IBR and Acknowledged Scanners -- Dissecting Undirected Traffic
Michael Collins, ICSI
1-2pm 25th Sep 2023
Abstract
Internet Background Radiation (IBR) is a catch-all term for the
undirected traffic that affects every host on the Internet; this
comprises backscatter, misconfiguration and a large amount of
scanning. ISI collects IBR from multiple darkspaces, contiguous
blocks of IPv4 space which are routable, but have no hosts. All
traffic to a darkspace is suspicious.
The ultimate goal of this work is to see whether we can quickly
identify changes in scanner interest. We know, at a gross level, that
scanner interest does change. As an example of this change, ssh was
the most commonly scanned port for well over a decade, but in the last
few years there has been a rise in telnet scanning associated with IoT
botnets. Quickly catching these trends requires identifying and
differentiating the different behaviors and populations in IBR data.
In this talk I will discuss the collection and composition of Internet
Background Radiation (IBR). In our work, ISI has identified a number
of different behaviors within IBR, most notably a distinction between
what we term "acknowledged" scanners and hostile
scanners. Acknowledged scanners are network scanners who publicize
their presence -- these include threat intelligence companies,
nonprofits and universities. Acknowledged scanners behave very
differently from hostile scanners -- they scan a broader range of
ports, scan more regularly, and miss out on particular ports that are
of interest to hostile scanners. I will discuss the process of
identifying and differentiating scanning populations, challenges to
the validity of scan data, and how we intend to use this information
for trending.
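As an added illustration of the distinction the abstract draws (this is not code from the talk or from ISI's tooling), the script below profiles constructed darkspace flow records per source on port breadth, probe regularity and hits on ports the abstract ties to IoT-botnet interest; the thresholds, the sample records and the hostile-interest port set are assumptions made for the demo.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed darkspace flow records: (source IP, destination port, seconds).
# Darkspace has no hosts, so every record is an unsolicited probe.
FLOWS = [
    ("198.51.100.7", 22, 0), ("198.51.100.7", 80, 600),
    ("198.51.100.7", 443, 1200), ("198.51.100.7", 8080, 1800),
    ("198.51.100.7", 3389, 2400), ("198.51.100.7", 25, 3000),
    ("203.0.113.9", 23, 0), ("203.0.113.9", 23, 15),
    ("203.0.113.9", 2323, 900), ("203.0.113.9", 23, 905),
    ("203.0.113.9", 23, 4000),
]

# Telnet-style ports the abstract links to IoT botnet scanning; an assumption
# for this demo, not a set published by the talk.
HOSTILE_INTEREST_PORTS = {23, 2323}


def profile_sources(flows):
    """Per-source features: distinct ports, cadence regularity, hostile-port hits."""
    by_src = defaultdict(list)
    for src, port, ts in flows:
        by_src[src].append((ts, port))
    profiles = {}
    for src, events in by_src.items():
        events.sort()
        ports = {p for _, p in events}
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        # Coefficient of variation of inter-probe gaps: near 0 means a fixed cadence,
        # the "scan more regularly" trait of acknowledged scanners.
        cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
        profiles[src] = {
            "distinct_ports": len(ports),
            "gap_cv": cv,
            "hostile_port_hits": len(ports & HOSTILE_INTEREST_PORTS),
        }
    return profiles


def classify(profile, min_ports=5, max_cv=0.25):
    """Label a source profile; the thresholds are illustrative, not the talk's."""
    if profile["gap_cv"] is None:
        return "insufficient-data"
    broad = profile["distinct_ports"] >= min_ports
    regular = profile["gap_cv"] <= max_cv
    avoids_hostile_ports = profile["hostile_port_hits"] == 0
    if broad and regular and avoids_hostile_ports:
        return "acknowledged-like"
    return "hostile-like"
```

A real deployment would validate "acknowledged-like" sources against the scanner's published identity (reverse DNS, WHOIS, a published IP list) rather than behaviour alone, since behaviour can be imitated.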
Short Bio
Dr. Michael Collins is a Senior Computer Scientist and Research Lead
at University of Southern California's Information Sciences Institute
(USC-ISI). His primary research focuses are security operations and
response, network security experimentation, and domain-specific
security. Dr. Collins received his undergraduate and graduate degrees
from Carnegie Mellon University in Pittsburgh, PA.
Dr. Collins is a security researcher with two decades of experience
beginning at the CERT at Carnegie Mellon University. While there,
Dr. Collins developed the SiLK tool suite, a high-speed NetFlow
analysis capability which served as the backbone of the DoD CENTAUR
and DHS EINSTEIN-1 capabilities. Following his work at the CERT,
Dr. Collins was Chief Scientist at RedJack, where he worked closely
with multiple Security Operations Centers on analytics and
instrumentation. A practitioner who focuses on bridging the gap
between academic security and operations, he has led research on
insider threat, game-theoretic security, moving target defense and
software defined networking, as well as leading multiple
investigations and being called as an expert witness. He is the
author of the O'Reilly book "Network Security Through Data Analysis",
multiple scientific papers and multiple patents.