Open Access
Understanding Traffic Patterns of Covid-19 IoC in Huge Academic Backbone Network SINET
Author(s) -
Ruo Ando,
Youki Kadobayashi,
Hiroki Takakura,
Hiroshi Itoh
Publication year - 2021
Publication title -
International Journal of Network Security & Its Applications (IJNSA)
Language(s) - English
Resource type - Journals
eISSN - 0975-2307
pISSN - 0974-9330
DOI - 10.5121/ijnsa.2021.13603
Subject(s) - botnet , port (computer networking) , computer science , burstiness , pipeline (software) , session (computer networking) , backbone network , computer security , computer network , network packet , the internet
Recently, APT (Advanced Persistent Threat) groups have been using the COVID-19 pandemic as a lure in their cyber operations. In response, IoCs (Indicators of Compromise) for these threat actors are being published to help defenders take countermeasures. In this paper, we analyze how COVID-19-themed attacks unfolded on SINET (the Science Information Network), Japan's academic information infrastructure network, using passive measurement driven by IoCs. To extract and analyze the traffic patterns of the COVID-19 attacker group, we implemented a data flow pipeline for handling the huge volume of session data observed on SINET. The pipeline provides three functions: (1) identification of the direction of the traffic (ingress to or egress from SINET), (2) filtering by port number, and (3) generation of time series data. The output of our pipeline shows that the attacker's traffic can be broken down into several patterns. To name a few, we witnessed (1) huge burstiness (port 25: SMTP, and high-port applications), (2) diurnal patterns (port 443: SSL/TLS), and (3) periodic patterns with low amplitude (port 25: SMTP). We conclude that some of the patterns unveiled by our pipeline are informative for the security operations of the academic backbone network. In particular, we found burstiness on high ports and unknown applications with session counts ranging from 10,000 to 35,000. Our data flow pipeline can use any IoC given as a list of IP addresses for ingress/egress identification and port filtering, and so can be applied to understand other traffic patterns on SINET.
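The three pipeline stages named in the abstract (direction identification against an IoC address list, port filtering, time series generation), reconstructed as a small Python example run over a constructed session log. This is an added illustration, not the authors' pipeline or SINET data: the internal prefix 10.0.0.0/8, the IoC addresses (taken from documentation-reserved ranges), the watched ports, the one-hour bucket and the sample sessions are all assumptions made here, and the peak-to-mean "burst ratio" is a crude score chosen for the example, not a metric the paper defines.

```python
"""Added example: minimal version of the abstract's three-stage session pipeline
(direction identification, port filtering, time-series generation).
Not the authors' code; prefixes, IoC addresses and sessions are constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Assumed internal (campus-side) address space standing in for SINET's own prefixes.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Constructed IoC list using documentation-reserved addresses; not real indicators.
IOC_IPS = {ipaddress.ip_address("203.0.113.7"), ipaddress.ip_address("198.51.100.23")}
# Well-known ports tracked individually; everything >= 1024 is collapsed to "high".
WATCHED_PORTS = {25, 443}
BUCKET_SECONDS = 3600  # one-hour time series buckets (assumption)


@dataclass(frozen=True)
class Session:
    ts: int      # epoch seconds
    src: str
    dst: str
    dport: int


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def direction(s: Session) -> Optional[str]:
    """Stage 1: 'ingress' if an IoC host talks to an internal host, 'egress' if an
    internal host talks to an IoC host; None if no IoC is involved or the other
    end is not ours (transit and unrelated sessions are dropped)."""
    src, dst = ipaddress.ip_address(s.src), ipaddress.ip_address(s.dst)
    if src in IOC_IPS and is_internal(dst):
        return "ingress"
    if dst in IOC_IPS and is_internal(src):
        return "egress"
    return None


def port_class(dport: int) -> Optional[str]:
    """Stage 2: keep watched ports by number, lump high ports together, drop the rest."""
    if dport in WATCHED_PORTS:
        return str(dport)
    if dport >= 1024:
        return "high"
    return None


def time_series(sessions, bucket: int = BUCKET_SECONDS):
    """Stage 3: session count per (direction, port class) per time bucket."""
    series = defaultdict(Counter)
    for s in sessions:
        d = direction(s)
        p = port_class(s.dport) if d else None
        if d is None or p is None:
            continue
        series[(d, p)][s.ts // bucket * bucket] += 1
    return dict(series)


def burst_ratio(counts: Counter, bucket: int = BUCKET_SECONDS) -> float:
    """Peak-to-mean ratio over the full span (empty buckets count as zero):
    1.0 is perfectly flat, larger values flag burst-like behaviour."""
    lo, hi = min(counts), max(counts)
    span = range(lo, hi + bucket, bucket)
    mean = sum(counts.get(t, 0) for t in span) / len(span)
    return max(counts.values()) / mean


BASE = 1_599_998_400  # constructed, hour-aligned epoch timestamp
SAMPLE_SESSIONS = [  # constructed session records: (ts, src, dst, dport)
    Session(BASE + 0,    "203.0.113.7",   "10.1.2.3",      443),   # ingress 443, hour 0
    Session(BASE + 600,  "203.0.113.7",   "10.1.2.9",      443),   # ingress 443, hour 0
    Session(BASE + 3700, "198.51.100.23", "10.5.5.5",      443),   # ingress 443, hour 1
    Session(BASE + 100,  "10.1.2.3",      "203.0.113.7",   25),    # egress 25, hour 0
    Session(BASE + 3800, "10.1.2.3",      "203.0.113.7",   25),    # egress 25, hour 1
    Session(BASE + 7300, "10.1.2.3",      "203.0.113.7",   25),    # egress 25, hour 2
    Session(BASE + 50,   "10.9.9.9",      "198.51.100.23", 50000), # egress high, hour 0
    Session(BASE + 60,   "10.9.9.9",      "198.51.100.23", 50001), # egress high, hour 0
    Session(BASE + 70,   "10.9.9.9",      "198.51.100.23", 50002), # egress high, hour 0
    Session(BASE + 7400, "10.9.9.9",      "198.51.100.23", 50003), # egress high, hour 2
    Session(BASE + 10,   "10.1.2.3",      "192.0.2.50",    443),   # no IoC: dropped
    Session(BASE + 20,   "203.0.113.7",   "10.1.2.3",      22),    # port 22 not watched: dropped
    Session(BASE + 30,   "203.0.113.7",   "192.0.2.1",     443),   # IoC to non-internal: dropped
]


def run(sessions=SAMPLE_SESSIONS):
    """Per (direction, port class): the hourly counts and their burst ratio."""
    return {key: (dict(c), burst_ratio(c)) for key, c in time_series(sessions).items()}


if __name__ == "__main__":
    for (d, p), (counts, ratio) in sorted(run().items()):
        print(f"{d:7} port {p:>4}: {counts}  burst={ratio:.2f}")
```

Sessions that touch no IoC address, or whose non-IoC end is outside the internal prefix, never reach the later stages, which is what keeps the per-port series attributable to the indicator list rather than to background backbone traffic. On real data the address matching would be done against a prefix tree over the full set of SINET routes, and the high-port bucket would be split further before calling anything an "unknown application".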