Forensic Analysis for Epidemic Attacks in Federated Networks

Authors:
Yinglian Xie;Vyas Sekar;Michael Reiter;Hui Zhang
Affiliations:
Carnegie Mellon University, ylxie@cs.cmu.edu;Carnegie Mellon University, vyass@cs.cmu.edu;Carnegie Mellon University, reiter@cs.cmu.edu;Carnegie Mellon University, hzhang@cs.cmu.edu
Venue:
ICNP '06 Proceedings of the Proceedings of the 2006 IEEE International Conference on Network Protocols
Year:
2006

Citing 0
Cited 11

On the detection and origin identification of mobile worms

Proceedings of the 2007 ACM workshop on Recurring malcode
Online Accumulation: Reconstruction of Worm Propagation Path

NPC '08 Proceedings of the IFIP International Conference on Network and Parallel Computing
Exploiting dynamicity in graph-based traffic analysis: techniques and applications

Proceedings of the 5th international conference on Emerging networking experiments and technologies
Graph-based P2P traffic classification at the internet backbone

INFOCOM'09 Proceedings of the 28th IEEE international conference on Computer Communications Workshops
Efficient querying and maintenance of network provenance at internet-scale

Proceedings of the 2010 ACM SIGMOD International Conference on Management of data
Graption: A graph-based P2P traffic classification framework for the internet backbone

Computer Networks: The International Journal of Computer and Telecommunications Networking
A collaborative event processing system for protection of critical infrastructures from cyber attacks

SAFECOMP'11 Proceedings of the 30th international conference on Computer safety, reliability, and security
Secure network provenance

SOSP '11 Proceedings of the Twenty-Third ACM Symposium on Operating Systems Principles
Revisiting botnet models and their implications for takedown strategies

POST'12 Proceedings of the First international conference on Principles of Security and Trust
Declarative secure distributed information systems

Computer Languages, Systems and Structures
An event-based platform for collaborative threats detection and monitoring

Information Systems

Quantified Score

Hi-index	0.00

Visualization

Abstract

We present the design of a Network Forensic Alliance (NFA), to allow multiple administrative domains (ADs) to jointly locatethe origin of epidemic spreading attacks. ADs in the NFA collaborate in a distributed protocol for post-mortem analysis ofworm-like attacks. Information exchange between any two participating ADs is limited to traffic records that are known toboth sides, maintaining the privacy of participants. Such an architecture is incentive-compatible 驴 participants benefit bygaining better local investigative capabilities, even with partial deployment. Further, we show that by sharing local investigationresults, ADs can achieve global investigative capabilities that are comparable to a centralized implementation with accessto global traffic records. Our evaluation demonstrates that it is feasible for large-scale attack investigation to be incrementallydeployed in an Internet-like federation.