A significant if not the vast majority of computing devices are globally connected to one another via the Internet. While such interconnectedness has resulted in services and functionality almost unimaginable in the pre-Internet world, not all the effects of the Internet have been positive. A downside, for instance, to permitting a computing device to reach nearly any other device around the world is the computing device's susceptibility to unwittingly communicate with malicious devices in ways unimaginable decades ago.
As noted in the background, a large percentage of the world's computing devices can communicate with one another over the Internet, which while generally advantageous renders the computing devices susceptible to unwittingly communicating with malicious devices. For instance, a client computing device, such as a desktop, laptop, or notebook computer, or a smartphone or tablet computing device, may become infected with malware associated with a nefarious party. As a result of such infection, the client device may periodically attempt to contact a server computing device that is also associated with the nefarious party. Such periodic communication is referred to as beaconing.
As a result of such periodic communication from a client computing device the server computing device can learn that the client device has successfully been infected with malware, and the server device may subsequently be able to control the client device for nefarious purposes. For example, the server device may be able to access confidential information stored on the client device, or probe other client devices on the same or other networks for vulnerabilities to access their stored confidential information. As another example, the server device may instruct the client device to participate in a destructive activity, such as a distributed denial of service (DDOS) attack, against a different server computing device. The nefarious party may wait a long length of time upon its server device first receiving beacons from a compromised client device before leveraging the client device in these ways, so as not to raise suspicion that the client device has been compromised. Similarly, the beacons themselves may be hours or days apart so as not to raise suspicion of client device compromise.
Techniques described provide for beaconing identification. Network communication events of a network traffic log can be filtered to remove events that are likely unrelated to beaconing. Each event has a timestamp indicative of when the event occurred, and the source entity and/or destination entity of the event, among other information. The filtered events can be aggregated by unique source entity-destination entity pairs. Network communication event filtering and aggregation can be iteratively performed as desired.
Once the network communication events have been satisfactorily filtered and aggregated, the events for each unique source entity-destination entity pair are timestamp-sorted, and time differentials between adjacent events are calculated. A beacon likelihood metric can then be calculated for each unique pair from its calculated time differentials. Unique source entity-destination entity pairs that are indicative of beaconing are identified based on the calculated beacon likelihood metrics. Remedial actions may then be performed to resolve the potential compromises in security that may be associated with such beaconing.
The beaconing identification performed in accordance with the techniques described herein cannot be practically performed manually or performed mentally in one's mind, even when such identification occurs in an offline manner, let alone in an online manner. The number of and amount of data within the network communication events are substantially voluminous for even a relatively small network (i.e., a network having a relatively small number of devices), and can exponentially increase with larger networks such as a typical enterprise network. There is no practical way such amounts of information can be analyzed in accordance with the techniques described herein using just paper and pencil, for instance. It would take months if not longer to manually perform the techniques on an even limited set of data representing a small timeframe of network communication, rendering them ineffective to actually identify beaconing in such a way that the information could be actionably used.
Per
Referring first to
Each network communication event 204 may further include the protocol 308 in accordance with which the network communication was sent from the source entity 304 to the destination entity 306. The protocol 308 can be a network transport protocol, such as the transmission control protocol (TCP) and the user datagram protocol (UDP), which are both built on top of the Internet protocol. Each event 204 may also include the source network port 310 from which the network communication was sent at the source entity 304, and the destination network port 312 to which the communication was sent at the destination entity 306. From the network transport protocol 308 and the destination network port 312 in particular, another protocol 308 of the network communication event 204 may be determined, specifically an application layer protocol. Examples of application layer protocols include the network time protocol (NTP), the domain name system (DNS) protocol, the hypertext transport protocol (HTTP), and the file transport protocol (FTP), among other protocols.
Other information can also be collected in the network communication events 204 of the network traffic log 300. Such other information can include the number of bytes of an event 204, the number of packets within an event 204, the number of flows of the event 204, and any TCP flags within the event 204. As additional examples, the outcome of each event 204 may be logged, such as whether the communication was successful in terms of whether the source entity 304 received a reply from the destination entity 306 in response to the initial communication from the source entity 304 to the destination entity 306. If network communication events 204 of multiple network traffic logs 300 are being collected, each such log 300 may be identified within its events 204. Still other information that can be collected in the events 204 include username and other identifying information regarding the source entity 304 and/or destination entity 306, if known.
