A Characterization of Cybersecurity Posture from Network Telescope Data

  • Zhenxin Zhan
  • Maochao Xu
  • Shouhuai XuEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9473)


Data-driven understanding of cybersecurity posture is an important problem that has not been adequately explored. In this paper, we analyze some real data collected by CAIDA’s network telescope during the month of March 2013. We propose to formalize the concept of cybersecurity posture from the perspectives of three kinds of time series: the number of victims (i.e., telescope IP addresses that are attacked), the number of attackers that are observed by the telescope, and the number of attacks that are observed by the telescope. Characterizing cybersecurity posture therefore becomes investigating the phenomena and statistical properties exhibited by these time series, and explaining their cybersecurity meanings. For example, we propose the concept of sweep-time, and show that sweep-time should be modeled by stochastic process, rather than random variable. We report that the number of attackers (and attacks) from a certain country dominates the total number of attackers (and attacks) that are observed by the telescope. We also show that substantially smaller network telescopes might not be as useful as a large telescope.


Cybersecurity data analytics Cybersecurity posture Network telescope Network blackhole Darknet Cyber attack sweep-time Time series data 



We thank CAIDA for sharing with us the data analyzed in the paper. This work was supported in part by ARO Grant #W911NF-13-1-0141 and NSF Grant #1111925.

