Passive Internet monitoring is a powerful tool for measuring and characterizing interesting network activity such as worms or distributed denial-of-service attacks. By applying statistical analysis to the captured network traffic, Internet threat monitors gain valuable insight into the nature of Internet threats. In the past, these monitors have been used successfully not only to detect DoS attacks and worm outbreaks but also to track worm propagation trends and other malicious activity on the Internet. Today, passive Internet threat monitors are widely recognized as an important technology for detecting and understanding anomalies on the Internet at a macroscopic level. Unfortunately, monitors that publish their results on the Internet provide a feedback loop that adversaries can use to deduce a monitor's sensor locations. Knowledge of a monitor's sensor locations can severely reduce its usefulness, since the captured data may then have been tampered with and can no longer be trusted. This paper describes algorithms for detecting which address spaces an Internet threat monitor listens to and presents empirical evidence that they succeed in locating the sensor positions of monitors deployed on the Internet. We also present solutions for making passive Internet threat monitors "harder to detect".