The Markov-modulated Poisson process (MMPP) cookbook
Performance Evaluation
Extending the IP internet through address reuse
ACM SIGCOMM Computer Communication Review
On the self-similar nature of Ethernet traffic (extended version)
IEEE/ACM Transactions on Networking (TON)
Wide area traffic: the failure of Poisson modeling
IEEE/ACM Transactions on Networking (TON)
IEEE/ACM Transactions on Networking (TON)
Proof of a fundamental result in self-similar traffic modeling
ACM SIGCOMM Computer Communication Review
Self-Similar Network Traffic and Performance Evaluation
Self-Similar Network Traffic and Performance Evaluation
A technique for counting natted hosts
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Internet intrusions: global characteristics and prevalence
SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Information Theory, Inference & Learning Algorithms
Information Theory, Inference & Learning Algorithms
Collaborating against common enemies
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Proceedings of the 2007 conference on Applications, technologies, architectures, and protocols for computer communications
Usage-based dhcp lease time optimization
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
My botnet is bigger than yours (maybe, better than yours): why size estimates remain challenging
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Accountable internet protocol (aip)
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Census and survey of the visible internet
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Highly predictive blacklisting
SS'08 Proceedings of the 17th conference on Security symposium
De-anonymizing the internet using unreliable IDs
Proceedings of the ACM SIGCOMM 2009 conference on Data communication
On dominant characteristics of residential broadband internet traffic
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Power-Law Distributions in Empirical Data
SIAM Review
Understanding block-level address usage in the visible internet
Proceedings of the ACM SIGCOMM 2010 conference
Netalyzr: illuminating the edge network
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
NAT usage in residential broadband networks
PAM'11 Proceedings of the 12th international conference on Passive and active measurement
Formalizing Anonymous Blacklisting Systems
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Self-similar characteristics of network intrusion attempts and the implications for predictability
Concurrency and Computation: Practice & Experience
The great IPv4 land grab: resource certification for the IPv4 grey market
Proceedings of the 10th ACM Workshop on Hot Topics in Networks
Geolocating IP addresses in cellular data networks
PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
A Pareto-modulated Poisson process (PMPP) model for long-range dependent traffic
Computer Communications
Intrusion as (anti)social communication: characterization and detection
Proceedings of the 18th ACM SIGKDD international conference on Knowledge discovery and data mining
| Hi-index | 0.00 |
An inherent feature of IP addresses is the aliasing that arises due to dynamic address allocation. This creates a significant barrier to the estimation of the malicious host population from a set of intrusion alerts. In this paper, we propose a method for estimating the number of malicious hosts that may have bound to an alerted address, based on the correlation of different data sets that were collected independently and a probabilistic model of host-to-address bindings. We analysed a two week trace of real-world intrusion alerts along with a global survey of ping responses, and inferred that over 80% of malicious addresses were bound to multiple hosts. Such aliasing effects highlight the inaccuracy of assuming static bindings between hosts and addresses when exact host identification is not possible due to privacy protection. However, our method demonstrates that reliable inferences can still be made when a sufficient overlap exists between the correlated data sets.