Malware is an increasingly serious threat that almost always finds a way into a network, undermining the confidentiality, integrity and availability of data. Network forensics is the application of scientifically sound methods to identify, collect, fuse, examine and analyze digital evidence of planned or observed malicious activity intended to corrupt, disrupt or compromise systems, and to provide information that helps prevent and mitigate such activity.
Given the anonymity the darknet provides, it is increasingly used to distribute malware. Monitoring traffic across darknets to detect compromised machines and malicious activity therefore demands considerable computational resources. In what follows, "darknet" is used in the network-telescope sense: darknet monitoring means capturing and inspecting Internet traffic destined to unused IP addresses, and the darknet itself is a portion of allocated, routed address space in which no active hosts or services reside. Because no legitimate packet should be addressed to a darknet, every packet that arrives there is by default treated as anomalous. Some of these packets result from mistakes or faulty configurations, but the great majority are sent by malware.
A recently published study proposed a darknet traffic decomposition approach, UnitecDEAMP, which uses flow feature profiling to separate sets of significant malicious activities from the background noise in large historical darknet captures. The researchers segmented and extracted traffic flows from the captured darknet data and classified them according to sets of criteria derived from their assessments of traffic behaviour. The criteria were validated by correlation analysis so that redundant criteria could be dropped. Significant events were then selected by criteria filtering on three measures: significance of volume, significance of variation, and significance of occurrence in the time series. To demonstrate the approach, UnitecDEAMP was applied to real darknet traffic captured over a 12-month period, and the experiments showed that it can effectively pinpoint the most serious malicious events.
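As an added illustration of the criteria-filtering idea, the following Python is not UnitecDEAMP's own code. It groups darknet-bound packets into flows, turns each flow into a per-hour time series, and scores it on volume, variation and persistence in the time series; the darknet prefix, the bin size, the thresholds and the packet records are all assumptions constructed for the example, and the labels are the editor's illustrative reading of the three criteria, not the paper's definitions.

```python
"""Darknet flow profiling: an added example, not UnitecDEAMP's code.

The darknet prefix, bin size, thresholds and packet records below are
assumptions constructed for the illustration.
"""
import ipaddress
import statistics
from collections import defaultdict

DARKNET = ipaddress.ip_network("203.0.113.0/24")  # assumed unused, routed /24
BIN_SECONDS = 3600                                # hourly time bins (assumption)

# Constructed packet records: (timestamp, src_ip, dst_ip, proto, dst_port).
PACKETS = (
    # a host probing 40 darknet addresses on TCP/445 every hour for a day
    [(h * 3600 + i, "198.51.100.7", f"203.0.113.{i}", "tcp", 445)
     for h in range(24) for i in range(1, 41)]
    # a single 300-packet UDP burst during hour 5
    + [(5 * 3600 + i, "198.51.100.9", f"203.0.113.{(i % 250) + 1}", "udp", 53)
       for i in range(300)]
    # a misconfigured NTP client sending a few stray packets
    + [(h * 3600 + 100, "198.51.100.2", "203.0.113.200", "udp", 123)
       for h in (1, 9, 17)]
    # traffic to a live network, which darknet monitoring must ignore
    + [(12 * 3600, "198.51.100.3", "192.0.2.10", "udp", 123)]
)


def build_flows(packets, bin_seconds=BIN_SECONDS):
    """Group darknet-bound packets into flows keyed by (src, proto, dport),
    counting packets per time bin so that each flow becomes a time series."""
    flows = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, proto, dport in packets:
        if ipaddress.ip_address(dst) not in DARKNET:
            continue  # not darknet traffic: outside the telescope's scope
        flows[(src, proto, dport)][ts // bin_seconds] += 1
    return flows


def profile(flow_bins, total_bins):
    """The three criteria for one flow: volume (packet count), variation
    (coefficient of variation across bins) and persistence (share of bins
    in which the flow was active)."""
    series = [flow_bins.get(b, 0) for b in range(total_bins)]
    volume = sum(series)
    mean = volume / total_bins
    variation = statistics.pstdev(series) / mean if mean else 0.0
    persistence = sum(1 for v in series if v) / total_bins
    return {"volume": volume, "variation": variation, "persistence": persistence}


def label(p, min_volume=200, min_persistence=0.5, burst_variation=2.0):
    """Threshold-based filtering; the thresholds are assumptions."""
    if p["volume"] < min_volume:
        return "noise"           # too small to matter, whatever its shape
    if p["persistence"] >= min_persistence:
        return "persistent"      # steady, long-lived activity such as a scanner
    if p["variation"] >= burst_variation:
        return "burst"           # a short, intense event such as a flood
    return "noise"


def detect_events(packets, bin_seconds=BIN_SECONDS):
    """Profile and label every darknet flow in the capture."""
    flows = build_flows(packets, bin_seconds)
    total_bins = max(ts for ts, *_ in packets) // bin_seconds + 1
    events = {}
    for key, bins in flows.items():
        p = profile(bins, total_bins)
        p["label"] = label(p)
        events[key] = p
    return events


if __name__ == "__main__":
    ranked = sorted(detect_events(PACKETS).items(), key=lambda kv: -kv[1]["volume"])
    for key, p in ranked:
        print(key, p["label"], p)
```

On the constructed capture the hourly TCP/445 scanner is labelled persistent (960 packets, zero variation, active in every bin), the 300-packet UDP burst is labelled burst (coefficient of variation about 4.8, active in one bin of 24), the three stray NTP packets fall below the volume threshold and are treated as noise, and the packet addressed to a live network never enters a flow at all. Real deployments would tune the bin size and thresholds to the telescope's size and baseline.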
The study also accounted for background noise. To evaluate the approach, the researchers used two IPv4 datasets, one of ICMP traffic and one of UDP traffic. The User Datagram Protocol (UDP) is one of the protocols most used for malicious activity seen on the darknet, chiefly through UDP floods, a common DDoS technique. UDP is connectionless, with no handshake or session mechanism as in TCP, so the goal of a UDP flood is simply to saturate the bandwidth of a link: the target receives a very large number of UDP datagrams with spoofed source addresses aimed at many ports, checks for an application listening on each port, and replies with an ICMP Destination Unreachable message whenever no application is found. Even though UDP may be only a small share of darknet traffic, a successful UDP-based attack can be seriously damaging: by using the bandwidth of high-capacity servers, attackers can send ever more packets and overwhelm the target with unwanted traffic until it no longer responds to legitimate requests.
Malicious activity on the darknet can also be associated with ICMP traffic. A recent study identified 31 PCs suspected of malware compromise, four of which were confirmed infected. The malware found included Conficker, associated with heavy darknet traffic to destination port 445, and an AutoIt-based malware associated with heavy ICMP darknet traffic. These findings indicate that a large volume of ICMP darknet traffic from a host can be a sign of infection.
ICMP echo requests are mainly used for network troubleshooting, and most Internet gateways now block inbound echo requests to limit Distributed Denial of Service (DDoS) attacks. Nevertheless, several malware families propagate by means of ICMP echo requests, the Nachi worm among them. Research has shown that each infected host sends a single ping probe to each address in an IP sequence, which is a ping sweep rather than a ping flood: many destinations with one probe each, instead of many probes at one destination.
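To make the sweep/flood distinction and the port-445 pattern concrete, here is an added Python example that is not code from either study. It profiles each source seen in a darknet capture by probe count, distinct targets and how sequentially the targets were walked, then labels the source; the darknet prefix, the thresholds and the packet records are constructed assumptions.

```python
"""Per-source probe profiling on darknet traffic: an added example.

The darknet prefix, thresholds and packet records are assumptions
constructed for the illustration.
"""
import ipaddress
from collections import defaultdict

DARKNET = ipaddress.ip_network("203.0.113.0/24")  # assumed unused, routed /24

# Constructed records: (src_ip, dst_ip, proto, info), where info is the ICMP
# message type for icmp and the destination port for tcp/udp.
PACKETS = (
    # a Nachi-style host: one echo request to each consecutive address
    [("198.51.100.21", f"203.0.113.{i}", "icmp", "echo-request") for i in range(1, 61)]
    # a flooding host: 500 echo requests at just two addresses
    + [("198.51.100.22", f"203.0.113.{5 + (i % 2)}", "icmp", "echo-request")
       for i in range(500)]
    # a Conficker-style host: one SYN to TCP/445 at each consecutive address
    + [("198.51.100.23", f"203.0.113.{i}", "tcp", 445) for i in range(1, 81)]
    # an operator troubleshooting one address twice
    + [("198.51.100.24", "203.0.113.77", "icmp", "echo-request")] * 2
    # traffic the telescope must ignore: live network, and a non-probe type
    + [("198.51.100.21", "192.0.2.10", "icmp", "echo-request"),
       ("198.51.100.24", "203.0.113.77", "udp", 53)]
)


def probe_kind(proto, info):
    """Map a packet to the probe families profiled here, or None."""
    if proto == "icmp" and info == "echo-request":
        return "icmp-echo"
    if proto == "tcp" and info == 445:
        return "tcp/445"
    return None


def sequential_fraction(sorted_ints):
    """Share of consecutive target pairs that differ by exactly one address;
    close to 1.0 means the source walked the range in order."""
    if len(sorted_ints) < 2:
        return 0.0
    steps = [b - a for a, b in zip(sorted_ints, sorted_ints[1:])]
    return sum(1 for s in steps if s == 1) / len(steps)


def per_source_stats(packets):
    """Count probes and distinct darknet targets for each (source, kind)."""
    counts = defaultdict(int)
    targets = defaultdict(set)
    for src, dst, proto, info in packets:
        if ipaddress.ip_address(dst) not in DARKNET:
            continue
        kind = probe_kind(proto, info)
        if kind is None:
            continue
        counts[(src, kind)] += 1
        targets[(src, kind)].add(int(ipaddress.ip_address(dst)))
    stats = {}
    for key, n in counts.items():
        t = sorted(targets[key])
        stats[key] = {
            "probes": n,
            "targets": len(t),
            "probes_per_target": n / len(t),
            "sequential": sequential_fraction(t),
        }
    return stats


def classify(stats, min_targets=20, flood_ratio=10.0):
    """Label each (source, kind); the thresholds are assumptions."""
    labels = {}
    for (src, kind), s in stats.items():
        if kind == "icmp-echo" and s["probes_per_target"] >= flood_ratio:
            label = "icmp-flood"            # many probes, few destinations
        elif (s["targets"] >= min_targets and s["probes_per_target"] < 2
              and s["sequential"] >= 0.8):
            label = "ping-sweep" if kind == "icmp-echo" else "port-445-sweep"
        elif s["targets"] >= min_targets:
            label = "scan"                  # broad but not in address order
        else:
            label = "benign-or-noise"       # a few probes at a few addresses
        labels[(src, kind)] = label
    return labels


if __name__ == "__main__":
    stats = per_source_stats(PACKETS)
    for key, lab in classify(stats).items():
        print(key, lab, stats[key])
```

The sweep versus flood decision rests on probes per distinct target, and the sequential fraction separates an ordered walk through the range from random-order scanning. The thresholds would need calibration against a real telescope's baseline before use in detection.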