Empirically derived analytic models of wide-area TCP connections
IEEE/ACM Transactions on Networking (TON)
Web server workload characterization: the search for invariants
Proceedings of the 1996 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
ACM Transactions on Computer Systems (TOCS)
Code-Red: a case study on the spread and victims of an internet worm
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurement
How to Own the Internet in Your Spare Time
Proceedings of the 11th USENIX Security Symposium
Internet intrusions: global characteristics and prevalence
SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
IEEE Security and Privacy
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Inferring internet denial-of-service activity
SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
Autograph: toward automated, distributed worm signature detection
SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Wide-area Internet traffic patterns and characteristics
IEEE Network: The Magazine of Global Internetworking
Profiling internet backbone traffic: behavior models and applications
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Scalability, fidelity, and containment in the potemkin virtual honeyfarm
Proceedings of the twentieth ACM symposium on Operating systems principles
Bottleneck detection in UMTS via TCP passive monitoring: a real case
CoNEXT '05 Proceedings of the 2005 ACM conference on Emerging network experiment and technology
The monitoring and early detection of internet worms
IEEE/ACM Transactions on Networking (TON)
The limits of global scanning worm detectors in the presence of background noise
Proceedings of the 2005 ACM workshop on Rapid malcode
The detection of RCS worm epidemics
Proceedings of the 2005 ACM workshop on Rapid malcode
PlanetLab: overview, history, and future directions
ACM SIGOPS Operating Systems Review
Countering Security Information Overload through Alert and Packet Visualization
IEEE Computer Graphics and Applications
Unwanted traffic in 3G networks
ACM SIGCOMM Computer Communication Review
ACM SIGCOMM Computer Communication Review
Resource-aware multi-format network security data storage
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
VLDB '06 Proceedings of the 32nd international conference on Very large data bases
Finding diversity in remote code injection exploits
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
binpac: a yacc for writing application protocol parsers
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Internet-scale malware mitigation: combining intelligence of the control and data plane
Proceedings of the 4th ACM workshop on Recurring malcode
Replayer: automatic protocol replay by binary analysis
Proceedings of the 13th ACM conference on Computer and communications security
Diagnosis of capacity bottlenecks via passive monitoring in 3G networks: An empirical analysis
Computer Networks: The International Journal of Computer and Telecommunications Networking
Anticipatory distributed packet filter configurations for carrier-grade IP networks
Computer Networks: The International Journal of Computer and Telecommunications Networking
Data reduction for the scalable automated analysis of distributed darknet traffic
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Exploiting underlying structure for detailed reconstruction of an internet-scale event
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Collaborating against common enemies
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Reducing unwanted traffic in a backbone network
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop
The spoofer project: inferring the extent of source address filtering on the internet
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop
Adaptive defense against various network attacks
SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet Workshop
An architecture for generating semantics-aware signatures
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Mapping internet sensors with probe response attacks
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Vulnerabilities of passive internet threat monitors
SSYM'05 Proceedings of the 14th conference on USENIX Security Symposium - Volume 14
Identifying and tracking suspicious activities through IP gray space analysis
Proceedings of the 3rd annual ACM workshop on Mining network data
Challenging the anomaly detection paradigm: a provocative discussion
NSPW '06 Proceedings of the 2006 workshop on New security paradigms
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Learning network structure from passive measurements
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Proceedings of the 14th ACM conference on Computer and communications security
HotBots'07 Proceedings of the first conference on First Workshop on Hot Topics in Understanding Botnets
Dependable security: testing network intrusion detection systems
HotDep'07 Proceedings of the 3rd workshop on Hot Topics in System Dependability