Supplementary material


  1. 1.
    Allman, M., Paxson, V., Terrell, J.: A brief history of scanning. In: Proceedings of ACM IMC 2007, pp. 77–82 (2007)Google Scholar
  2. 2.
    Armstrong, J.S.: Principles of Forecasting: A Handbook for Researchers and Practitioners, vol. 30. Springer, New York (2001)Google Scholar
  3. 3.
    Bailey, M., Cooke, E., Jahanian, F., Myrick, A., Sinha, S.: Practical darknet measurement. In: Proceedings of 2006 Annual Conference on Information Sciences and Systems, pp. 1496–1501 (2006)Google Scholar
  4. 4.
    Bailey, M., Cooke, E., Jahanian, F., Watson, D.: The blaster worm: then and now. IEEE Secur. Priv. 3(4), 26–31 (2005)CrossRefGoogle Scholar
  5. 5.
    Bailey, M., Cooke, E., Jahanian, F., Nazario, J., Watson, D., et al.: The internet motion sensor-a distributed blackhole monitoring system. In: Proceedings of NDSS 2005 (2005)Google Scholar
  6. 6.
    Barford, P., Chen, Y., Goyal, A., Li, Z., Paxson, V., Yegneswaran, V.: Employing honeynets for network situational awareness. In: Jajodia, S., Liu, P., Swarup, V., Wang, C. (eds.) Cyber Situational Awareness. Advances in Information Security, vol. 46, pp. 71–102. Springer, New York (2010)CrossRefGoogle Scholar
  7. 7.
    Brownlee, N.: One-way traffic monitoring with iatmon. In: Proceedings of PAM 2012, pp. 179–188 (2012)Google Scholar
  8. 8.
    Claffy, K., Braun, H., Polyzos, G.: A parameterizable methodology for internet traffic flow profiling. IEEE J. Sel. Areas Commun. 13(8), 1481–1494 (1995)CrossRefGoogle Scholar
  9. 9.
    Clauset, A., Shalizi, C.R., Newman, M.E.J.: Power-law distributions in empirical data. SIAM Rev. 51(4), 661–703 (2009)zbMATHMathSciNetCrossRefGoogle Scholar
  10. 10.
    Cooke, E., Bailey, M., Mao, Z.M., Watson, D., Jahanian, F., McPherson, D.: Toward understanding distributed blackhole placement. In: Proceedings of ACM Worm 2004, pp. 54–64 (2004)Google Scholar
  11. 11.
    Cryer, J., Chan, K.: Time Series Analysis With Applications in R. Springer, New York (2008)zbMATHCrossRefGoogle Scholar
  12. 12.
    Dainotti, A., King, A., Claffy, K., Papale, F., Pescapè, A.: Analysis of a “/0” stealth scan from a botnet. In: Proceedings of ACM IMC 2012, pp. 1–14 (2012)Google Scholar
  13. 13.
    Engle, R.F.: Autoregressive conditional heteroscedasticity with estimates of the variance of united kingdom inflation. Econometrica: J. Econometric Soc. 50(4), 987–1007 (1982)zbMATHMathSciNetCrossRefGoogle Scholar
  14. 14.
    Giorgino, T.: Computing and visualizing dynamic time warping alignments in R: the dtw package. J. Stat. Softw. 31(7), 1–24 (2009)CrossRefGoogle Scholar
  15. 15.
    Glatz, E., Dimitropoulos, X.: Classifying internet one-way traffic. In: Proceedings of ACM IMC 2012, pp. 37–50 (2012)Google Scholar
  16. 16.
    Gringoli, F., Salgarelli, L., Dusi, M., Cascarano, N., Risso, F., Claffy, K.: Gt: picking up the truth from the ground for internet traffic. SIGCOMM Comput. Commun. Rev. 39(5), 12–18 (2009)CrossRefGoogle Scholar
  17. 17.
    Hussain, A., Heidemann, J., Papadopoulos, C.: A framework for classifying denial of service attacks. In: Proceedings of ACM SIGCOMM 2003, pp. 99–110 (2003)Google Scholar
  18. 18.
    Kreibich, C., Crowcroft, J.: Honeycomb: creating intrusion detection signatures using honeypots. SIGCOMM Comput. Commun. Rev. 34(1), 51–56 (2004)CrossRefGoogle Scholar
  19. 19.
    Lau, F., Rubin, S.H., Smith, M.H., Trajkovic, L.: Distributed denial of service attacks. In: Proceedings of 2000 IEEE International Conference on Systems, Man, and Cybernetics, vol. 3, pp. 2275–2280 (2000)Google Scholar
  20. 20.
    Lee, D.J., Brownlee, N.: Passive measurement of one-way and two-way flow lifetimes. SIGCOMM Comput. Commun. Rev. 37(3), 17–28 (2007)CrossRefGoogle Scholar
  21. 21.
    Li, Z., Goyal, A., Chen, Y., Paxson, V.: Towards situational awareness of large-scale botnet probing events. IEEE Trans. Inf. Forensics Secur. 6(1), 175–188 (2011)CrossRefGoogle Scholar
  22. 22.
    Li, Z., Goyal, A., Chen, Y., Kuzmanovic, A.: Measurement and diagnosis of address misconfigured p2p traffic. IEEE Netw. 25(3), 22–28 (2011)CrossRefGoogle Scholar
  23. 23.
    Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the slammer worm. IEEE Secur. Priv. 1(4), 33–39 (2003)CrossRefGoogle Scholar
  24. 24.
    Moore, D., Shannon, C., Brown, D., Voelker, G., Savage, S.: Inferring internet denial-of-service activity. ACM Trans. Comput. Syst. 24(2), 115–139 (2006)CrossRefGoogle Scholar
  25. 25.
    Moore, D., Shannon, C., Brown, J.: Code-red: a case study on the spread and victims of an Internet worm. In: Proceedings of ACM IMW 2002, pp. 273–284 (2002)Google Scholar
  26. 26.
    Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Network telescopes, Technical report. Department of Computer Science and Engineering, University of California, San Diego (2004)Google Scholar
  27. 27.
    Neter, J., Kutner, M.H., Nachtsheim, C.J., Wasserman, W.: Applied linear statistical models, vol. 4. Irwin, Chicago (1996)Google Scholar
  28. 28.
    Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L.: Characteristics of internet background radiation. In: Proceedings of ACM IMC 2004, pp. 27–40 (2004)Google Scholar
  29. 29.
    Provos, N.: A virtual honeypot framework. In: Proceedings of USENIX Security Symposium, pp. 1–14 (2004)Google Scholar
  30. 30.
    Shannon, C., Moore, D.: The spread of the witty worm. IEEE Secur. Priv. 2(4), 46–50 (2004)CrossRefGoogle Scholar
  31. 31.
    CAIDA UCSD Network Telescope.
  32. 32.
  33. 33.
    Treurniet, J.: A network activity classification schema and its application to scan detection. IEEE/ACM Trans. Netw. 19(5), 1396–1404 (2011)CrossRefGoogle Scholar
  34. 34.
    Tsay, R.S.: Analysis of Financial Time Series. Wiley, New york (2010)zbMATHCrossRefGoogle Scholar
  35. 35.
    Weiler, N.: Honeypots for distributed denial-of-service attacks. In: Proceedings of IEEE Workshop on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET-ICE 2002), pp. 109–114 (2002)Google Scholar
  36. 36.
    Wustrow, E., Karir, M., Bailey, M., Jahanian, F., Huston, G.: Internet background radiation revisited. In: Proceedings of ACM IMC 2010, pp. 62–74 (2010)Google Scholar
  37. 37.
    Yegneswaran, V., Giffin, J., Barford, P., Jha, S.: An architecture for generating semantic aware signatures. In: Proceedings of Usenix Security Symposium (2005)Google Scholar
  38. 38.
    Yegneswaran, V., Barford, P., Plonka, D.: On the design and use of internet sinks for network abuse monitoring. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 146–165. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  39. 39.
    Yegneswaran, V., Barford, P., Ullrich, J.: Internet intrusions: global characteristics and prevalence. In: Proceedings of ACM SIGMETRICS 2003, pp. 138–147 (2003)Google Scholar
  40. 40.
    Zhan, Z., Xu, M., Xu, S.: Characterizing honeypot-captured cyber attacks: statistical framework and case study. IEEE Trans. Inf. Forensics Secur. 8(11), 1775–1789 (2013)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Department of Computer ScienceUniversity of Texas at San AntonioSan AntonioUSA
  2. 2.Department of MathematicsIllinois State UniversityNormalUSA

Personalised recommendations