Internet intrusions

Subscribe (Full Service)


	Search: The ACM Digital Library The Guide

	Feedback

Internet intrusions: global characteristics and prevalence

Full text

Pdf (699 KB)

Source

Joint International Conference on Measurement and Modeling of Computer Systems archive
Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems table of contents

San Diego, CA, USA

SESSION: Internet characterization table of contents

Pages: 138 - 147

Year of Publication: 2003

ISBN:1-58113-664-1

Also published in ...

Authors

Vinod Yegneswaran	University of Wisconsin, Madison, WI
Paul Barford	University of Wisconsin, Madison, WI
Johannes Ullrich	SANS Institute

Sponsor

ACM: Association for Computing Machinery

Publisher

ACM New York, NY, USA

Bibliometrics

Downloads (6 Weeks): 10, Downloads (12 Months): 110, Citation Count: 26

Additional Information:

abstract references cited by index terms collaborative colleagues

Tools and Actions:	Request Permissions Review this Article Save this Article to a Binder Display Formats: BibTeX EndNote ACM Ref

DOI Bookmark:	Use this link to bookmark this Article: http://doi.acm.org/10.1145/781027.781045 What is a DOI?

ABSTRACT

Network intrusions have been a fact of life in the Internet for many years. However, as is the case with many other types of Internet-wide phenomena, gaining insight into the global characteristics of intrusions is challenging. In this paper we address this problem by systematically analyzing a set of firewall logs collected over four months from over 1600 different networks world wide. The first part of our study is a general analysis focused on the issues of distribution, categorization and prevalence of intrusions. Our data shows both a large quantity and wide variety of intrusion attempts on a daily basis. We also find that worms like CodeRed, Nimda and SQL Snake persist long after their original release. By projecting intrusion activity as seen in our data sets to the entire Internet we determine that there are typically on the order of 25B intrusion attempts per day and that there is an increasing trend over our measurement period. We further find that sources of intrusions are uniformly spread across the Autonomous System space. However, deeper investigation reveals that a very small collection of sources are responsible for a significant fraction of intrusion attempts in any given month and their on/off patterns exhibit cliques of correlated behavior. We show that the distribution of source IP addresses of the non-worm intrusions as a function of the number of attempts follows Zipf's law. We also find that at daily timescales, intrusion targets often depict significant spatial trends that blur patterns observed from individual "IP telescopes"; this underscores the necessity for a more global approach to intrusion detection. Finally, we investigate the benefits of shared information, and the potential for using this as a foundation for an automated, global intrusion detection framework that would identify and isolate intrusions with greater precision and robustness than systems with limited perspective.

REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

	1	George Bakos. SQLsnake code analysis. http://www.incidents.org/diary/diary.php? -- id = 157, 2002.
	2	Paul Barford , Azer Bestavros , John Byers , Mark Crovella, On the marginal utility of network topology measurements, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, November 01-02, 2001, San Francisco, California, USA [doi>10.1145/505202.505204]
	3	CAIDA. CodeRed Worms a Global Threat. http://www.caida.org/analysis/security/code -- red/, 2001.
	4	CERT Coordination Center. http://www.cert.org, 2001.
	5	James Cowie, Andy T. Ogielski, B. J. Premore, and Yougu Yuan. Global Routing Instabilities Triggered by CodeRed II and Nimda Worm Attacks. http://www.renesys.com/projects/bgp_instability, 2001.
	6	Frédéric Cuppens , Alexandre Miège, Alert Correlation in a Cooperative Intrusion Detection Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.202, May 12-15, 2002
	7	Kevin Van Dixon. Spoof bounce. http://rr.sans.org/intrusion/spoof.php, 2001.
	8	Michalis Faloutsos , Petros Faloutsos , Christos Faloutsos, On power-law relationships of the Internet topology, Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication, p.251-262, August 30-September 03, 1999, Cambridge, Massachusetts, United States
	9	Robert M. Gray, Entropy and information theory, Springer-Verlag New York, Inc., New York, NY, 1990
	10	HoneyNet Project. Know Your Enemy: Honeynets. http://project.honeynet.org, 2001.
	11	Brad Huffaker, Andre Broido, Kim Claffy, Marina Fomenkov, Sean McCreary, David Moore, and Oliver Jakubiec. Visualizing internet topology at a macrosocopic scale. http://www.caida.org/--analysis/topology/as_core_network/about.xml/, 2001.
	12	Eeye Security Inc. Microsoft IIS Buffer Overflow Advisory. http://www.eeye.com/html/--Research/Advisories/AD20010618.html, 2001.
	13	Richard Lippmann, David J. Fried, Isaac Graf, Joshua W. Haines, Kristopher R. Kendall, David McClung, Dan Weber, Seth E. Webster, Dan Wyschogrod, Robert K. Cunningham, and Marc A. Zissman. Evaluating Intrusion Detection systems: 1998 DARPA Off-line Intrusion Detection Evaluation. In Proceedings of IEEE Security Symposium, 1998.
	14	McAfee. Virus alert. http://vil.nai.com/vil/content/v_9949.htm, 2002.
	15	David Meyer. University of Oregon Route Views Project. http://antc.uoregon.edu/route--views/, 2002.
	16	David Moore. Network Telescopes: Observing Small or Distant Security Events. http://www.caida.org/--outreach/presentations/2002/usenix_sec/, 2002.
	17	David Moore, Goeffrey Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, 2001.
	18	Vern Paxson. BRO: A System for Detecting Network Intruders in Real Time. In Proceedings of the 7th USENIX Security Symposium, 1998.
	19	Marty Roesch. The SNORT Network Intrusion Detection System. http://www.snort.org, 2002.
	20	Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
	21	Alex C. Snoeren, Hash-based IP traceback, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.3-14, August 2001, San Diego, California, United States
	22	Stuart Staniford , James A. Hoagland , Joseph M. McAlerney, Practical automated detection of stealthy portscans, Journal of Computer Security, v.10 n.1-2, p.105-136, 2002
	23	Stuart Staniford , Vern Paxson , Nicholas Weaver, How to Own the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, p.149-167, August 05-09, 2002
	24	Johannes Ullrich. DSHIELD. http://www.dshield.org, 2000.
	25	Johannes Ullrich. MSSQL worm (sqlsnake) on the rise. http://www.incidents.org/diary/diary.php?--id = 156, 2002.
	26	Yin Zhang and Vern Paxson. Detecting Stepping Stones. In Proceedings of the 9th USENIX Security Symposium, 2000.
	27	G. Zipf. Human Behavior and the Principle of Least-Effort. Addison-Wesley, Cambridge, MA, 1949.