It is noted that network traffic logs 326 are collected in that information contained within the logs 326 are collected. The original network traffic logs 326 within which the events 204 are originally logged may be read by a software tool and delivered to a datastore such as a database that can then be queried for performing query detection, particularly in the case of offline beacon detection. In the case of online beacon detection, the events 204 may be collected before persistence to such a datastore.
A network traffic log 300 may be a unidirectional log or a bidirectional log. As shown in
In summarizing network communication events 204 in the case where the network traffic log 300 is a unidirectional log, it is not known for a given event 204 which of the source and destination entities 304 and 306 is the client computing device 102 at which beaconing was initiated, and which of the entities 304 and 306 is the server computing device 104 to which the beaconing is directed. Therefore, in one implementation, the events 204 may be processed to create a bidirectional summary for two or multiple events. For example, when two or more such unidirectional network communication events 204 regarding the same pair of entities are combined, the source entity 304 of the earliest such event 204 can be deemed as the client computing device 102 at which beaconing was initiated, and the destination entity 306 of this event 204 can be deemed the server computing device 104. Such a bidirectional summary may further be created by aggregating events 204 that occur more than a threshold length of time after the previous event 204 on the same connection.
In another implementation, as part of network communication event collection, a heuristic can be applied to the source and destination network ports 310 and 312 to identify one such network port 310 or 312 to retain within a given event 204 in order to identify the server device 104 as the beacon recipient. The other port 312 or 310 is accordingly discarded. In another implementation, however, both ports 310 and 312 may be retained.
One example heuristic is to simply always select the source network port 310 or the destination network port 312. Still another example heuristic is to select the smaller of the source and destination network ports 310 and 312 to retain. For instance, it may be expected that the network port at which the server computing device 104 receives beacons is a standard port that network communication regarding which will pass through a firewall behind which the client computing device 102 is located. Such standard ports generally have lower port numbers, such as less than 1024. In such instance, the network port at which the client computing device 102 sends network communication is likely to be a non-standard port, which generally has a larger port number. It is not uncommon for such port numbers to be four or five digits in length, for example. Therefore, retaining the smaller of the source and destination ports 310 and 312 is a heuristic by which to identify the server device 104 that is the beaconing recipient.
Another example heuristic is to select the non-ephemeral of the source and destination network ports 310 and 312 to retain. An ephemeral port is a short-lived port number used by the TCP, UDP, and other network transport protocols. Ephemeral ports are usually automatically allocated from a predefined range (e.g., user ports between 1024-49151, and dynamic and/or private ports between 49152 and 65535). For given beaconing from a client computing device 102 to a server computing device 104, the port from which the client device 102 sends network communication is likely to change, potentially on a per-communication basis, whereas the port at which the server device 102 receives network communication is likely to remain constant. Therefore, retaining the non-ephemeral port of the source and destination ports 310 and 312 is a heuristic by which to start searching for beaconing activity, with the server device 104 as the recipient.
By comparison, as shown in
Referring back to
For example, a given protocol 308 of a network communication event 204 may be known to not relate to beaconing. A client computing device 102 may periodically send events 204 in the NTP, for instance, to synchronize its internal time clock with a network time server, such as an Internet time server. Because such events 204 are legitimate traffic, they can be removed during filtering. Similarly, the client device 102 may periodically send events 204 in the DNS protocol for legitimate purposes, but which can resemble beaconing, and therefore such events 204 may also be removed during filtering.
In one implementation, if events 204 each specify their number of bytes, events 204 having a legitimate protocol 308 may be removed just if they have a number of bytes within a range indicative of legitimate traffic network. That is, events 204 having a legitimate protocol 308 that have a number of bytes outside of the typical range for traffic according to this protocol 308 may be beacons masquerading as such traffic. Similarly, events 204 that otherwise have a legitimate protocol 308 may be discarded just if they are directed to a known destination entity 306.
Network communication events 204 for which the destination entity 306 is known to not relate to beaconing may similarly be removed during filtering. Such events 204 may occur in a manner that otherwise resembles beaconing. However, if the destination entity 306 is known to be a trusted entity and not be operated by a nefarious party, then such events 204 do not have to be considered further and therefore can be removed. As another example, network traffic between unknown entities 306 and 308 may be examined more often than traffic between known entities 306 and 308. Latter such network traffic may still be examined to identify any new or unexpected beacons, for instance.
