Data reduction for the scalable automated analysis of distributed darknet traffic

Authors:
Michael Bailey;Evan Cooke;Farnam Jahanian;Niels Provos;Karl Rosaen;David Watson
Affiliations:
University of Michigan;University of Michigan;University of Michigan, Arbor Networks, Inc.;Google, Inc.;University of Michigan;University of Michigan
Venue:
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Year:
2005

Citing 18
Cited 11

An extensible probe architecture for network protocol performance measurement

Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication
A statistical approach to predictive detection

Computer Networks: The International Journal of Computer and Telecommunications Networking - Special issue on selected topics in network and systems management
Honeypots: Tracking Hackers

Honeypots: Tracking Hackers
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Code-Red: a case study on the spread and victims of an internet worm

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Adaptive Thresholding for Proactive Network Problem Detection

SMW '98 Proceedings of the IEEE Third International Workshop on Systems Management
A Sense of Self for Unix Processes

SP '96 Proceedings of the 1996 IEEE Symposium on Security and Privacy
Inside the Slammer Worm

IEEE Security and Privacy
Backtracking intrusions

SOSP '03 Proceedings of the nineteenth ACM symposium on Operating systems principles
The Spread of the Witty Worm

IEEE Security and Privacy
Characteristics of internet background radiation

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Toward understanding distributed blackhole placement

Proceedings of the 2004 ACM workshop on Rapid malcode
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
The Blaster Worm: Then and Now

IEEE Security and Privacy
Scalability, fidelity, and containment in the potemkin virtual honeyfarm

Proceedings of the twentieth ACM symposium on Operating systems principles
Inferring internet denial-of-service activity

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
A virtual honeypot framework

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13
Collapsar: a VM-based architecture for network attack detention center

SSYM'04 Proceedings of the 13th conference on USENIX Security Symposium - Volume 13

Scalability, fidelity, and containment in the potemkin virtual honeyfarm

Proceedings of the twentieth ACM symposium on Operating systems principles
Modifying first person shooter games to perform real time network monitoring and control tasks

NetGames '06 Proceedings of 5th ACM SIGCOMM workshop on Network and system support for games
Wide-scale data stream management

ATC'08 USENIX 2008 Annual Technical Conference on Annual Technical Conference
Finding Corrupted Computers Using Imperfect Intrusion Prevention System Event Data

SAFECOMP '08 Proceedings of the 27th international conference on Computer Safety, Reliability, and Security
Outsourcing home network security

Proceedings of the 2010 ACM SIGCOMM workshop on Home networks
Internet background radiation revisited

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
BotGrep: finding P2P bots with structured graph analysis

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Extracting benefit from harm: using malware pollution to analyze the impact of political and geophysical events on the internet

ACM SIGCOMM Computer Communication Review
Behavior analysis of long-term cyber attacks in the darknet

ICONIP'12 Proceedings of the 19th international conference on Neural Information Processing - Volume Part V
Understanding IPv6 internet background radiation

Proceedings of the 2013 conference on Internet measurement conference
A scalable network forensics mechanism for stealthy self-propagating attacks

Computer Communications

Quantified Score

Hi-index	0.00

Visualization

Abstract

Threats to the privacy of users and to the availability of Internet infrastructure are evolving at a tremendous rate. To characterize these emerging threats, researchers must effectively balance monitoring the large number of hosts needed to quickly build confidence in new attacks, while still preserving the detail required to differentiate these attacks. One class of techniques that attempts to achieve this balance involves hybrid systems that combine the scalable monitoring of unused address blocks (or darknets) with forensic honeypots (or honeyfarms). In this paper we examine the properties of individual and distributed darknets to determine the effectiveness of building scalable hybrid systems. We show that individual darknets are dominated by a small number of sources repeating the same actions. This enables source-based techniques to be effective at reducing the number of connections to be evaluated by over 90%. We demonstrate that the dominance of locally targeted attack behavior and the limited life of random scanning hosts result in few of these sources being repeated across darknets. To achieve reductions beyond source-based approaches, we look to source-distribution based methods and expand them to include notions of local and global behavior. We show that this approach is effective at reducing the number of events by deploying it in 30 production networks during early 2005. Each of the identified events during this period represented a major globally-scoped attack including the WINS vulnerability scanning, Veritas Backup Agent vulnerability scanning, and the MySQL Worm.