Network intrusions have been a fact of life in the Internet for many years. However, as is the case with many other types of Internet-wide phenomena, gaining insight into the global characteristics of intrusions is challenging. In this paper we address this problem by systematically analyzing a set of firewall logs collected over four months from over 1600 different networks worldwide. The first part of our study is a general analysis focused on the distribution, categorization and prevalence of intrusions. Our data shows both a large quantity and a wide variety of intrusion attempts on a daily basis. We also find that worms like CodeRed, Nimda and SQL Snake persist long after their original release. By projecting the intrusion activity seen in our data sets to the entire Internet, we determine that there are typically on the order of 25B intrusion attempts per day and that there is an increasing trend over our measurement period. We further find that sources of intrusions are uniformly spread across the Autonomous System space. However, deeper investigation reveals that a very small collection of sources is responsible for a significant fraction of intrusion attempts in any given month, and that their on/off patterns exhibit cliques of correlated behavior. We show that the distribution of source IP addresses of the non-worm intrusions, as a function of the number of attempts, follows Zipf's law. We also find that at daily timescales, intrusion targets often exhibit significant spatial trends that blur the patterns observed from individual "IP telescopes"; this underscores the necessity for a more global approach to intrusion detection. Finally, we investigate the benefits of shared information, and the potential for using it as the foundation for an automated, global intrusion detection framework that would identify and isolate intrusions with greater precision and robustness than systems with a limited perspective.