Filtering can also be performed on the relatedness or affiliation between the source entity 304 and the destination entity 306. For example, if both entities 304 and 306 of an event 204 are part of the same local network, then such events 204 may be removed or examined less frequently than events 204 for which the source entity 304 is part of the local network and the destination entity 306 is not. As another example, events 204 for which the source entity 304 is outside the local network and the destination entity 306 is inside the local network may be removed or examined less frequently than events 204 for which the source entity 304 is inside the local network and the destination entity 306 is outside the local entity.
Network communication events 204 can also be filtered based on the source network port 310 or the destination network port 312 retained during collection of the events 204, such as has been described in relation to usage of such port 310 or 312 along with the network transport protocol 306 to identify the application layer protocol 308. The network communication events 204 may be filtered in other ways as well. Each event 204 for which the source and destination entities 304 and 306 do not appear in a minimum number of other events 204 may be removed, so that infrequent communication from a given source entity 304 to a given destination entity 306 is not considered. Each event 204 for which the source and destination entities 304 and 306 appear in more than a maximum number of other events 204 may also be removed, so that such events 204 do not by their very number obfuscate detection of beaconing occurring in a smaller number of other events 204. Most generally, filtering can be performed on the basis of any information within the events 204, such as a selected time range, a selected set of entities 304 and/or 306, and so on.
Each network communication event 204 for which the source and destination entities 304 and 306 do not appear in a minimum number of other events 204 during a specified time window may similarly be removed. Likewise, each event 204 for which the source and destination entities 304 and 306 appear in more than a maximum number of other events 204 during a specified time window may be removed. Such event removal in consideration of the time windows in which the events 204 occur is therefore similar to the filtering described in the previous paragraph, but occurs at a more granular level (i.e., per time window).
Network communication events 204 having the same source entity 304 and the same destination entity 306 for which the average or median time period is less than a minimum time period or greater than a maximum time period may be removed. (Note that such filtering may be performed after time differentials 216 are calculated, as described later, in which case the filtering is actually performed afterwards, since the time differentials 216 are the time periods in question.) Such filtering in effect provides for a way by which to consider just events 204 of interest for possible beaconing. Similarly, events 204 having the same source and destination entities 304 and 306 for which the standard deviation in time period is less than a minimum standard of deviation or greater than a maximum standard of deviation may be removed during filtering.
Network communication events 204 having the same source entity 304 and the same destination entity 306 for which a coefficient of variation in time period is greater than a maximum coefficient of variation or less than a minimum coefficient of variation may be removed. The coefficient of variation in this respect is the standard deviation in time period divided by the mean time period. Such filtering also effectively provides for a way by which to consider just events 204 of interest for possible beaconing.
Network communication events 204 having the same source entity 304 and the same destination entity 306 for which a mean of absolute deviations in time period is greater than a maximum mean of absolute deviations or less than a minimum mean of absolute deviations may similarly be removed during filtering. The mean of absolute deviations in this respect is
where Nij is the number of events 204 having a given source entity i and a given destination entity j, perijk is a given event k having the source entity i and the destination entity j, and mean(perij) is the mean, or average, of all such events perij. Such filtering is another way by which to consider just events 204 of interest for possible beaconing.
Network communication events 204 having the same source entity 304 and the same destination entity 306 for which a coverage or duration in event activity is greater than a maximum coverage or duration or less than a minimum coverage or duration may also be removed during filtering. The coverage of such events 204 in this respect may be the average time period of these events 204, multiplied by their number minus one. The duration of such events 204 may be the largest (i.e., most recent) timestamp 314 of any such event 204, minus the smallest (e.g., earliest) timestamp 314 of any such event 204. Such filtering is an additional way by which to consider just events 204 of interest for possible beaconing.
The network communication events 204 may also be filtered based on their spectral time periods. That is, the spectral time period of each set of events 204 having the same source entity 304 and the same destination entity 306 may be determined in the frequency domain, such as via a fast Fourier transform or a discrete Fourier transform. The spectral time period for events 204 with specific source and destination entities 304 and 306 may also be manually provided. Any events 204 having a given source entity 304 and a given destination entity 306 that have time periods greater than the spectral time period for all the events 204 having these source and destination entities 304 and 306 may then be removed.
Referring back to
Referring back to
Referring next to
Referring back to
Referring back to
In one implementation, the beacon likelihood metric 220 for a source entity-destination entity pair 502 may be calculated as a modified normalized mean of absolute deviations of the calculated time differentials 216 for that pair 502. Specifically, the modified normalized mean of absolute deviations may be calculated by dividing the sum of the absolute difference between each calculated time differential 216 and the median of the calculated time differentials 216 by a product of the number of the timestamp-sorted and filtered network communication events 210′ for the pair 502 and the median of the calculated time differentials 216. Mathematically, this beacon likelihood metric 220 can be expressed as
In this expression, Nij is the number of events 210′ having a given source entity i and a given destination entity j, diffijk is a given time differential k between adjacent events 210′ having the source entity i and the destination entity j, and median(diffij) is the median of all such time differentials diffij.