CITED BY 26

	Avinash Sridharan , Tao Ye, Tracking port scanners on the IP backbone, Proceedings of the 2007 workshop on Large scale attack defense, August 27-27, 2007, Kyoto, Japan
	Michael Liljenstam , David M. Nicol , Vincent H. Berk , Robert S. Gray, Simulating realistic network worm traffic for worm warning system design and testing, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
	Ruoming Pang , Vinod Yegneswaran , Paul Barford , Vern Paxson , Larry Peterson, Characteristics of internet background radiation, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
	Cliff Changchun Zou , Lixin Gao , Weibo Gong , Don Towsley, Monitoring and early warning for internet worms, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
	Anukool Lakhina , Konstantina Papagiannaki , Mark Crovella , Christophe Diot , Eric D. Kolaczyk , Nina Taft, Structural analysis of network traffic flows, ACM SIGMETRICS Performance Evaluation Review, v.32 n.1, June 2004
	Jelena Mirkovic , Peter Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communication Review, v.34 n.2, April 2004
	Alfonso Valdes , Martin Fong, Scalable visualization of propagating internet phenomena, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA
	Vasileios Vlachos , Stephanos Androutsellis-Theotokis , Diomidis Spinellis, Security applications of peer-to-peer networks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.45 n.2, p.195-205, 5 June 2004
	Anukool Lakhina , Mark Crovella , Christiphe Diot, Characterization of network-wide anomalies in traffic flows, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
	Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Profiling internet backbone traffic: behavior models and applications, ACM SIGCOMM Computer Communication Review, v.35 n.4, October 2005
	Graham Cormode , S. Muthukrishnan, What's new: finding significant differences in network data streams, IEEE/ACM Transactions on Networking (TON), v.13 n.6, p.1219-1232, December 2005
	Marc Lelarge , Jean Bolot, Network externalities and the deployment of security features and protocols in the internet, ACM SIGMETRICS Performance Evaluation Review, v.36 n.1, June 2008
	Andrew Kalafut , Abhinav Acharya , Minaxi Gupta, A study of malware in peer-to-peer networks, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
	Dana Zhang , Christopher Leckie, An evaluation technique for network intrusion detection systems, Proceedings of the 1st international conference on Scalable information systems, p.23-es, May 30-June 01, 2006, Hong Kong
	Zhichun Li , Yan Chen , Aaron Beach, Towards scalable and robust distributed intrusion alert fusion with good load balancing, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.115-122, September 11-15, 2006, Pisa, Italy
	Kalle Burbeck , Simin Nadjm-Tehrani, Adaptive real-time anomaly detection with incremental clustering, Information Security Tech. Report, v.12 n.1, p.56-67, January, 2007
	Robert Schweller , Zhichun Li , Yan Chen , Yan Gao , Ashish Gupta , Yin Zhang , Peter A. Dinda , Ming-Yang Kao , Gokhan Memik, Reversible sketches: enabling monitoring and analysis over high-speed data streams, IEEE/ACM Transactions on Networking (TON), v.15 n.5, p.1059-1072, October 2007
	Jian Zhang , Phillip Porras , Johannes Ullrich, Highly predictive blacklisting, Proceedings of the 17th conference on Security symposium, p.107-122, July 28-August 01, 2008, San Jose, CA
	Phillip Porras , Vitaly Shmatikov, Large-scale collection and sanitization of network security data: risks and challenges, Proceedings of the 2006 workshop on New security paradigms, September 19-22, 2006, Germany
	Carrie Gates , Carol Taylor, Challenging the anomaly detection paradigm: a provocative discussion, Proceedings of the 2006 workshop on New security paradigms, September 19-22, 2006, Germany
	Mark Allman , Vern Paxson , Jeff Terrell, A brief history of scanning, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA
	Martin Drozda , Sebastian Schildt , Sven Schaust , Sandra Einhellinger , Helena Szczerbicka, A TOOL FOR PROTOTYPING AIS BASED PROTECTION SYSTEMS FOR AD HOC AND SENSOR NETWORKS, Cybernetics and Systems, v.39 n.7, p.719-742, October 2008
	Richard J Barnett , Barry Irwin, Towards a taxonomy of network scanning techniques, Proceedings of the 2008 annual research conference of the South African Institute of Computer Scientists and Information Technologists on IT research in developing countries: riding the wave of technology, p.1-7, October 06-08, 2008, Wilderness, South Africa
	Michalis Polychronakis , Kostas G. Anagnostakis , Evangelos P. Markatos, Real-world polymorphic attack detection using network-level emulation, Proceedings of the 4th annual workshop on Cyber security and informaiton intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead, May 12-14, 2008, Oak Ridge, Tennessee
	Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Internet traffic behavior profiling for network security monitoring, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1241-1252, December 2008
	Patrick P. C. Lee , Tian Bu , Thomas Woo, On the detection of signaling DoS attacks on 3G/WiMax wireless networks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.53 n.15, p.2601-2616, October, 2009