Deterministic and stochastic models for the detection of random constant scanning worms
ACM Transactions on Modeling and Computer Simulation (TOMACS)
Tracking port scanners on the IP backbone
Proceedings of the 2007 workshop on Large scale attack defense
Syntax vs. semantics: competing approaches to dynamic network intrusion detection
International Journal of Security and Networks
Gray's anatomy: dissecting scanning activities using IP gray space analysis
SYSML'07 Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques
The heisenbot uncertainty problem: challenges in separating bots from chaff
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Ghost turns zombie: exploring the life cycle of web-based malware
LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
A case study in testing a network security algorithm
Proceedings of the 4th International Conference on Testbeds and research infrastructures for the development of networks & communities
Network discovery from passive measurements
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Existence Plots: A Low-Resolution Time Series for Port Behavior Analysis
VizSec '08 Proceedings of the 5th international workshop on Visualization for Computer Security
Privacy oracle: a system for finding application leaks with black box differential testing
Proceedings of the 15th ACM conference on Computer and communications security
Towards a taxonomy of network scanning techniques
Proceedings of the 2008 annual research conference of the South African Institute of Computer Scientists and Information Technologists on IT research in developing countries: riding the wave of technology
Highly predictive blacklisting
SS'08 Proceedings of the 17th conference on Security symposium
An image processing approach to traffic anomaly detection
Proceedings of the 4th Asian Conference on Internet Engineering
Internet traffic behavior profiling for network security monitoring
IEEE/ACM Transactions on Networking (TON)
Efficient application identification and the temporal and spatial stability of classification schema
Computer Networks: The International Journal of Computer and Telecommunications Networking
Toward a Scalable Visualization System for Network Traffic Monitoring
IEICE - Transactions on Information and Systems
Automating analysis of large-scale botnet probing events
Proceedings of the 4th International Symposium on Information, Computer, and Communications Security
Bunker: a privacy-oriented platform for network tracing
NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Scan Surveillance in Internet Networks
NETWORKING '09 Proceedings of the 8th International IFIP-TC 6 Networking Conference
Proceedings of the ACM SIGKDD Workshop on CyberSecurity and Intelligence Informatics
An Attacker-Defender Game for Honeynets
COCOON '09 Proceedings of the 15th Annual International Conference on Computing and Combinatorics
An adaptive approach to granular real-time anomaly detection
EURASIP Journal on Advances in Signal Processing - Special issue on signal processing applications in network intrusion detection systems
Understanding the efficacy of deployed internet source address validation filtering
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
A visualization tool for exploring multi-scale network traffic anomalies
SPECTS'09 Proceedings of the 12th international conference on Symposium on Performance Evaluation of Computer & Telecommunication Systems
A Labeled Data Set for Flow-Based Intrusion Detection
IPOM '09 Proceedings of the 9th IEEE International Workshop on IP Operations and Management
The WOMBAT Attack Attribution Method: Some Results
ICISS '09 Proceedings of the 5th International Conference on Information Systems Security
An empirical study of malware evolution
COMSNETS'09 Proceedings of the First international conference on COMmunication Systems And NETworks
Review: A review of DoS attack models for 3G cellular networks from a system-design perspective
Computer Communications
Real-time behaviour profiling for network monitoring
International Journal of Internet Protocol Technology
A visualization framework for traffic data exploration and scan detection
NTMS'09 Proceedings of the 3rd international conference on New technologies, mobility and security
Lightweight opportunistic tunneling (LOT)
ESORICS'09 Proceedings of the 14th European conference on Research in computer security
Estimating routing symmetry on single links by passive flow measurements
Proceedings of the 6th International Wireless Communications and Mobile Computing Conference
Predictive network anomaly detection and visualization
IEEE Transactions on Information Forensics and Security
Cuckoo bags for exploring multikey data
Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research
Toward instrumenting network warfare competitions to generate labeled datasets
CSET'09 Proceedings of the 2nd conference on Cyber security experimentation and test
Internet background radiation revisited
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Demystifying service discovery: implementing an internet-wide scanner