This particular beacon likelihood metric 220 is normalized in that it is divided by the number of events 210′ having a given source entity i and a given destination entity j, Nij. The metric 220 is a mean of absolute deviations in that the sum of the absolute deviations, Σ|diffijk−median(diffij)|, is averaged as a result of division by the median, median(diffij). The metric 220 can be considered robust in that it uses median instead of mean in this respect (since median is more robust than mean because it changes less if outliers are present), and further does not use squares of differences as is the case with standard deviation.
Based on the calculated beacon likelihood metrics 220 for the unique source entity-destination entity pairs 502, those unique source-destination entity pairs 224 that are indicative of beaconing are identified (226). That is, each unique pair 224 of a source entity 304 and a destination entity 306 is one of the unique pairs 502. For example, a specified number of the unique pairs 502 having the lowest beacon likelihood metrics 220 may be identified as the unique pairs 224 that are indicative of beaconing. As another example, each unique pair 502 having a beacon likelihood metric 220 lower than a threshold may be identified as a unique pair 224 that is indicative of beaconing. A pair 224 is indicative of beaconing in that the logged communication between the source entity 304 and the destination entity 306 of the pair 224 is indicative of beaconing. That is, the communication between the source entity 304 and the destination entity 306 of each such pair 224 is likely to be or reflect beaconing activity.
An action may then be performed (228) in relation to the identified unique source entity-destination entity pairs 224 that are indicative of beaconing. For example, the identified pairs 224 may be displayed to a user, who can assess what further action should be taken. As another example, a remedial action may be performed to protect the network 106 from potential security compromise that may result from or otherwise related to such indicated beaconing. For example, the network 106 may be reconfigured to prevent network traffic to the destination entity 306 of each identified pair 224. As another example, the source entities 304 of the identified pairs 224 may be removed from the network 106 and inspected to identify the malware or other issue resulting in their beaconing to respective destination entities 306.
In one implementation, the process 200 that has been described can be iteratively performed in relation to aggregated groups of events 204. For example, events 204 between the same unique source entity-destination entity pairs 224 may be aggregated in windows of a specified time period, and the time intervals between such aggregated groups of events 204 considered. Such an implementation is suitable for situations in which a source entity 304 and a destination entity 306 communicate in bursts of connections, where the connections themselves are periodic.
The processing includes aggregating the filtered network communication events by unique source entity-destination entity pairs (806). The processing includes, for each unique source entity-destination entity pair, timestamp-sorting the filtered network communication events, calculating time differentials between the timestamps of adjacent timestamp-sorted and filtered network communication events, and calculating a beacon likelihood metric from the calculated time differentials (808). The processing includes identifying which of the unique source entity-destination entity pairs are indicative of beaconing based on the beacon likelihood metric calculated for each unique source entity-destination entity pair (810).
The processing includes, for each unique source entity-destination entity pair, timestamp-sorting the filtered network communication events, calculating time differentials between the timestamps of adjacent timestamp-sorted and filtered network communication events, and calculating a modified normalized mean of absolute deviations of the calculated time differentials as a beacon likelihood metric (910). The processing includes identify which of the unique source entity-destination entity pairs are indicative of beaconing based on the beacon likelihood metric calculated for each unique source entity-destination entity pair (912). The processing includes performing a remedial action in relation to the unique source entity-destination entity pairs that have been identified as indicative of beaconing (914).
As has been noted, beaconing identification can occur offline or online. As an offline process, network traffic logs of network communication events can be collected, filtered, and aggregated for beaconing identification well after the events have occurred, where such offline processing may not occur directly on the logs, as noted above. Such an offline process is well suited for interactivity, in which a user can manually participate in the iterative filtering and aggregation of the network communication events. By comparison, online beaconing identification is suitable for situations in which more immediate, and automated, beaconing identification is desired. The beaconing identification process 200 of
During the current time window 1002, therefore, network communication events 1004 are collected and filtered (1006). At the completion of the current time window 1002, the filtered network communication events 1004 are aggregated (1010) by unique source entity-destination entity pairs to yield network communication events 1008 for each unique source entity-destination entity pair that occurred during the current time window 1002. At this time, a new time window begins, and therefore the process 1000 is concurrently repeated (1012) for this next time window with the collection and filtering of network communication events 1004 during this time window (1006).
