchers used 16 /24 darknet IP address blocks to capture darknet traffic, along with a dedicated IDS server, and performed correlation analysis between the two. The experiments led to the discovery of five internal attack hosts that triggered more than a single IDS alert. Moreover, using the anti-virus program, the researchers identified that two of the discovered attack hosts were infected by 177 malware. On the other hand, the anti-virus program failed to identify any malware on the other three internal attack hosts, which means that these hosts were infected by unknown types of malware. Consequently, the proposed in-depth analysis method is efficient at detecting internal attack hosts (i.e. potential attackers on the darknet) in a given organization and at finding out which malware is running on them, whether a known trojan, virus or worm identified by name, or an unknown form of malware.
The researchers stated that they will continue research in this field. Their future work is expected to monitor potential attack hosts, particularly internal attack hosts infected by unknown forms of malware, using more than one anti-virus program in order to determine the malware accurately.