Tracking malicious hosts on a 10gbps backbone link

Authors:
Magnus Almgren;Wolfgang John
Affiliations:
Computer Science and Engineering, Chalmers University of Technology, Sweden;Computer Science and Engineering, Chalmers University of Technology, Sweden
Venue:
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
Year:
2010

Citing 8
Cited 1

Using Active Learning in Intrusion Detection

CSFW '04 Proceedings of the 17th IEEE workshop on Computer Security Foundations
Characteristics of internet background radiation

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Prefix-preserving IP address anonymization: measurement-based security evaluation and a new cryptography-based scheme

Computer Networks: The International Journal of Computer and Telecommunications Networking
The CoralReef Software Suite as a Tool for System and Network Administrators

LISA '01 Proceedings of the 15th USENIX conference on System administration
Passive measurement of one-way and two-way flow lifetimes

ACM SIGCOMM Computer Communication Review
A brief history of scanning

Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Runtime Monitoring and Dynamic Reconfiguration for Intrusion Detection Systems

RAID '09 Proceedings of the 12th International Symposium on Recent Advances in Intrusion Detection
Trends and differences in connection-behavior within classes of internet backbone traffic

PAM'08 Proceedings of the 9th international conference on Passive and active network measurement

On collection of large-scale multi-purpose datasets on internet backbone links

Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security

Quantified Score

Hi-index	0.00

Visualization

Abstract

We use anonymized flow data collected from a 10Gbps backbone link to discover and analyze malicious flow patterns. Even though such data may be rather difficult to interpret, we show how to bootstrap our analysis with a set of malicious hosts to discover more obscure patterns. Our analysis spans from simple attribute aggregates (such as top IP and port numbers) to advanced temporal analysis of communication patterns between normal and malicious hosts. For example, we found some complex communication patterns that possibly lasted for over a week. Furthermore, several malicious hosts were active over the whole data collection period, despite being blacklisted. We also discuss the problems of working with anonymized data. Given that this type of privacy-sensitive backbone data would not be available for analysis without proper anonymization, we show that it can still offer many novel insights, valuable for both network researchers and practitioners.