The network communication events 1008 for each unique source entity-destination entity pair that occurred during the current time window 1002 are timestamp-sorted (1014) to yield timestamp-sorted network communication events 1008′ for each unique pair. It is noted that timestamp-sorting can also be performed as part of aggregation, and not separately, to reduce processing overhead. For each unique source entity-destination entity pair, time differentials 1016 between adjacent network communication events that occurred during the current time window 1002 are then calculated (1018). The time differentials 1016 are thus calculated on a per-time window basis, upon completion of the current time window 1002, for each unique pair.
A beacon likelihood metric 1020 for each unique source entity-destination entity pair, by comparison, is calculated (1022) from the time differentials 1016 for the current time window 1002 as well as from the time differentials 1024 for a specified number of previous time windows 1026. For example, the beacon likelihood metrics 1020 may be calculated for the unique pairs from the time differentials 1016 for the current time window 1002 and the time differentials 1024 for a specified number of the immediately preceding time windows 1026. Therefore, whereas the time differentials 1016 and 1024 are calculated on a per-time window basis, the beacon likelihood metrics 1020 are calculated across time windows, including the current time window 1002 that just completed and a specified number of previous time windows 1026.
The unique source entity-destination entity pairs 1028 indicative of beaconing can then be identified (1030) on the basis of the beacon likelihood metrics 1020 that have been calculated, with a remedial or other action performed (1032) in relation to the identified unique pairs that are indicative of beaconing. In the process 1000, the unique source entity-destination entity pairs 1028 are thus identified each time the current time window 1002 has completed. Such identification is therefore effectively updated as additional network communication events 1004 are collected and filtered, because the identification relies on the time differentials 1016 and 1024 calculated for the current time window 1002 that has just completed and for a specified number of preceding time windows 1026.
The method 1100 includes, for each unique source entity-destination entity pair, timestamp-sorting the filtered network communication events that occurred during the current time window, and calculating time differentials between the timestamps of adjacent timestamp-sorted and filtered network communication events that occurred during the current time window (1106). The method 1100 includes, for each unique source entity-destination entity pair, calculating a beacon likelihood metric from the calculated time differentials for the current time window and from previously calculated time differentials for a number of prior time windows (1108). The method 1100 includes identifying which of the unique source entity-destination pairs are indicative of beaconing based on the beacon likelihood metric calculated for each unique source entity-destination entity pair (1110).
Techniques have been described for identifying beaconing that is indicative of potential security compromises. The techniques provide for iterative filtering and aggregation of network communication events so that the events of interest are considered for potential beaconing activity. The techniques employ a beacon likelihood metric, such as a modified normalized mean of absolute deviations, calculated from time differentials between adjacent events for each unique source entity-destination entity pair. The described techniques have been shown to accurately identify beaconing, permitting potential security compromises to be addressed.
Number | Name | Date | Kind |
---|---|---|---|
8578493 | Cowan | Nov 2013 | B1 |
10264007 | Fehrman | Apr 2019 | B2 |
10671708 | Reed et al. | Jun 2020 | B2 |
20100023867 | Coldiron | Jan 2010 | A1 |
20180083985 | Ahuja et al. | Mar 2018 | A1 |
20200228924 | Lelkens | Jul 2020 | A1 |
20200304529 | Fehrman | Sep 2020 | A1 |
20210194907 | Bertiger | Jun 2021 | A1 |
20210320945 | Black | Oct 2021 | A1 |
Entry |
---|
Kim, Seong Soo, “Real-Time Analysis of Aggregate Network Traffic for Anomaly Detection”, May 2005, <http://cesg.tamu.edu/wp-content/uploads/2012/02/TAMU-ECE-2005-02.pdf>. |
Wheelus et al., “A Session Based Approach For Aggregating Network Tiafflc Data—The SANTA Dataset” 2014. <https://www.researchgate.net/publication/283018805_A_Session_Based_Approach_for_Aggregating_Network_Traffic_Data--_The_SANTA_Dataset >. |
Ramos Regis Barbosa et al., “Toward Periodicity Based Anomaly Detection in SCADA Networks”, Design and Analysis of Communications Systems (DACS) University of Twente Enschede, The Netherlands, 2012 https://ieeexplore.ieee.org/document/6489745. |