Abstract

Recently, APT (Advanced Persistent Threat) groups have been using the COVID-19 pandemic as part of their cyber operations. In response to these threat actors, IoCs (Indicators of Compromise) are being published to help defenders take countermeasures. In this paper, we analyse how the coronavirus-themed cyber attack unfolded on the academic infrastructure network SINET (The Science Information Network), based on passive measurement with IoCs. SINET is Japan's academic information infrastructure network. To extract and analyze the traffic patterns of the COVID-19 attacker group, we implemented a data flow pipeline for handling the huge volume of session traffic data observed on SINET. The data flow pipeline provides three functions: (1) identification of the direction of the traffic, (2) filtering by port number, and (3) generation of time series data. From the output of our pipeline, it is clear that the attacker's traffic can be broken down into several patterns. To name a few, we have witnessed (1) huge burstiness (port 25: FTP and high-port applications), (2) diurnal patterns (port 443: SSL), and (3) periodic patterns with low amplitude (port 25: SMTP). We can conclude that some of the patterns unveiled by our pipeline are informative for the security operations of the academic backbone network. In particular, we have found burstiness of high-port and unknown applications with the number of sessions ranging from 10,000 to 35,000. For understanding the traffic patterns on SINET, our data flow pipeline can utilize any IoC consisting of a list of IP addresses for traffic ingress/egress identification and port filtering.
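The three pipeline functions described in the abstract (direction identification against an IoC address list, port filtering, and time series generation), written out as an added Python example that is not the paper's own code. The session record layout, the IoC addresses (documentation-range IPs), the monitored prefix 10.0.0.0/8, and the fixed burst threshold are all constructed assumptions for illustration; the real pipeline works on firewall session logs and a published IoC list.

```python
"""Added example: an IoC-driven session pipeline (direction, port filter, time series)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress


@dataclass(frozen=True)
class Session:
    """One session record; the fields are a constructed subset of a firewall session log."""
    ts: datetime
    src: str
    dst: str
    dport: int


# Constructed IoC list: documentation-range addresses stand in for real indicators.
IOC_IPS = frozenset({"198.51.100.7", "203.0.113.42"})
# Hypothetical monitored address space (stands in for the backbone's own prefixes).
INTERNAL_NETS = (ipaddress.ip_network("10.0.0.0/8"),)


def is_internal(ip, nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def direction(s, ioc_ips=IOC_IPS, nets=INTERNAL_NETS):
    """Function (1): 'egress' (internal -> IoC), 'ingress' (IoC -> internal), else None."""
    if is_internal(s.src, nets) and s.dst in ioc_ips:
        return "egress"
    if s.src in ioc_ips and is_internal(s.dst, nets):
        return "ingress"
    return None


def filter_ports(sessions, ports):
    """Function (2): keep sessions whose destination port is in `ports` (None keeps all)."""
    if ports is None:
        return list(sessions)
    return [s for s in sessions if s.dport in ports]


def time_series(sessions, bin_seconds=3600):
    """Function (3): sessions per fixed-width bin, with empty bins between first and last set to 0."""
    if not sessions:
        return {}

    def bucket(ts):
        epoch = int(ts.timestamp())
        return datetime.fromtimestamp(epoch - epoch % bin_seconds, tz=timezone.utc)

    counts = Counter(bucket(s.ts) for s in sessions)
    first, last = min(counts), max(counts)
    step = timedelta(seconds=bin_seconds)
    series, t = {}, first
    while t <= last:
        series[t] = counts.get(t, 0)
        t += step
    return series


def bursty_bins(series, threshold):
    """Flag bins whose count exceeds a fixed threshold (an assumption; derive it from a baseline)."""
    return [t for t, n in series.items() if n > threshold]


def run_pipeline(sessions, ports=None, bin_seconds=3600):
    """Chain the three stages and return one time series per traffic direction."""
    out = {}
    for d in ("ingress", "egress"):
        matched = [s for s in sessions if direction(s) == d]
        out[d] = time_series(filter_ports(matched, ports), bin_seconds)
    return out


def _t(hour, minute=0):
    """Constructed timestamp helper for the sample data below."""
    return datetime(2020, 4, 1, hour, minute, tzinfo=timezone.utc)


# Constructed sample sessions: two IoC hosts, one unrelated host, several ports.
SAMPLE_SESSIONS = [
    Session(_t(0, 5), "10.1.2.3", "198.51.100.7", 443),
    Session(_t(0, 10), "10.1.2.3", "198.51.100.7", 443),
    Session(_t(0, 20), "10.9.9.9", "203.0.113.42", 25),
    Session(_t(2, 0), "198.51.100.7", "10.1.2.3", 443),
    Session(_t(2, 30), "10.1.2.3", "198.51.100.7", 443),
    Session(_t(2, 45), "10.1.2.3", "192.0.2.1", 443),      # not on the IoC list: dropped
    Session(_t(2, 50), "10.1.2.3", "198.51.100.7", 8443),  # high port: dropped by the 443 filter
]

if __name__ == "__main__":
    for d, series in run_pipeline(SAMPLE_SESSIONS, ports={443}).items():
        print(d, {t.isoformat(): n for t, n in series.items()})
        print("  bursty bins:", bursty_bins(series, 1))
```

Feeding the egress series into a plotting tool gives the kind of per-port time series the paper examines; a port filter of `{25}` or `{443}` separates the SMTP and SSL views, and `ports=None` with a high-port check reproduces the "unknown application" view.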

Highlights

  • The outbreak of the COVID-19 pandemic crisis around the world had imposed an unexpected and great impact on everyday life

  • We present some traffic patterns unveiled from COVID-19 related IoC [2] in the huge academic backbone network SINET

  • We analyze how the coronavirus-based threat actors behave on the academic infrastructure network SINET


Summary

INTRODUCTION

The outbreak of the COVID-19 pandemic crisis around the world has imposed an unexpected and great impact on everyday life. COVID-19 has become a global pandemic, which represents an opportunity for APT groups to exploit the situation. Since January 2020, APT groups have done just that, targeting academic networks as well as government and non-government networks using COVID-19 as a lure. We present some traffic patterns unveiled from COVID-19 related IoC [2] in the huge academic backbone network SINET. Our traffic observation is based on passive measurement and session data obtained from a PaloAlto PA-7080.

RELATED WORK

MOTIVATION
  COVID-19 (as a lure)
  NII-SOCS and SINET
  IoCs and application

DATA SET
  Dataflow Pipeline: We have implemented the data flow pipeline between
  Traffic Discrimination
  Splunk

TRAFFIC PATTERNS
  All COVID-19 related IoC traffic
  Burstiness: Burstiness means a drastic traffic increase in time-series data
  Diurnal Patterns: Figure 8 shows the outward traffic on port 443 from SINET

INSIGHTS AND DISCUSSION
  Findings

CONCLUSION