Student Seminar Series:Yang Liu, Anatomy of Network-Level Malicious Activities: Connectedness and Inter-Dependence

Observations of malicious activities originated from different networks are often symptoms of their underlying security posture. The interconnectedness of today's Internet also means that what we see from one network is inevitably related to others. This connection can provide insight into the conditions of not just a single network viewed in isolation, but multiple networks viewed together. Such understanding in turn helps us predict more accurately malicious activities from networks. In this study we first set out to examine how to measure the {\em similarity} in the dynamic evolutions of malicious activities originated from different networks and more important we show how to use this similarity information to enhance prediction of future maliciousness compared with the case when networks are predicted as isolated. In particular, our results can enhance the temporal prediction of malicious activities of a network with known historical information. Inspired by the scenario that there could be hidden networks with no past malice record being revealed, we then investigate the relationship between such behavioral similarity and similarity in topological features. Specifically, we use statistical inference to evaluate the significance of a set of spatial features in explaining the observed behavioral similarity. In doing so we map relationships in a highly dynamic domain (malicious activities) to a relatively static one (spatial features). This also proves to be useful in predicting future behaviors and can also provide accurate prediction for a network with unknown historical information but whose spatial relationship with a few other networks is known.