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
On a multicriteria clustering approach for attack attribution
ACM SIGKDD Explorations Newsletter
Experience with high-speed automated application-identification for network-management
Proceedings of the 5th ACM/IEEE Symposium on Architectures for Networking and Communications Systems
Network intrusion detection with semantics-aware capability
IPDPS'06 Proceedings of the 20th international conference on Parallel and distributed processing
Idle port scanning and non-interference analysis of network protocol stacks using model checking
USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Set-up and deployment of a high-interaction honeypot: experiment and lessons learned
Journal in Computer Virology
Characterizing Intelligence Gathering and Control on an Edge Network
ACM Transactions on Internet Technology (TOIT)
Honeynet games: a game theoretic approach to defending network monitors
Journal of Combinatorial Optimization
Analysis of country-wide internet outages caused by censorship
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
ACM SIGCOMM Computer Communication Review
COPS: quality of service vs. any service at all
IWQoS'05 Proceedings of the 13th international conference on Quality of Service
A network activity classification schema and its application to scan detection
IEEE/ACM Transactions on Networking (TON)
Traffic anomaly detection and characterization in the tunisian national university network
NETWORKING'06 Proceedings of the 5th international IFIP-TC6 conference on Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems
Anticipatory distributed packet filter configuration for carrier-grade IP-Networks
NETWORKING'06 Proceedings of the 5th international IFIP-TC6 conference on Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems
Interactive visualization for network and port scan detection
RAID'05 Proceedings of the 8th international conference on Recent Advances in Intrusion Detection
Fast and evasive attacks: highlighting the challenges ahead
RAID'06 Proceedings of the 9th international conference on Recent Advances in Intrusion Detection
One-way traffic monitoring with iatmon
PAM'12 Proceedings of the 13th international conference on Passive and Active Measurement
LOT: A Defense Against IP Spoofing and Flooding Attacks
ACM Transactions on Information and System Security (TISSEC)
Networking Recon: Network reconnaissance
Network Security
Intrusion Detection: Towards scalable intrusion detection
Network Security
An orchestration approach for unwanted Internet traffic identification
Computer Networks: The International Journal of Computer and Telecommunications Networking
Tracking malicious hosts on a 10gbps backbone link
NordSec'10 Proceedings of the 15th Nordic conference on Information Security Technology for Applications
Classifying internet one-way traffic
Proceedings of the 2012 ACM conference on Internet measurement conference
Understanding IPv6 internet background radiation
Proceedings of the 2013 conference on Internet measurement conference
Towards a GPU accelerated virtual machine for massively parallel packet classification and filtering
Proceedings of the South African Institute for Computer Scientists and Information Technologists Conference
A scalable network forensics mechanism for stealthy self-propagating attacks
Computer Communications
SEC'13 Proceedings of the 22nd USENIX conference on Security
Estimating internet address space usage through passive measurements
ACM SIGCOMM Computer Communication Review
Demystifying internet-wide service discovery
IEEE/ACM Transactions on Networking (TON)
Characterizing home network traffic: an inside view
Personal and Ubiquitous Computing
Monitoring any portion of the Internet address space reveals incessant activity. This holds even when monitoring traffic sent to unused addresses, which we term "background radiation." Background radiation reflects fundamentally nonproductive traffic, either malicious (flooding backscatter, scans for vulnerabilities, worms) or benign (misconfigurations). While the general presence of background radiation is well known to the network operator community, its nature has yet to be broadly characterized. We develop such a characterization based on data collected from four unused networks in the Internet. Two key elements of our methodology are (i) the use of filtering to reduce load on the measurement system, and (ii) the use of active responders to elicit further activity from scanners in order to distinguish different types of background radiation. We break down the components of background radiation by protocol, application, and often specific exploit; analyze temporal patterns and correlated activity; and assess variations across different networks and over time. While we find a menagerie of activity, probes from worms and autorooters heavily dominate. We conclude with considerations of how to incorporate our characterizations into monitoring and detection activities.