Internet sensor networks, including honeypots and log analysis centers such as the SANS Internet Storm Center, are used as a tool to detect malicious Internet traffic. For maximum effectiveness, such networks publish public reports without disclosing sensor locations, so that the Internet community can take steps to counteract the malicious traffic. Maintaining sensor anonymity is critical because if the set of sensors is known, a malicious attacker could avoid the sensors entirely or could overwhelm the sensors with errant data. Motivated by the growing use of Internet sensors as a tool to monitor Internet traffic, we show that networks that publicly report statistics are vulnerable to intelligent probing to determine the location of sensors. In particular, we develop a new "probe response" attack technique with a number of optimizations for locating the sensors in currently deployed Internet sensor networks and illustrate the technique for a specific case study that shows how the attack would locate the sensors of the SANS Internet Storm Center using the published data from those sensors. Simulation results show that the attack can determine the identity of the sensors in this and other sensor networks in less than a week, even under a limited adversarial model. We detail critical vulnerabilities in several current anonymization schemes and demonstrate that we can quickly and efficiently discover the sensors even in the presence of sophisticated anonymity preserving methods such as prefix-preserving permutations or Bloom filters. Finally, we consider the characteristics of an Internet sensor which make it vulnerable to probe response attacks and discuss potential countermeasures.