We present the design of a Network Forensic Alliance (NFA), to allow multiple administrative domains (ADs) to jointly locate the origin of epidemic spreading attacks. ADs in the NFA collaborate in a distributed protocol for post-mortem analysis of worm-like attacks. Information exchange between any two participating ADs is limited to traffic records that are known to both sides, maintaining the privacy of participants. Such an architecture is incentive-compatible: participants benefit by gaining better local investigative capabilities, even with partial deployment. Further, we show that by sharing local investigation results, ADs can achieve global investigative capabilities that are comparable to a centralized implementation with access to global traffic records. Our evaluation demonstrates that it is feasible for large-scale attack investigation to be incrementally deployed in an Internet-like federation.