ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Internet intrusions: global characteristics and prevalence
Full text PdfPdf (699 KB)
Source ACM SIGMETRICS Performance Evaluation Review archive
Volume 31 ,  Issue 1  (June 2003) table of contents
SESSION: Internet characterization table of contents
Pages: 138 - 147  
Year of Publication: 2003
ISSN:0163-5999
Also published in ...
Authors
Vinod Yegneswaran  University of Wisconsin, Madison, WI
Paul Barford  University of Wisconsin, Madison, WI
Johannes Ullrich  SANS Institute
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 10,   Downloads (12 Months): 110,   Citation Count: 26
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/885651.781045
What is a DOI?

ABSTRACT

Network intrusions have been a fact of life in the Internet for many years. However, as is the case with many other types of Internet-wide phenomena, gaining insight into the global characteristics of intrusions is challenging. In this paper we address this problem by systematically analyzing a set of firewall logs collected over four months from over 1600 different networks world wide. The first part of our study is a general analysis focused on the issues of distribution, categorization and prevalence of intrusions. Our data shows both a large quantity and wide variety of intrusion attempts on a daily basis. We also find that worms like CodeRed, Nimda and SQL Snake persist long after their original release. By projecting intrusion activity as seen in our data sets to the entire Internet we determine that there are typically on the order of 25B intrusion attempts per day and that there is an increasing trend over our measurement period. We further find that sources of intrusions are uniformly spread across the Autonomous System space. However, deeper investigation reveals that a very small collection of sources are responsible for a significant fraction of intrusion attempts in any given month and their on/off patterns exhibit cliques of correlated behavior. We show that the distribution of source IP addresses of the non-worm intrusions as a function of the number of attempts follows Zipf's law. We also find that at daily timescales, intrusion targets often depict significant spatial trends that blur patterns observed from individual "IP telescopes"; this underscores the necessity for a more global approach to intrusion detection. Finally, we investigate the benefits of shared information, and the potential for using this as a foundation for an automated, global intrusion detection framework that would identify and isolate intrusions with greater precision and robustness than systems with limited perspective.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
George Bakos. SQLsnake code analysis. http://www.incidents.org/diary/diary.php? -- id = 157, 2002.
2
Paul Barford , Azer Bestavros , John Byers , Mark Crovella, On the marginal utility of network topology measurements, Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement, November 01-02, 2001, San Francisco, California, USA  [doi>10.1145/505202.505204]
 
3
CAIDA. CodeRed Worms a Global Threat. http://www.caida.org/analysis/security/code -- red/, 2001.
 
4
CERT Coordination Center. http://www.cert.org, 2001.
 
5
James Cowie, Andy T. Ogielski, B. J. Premore, and Yougu Yuan. Global Routing Instabilities Triggered by CodeRed II and Nimda Worm Attacks. http://www.renesys.com/projects/bgp_instability, 2001.
 
6
Frédéric Cuppens , Alexandre Miège, Alert Correlation in a Cooperative Intrusion Detection Framework, Proceedings of the 2002 IEEE Symposium on Security and Privacy, p.202, May 12-15, 2002
 
7
Kevin Van Dixon. Spoof bounce. http://rr.sans.org/intrusion/spoof.php, 2001.
8
Michalis Faloutsos , Petros Faloutsos , Christos Faloutsos, On power-law relationships of the Internet topology, Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication, p.251-262, August 30-September 03, 1999, Cambridge, Massachusetts, United States
 
9
Robert M. Gray, Entropy and information theory, Springer-Verlag New York, Inc., New York, NY, 1990
 
10
HoneyNet Project. Know Your Enemy: Honeynets. http://project.honeynet.org, 2001.
 
11
Brad Huffaker, Andre Broido, Kim Claffy, Marina Fomenkov, Sean McCreary, David Moore, and Oliver Jakubiec. Visualizing internet topology at a macrosocopic scale. http://www.caida.org/--analysis/topology/as_core_network/about.xml/, 2001.
 
12
Eeye Security Inc. Microsoft IIS Buffer Overflow Advisory. http://www.eeye.com/html/--Research/Advisories/AD20010618.html, 2001.
 
13
Richard Lippmann, David J. Fried, Isaac Graf, Joshua W. Haines, Kristopher R. Kendall, David McClung, Dan Weber, Seth E. Webster, Dan Wyschogrod, Robert K. Cunningham, and Marc A. Zissman. Evaluating Intrusion Detection systems: 1998 DARPA Off-line Intrusion Detection Evaluation. In Proceedings of IEEE Security Symposium, 1998.
 
14
McAfee. Virus alert. http://vil.nai.com/vil/content/v_9949.htm, 2002.
 
15
David Meyer. University of Oregon Route Views Project. http://antc.uoregon.edu/route--views/, 2002.
 
16
David Moore. Network Telescopes: Observing Small or Distant Security Events. http://www.caida.org/--outreach/presentations/2002/usenix_sec/, 2002.
 
17
David Moore, Goeffrey Voelker, and Stefan Savage. Inferring Internet Denial-of-Service Activity. In Proceedings of the 10th USENIX Security Symposium, 2001.
 
18
Vern Paxson. BRO: A System for Detecting Network Intruders in Real Time. In Proceedings of the 7th USENIX Security Symposium, 1998.
 
19
Marty Roesch. The SNORT Network Intrusion Detection System. http://www.snort.org, 2002.
20
Stefan Savage , David Wetherall , Anna Karlin , Tom Anderson, Practical network support for IP traceback, Proceedings of the conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, p.295-306, August 28-September 01, 2000, Stockholm, Sweden
21
Alex C. Snoeren, Hash-based IP traceback, Proceedings of the 2001 conference on Applications, technologies, architectures, and protocols for computer communications, p.3-14, August 2001, San Diego, California, United States
 
22
Stuart Staniford , James A. Hoagland , Joseph M. McAlerney, Practical automated detection of stealthy portscans, Journal of Computer Security, v.10 n.1-2, p.105-136, 2002
 
23
Stuart Staniford , Vern Paxson , Nicholas Weaver, How to Own the Internet in Your Spare Time, Proceedings of the 11th USENIX Security Symposium, p.149-167, August 05-09, 2002
 
24
Johannes Ullrich. DSHIELD. http://www.dshield.org, 2000.
 
25
Johannes Ullrich. MSSQL worm (sqlsnake) on the rise. http://www.incidents.org/diary/diary.php?--id = 156, 2002.
 
26
Yin Zhang and Vern Paxson. Detecting Stepping Stones. In Proceedings of the 9th USENIX Security Symposium, 2000.
 
27
G. Zipf. Human Behavior and the Principle of Least-Effort. Addison-Wesley, Cambridge, MA, 1949.

CITED BY  26
Avinash Sridharan , Tao Ye, Tracking port scanners on the IP backbone, Proceedings of the 2007 workshop on Large scale attack defense, August 27-27, 2007, Kyoto, Japan
Michael Liljenstam , David M. Nicol , Vincent H. Berk , Robert S. Gray, Simulating realistic network worm traffic for worm warning system design and testing, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA
Ruoming Pang , Vinod Yegneswaran , Paul Barford , Vern Paxson , Larry Peterson, Characteristics of internet background radiation, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
Cliff Changchun Zou , Lixin Gao , Weibo Gong , Don Towsley, Monitoring and early warning for internet worms, Proceedings of the 10th ACM conference on Computer and communications security, October 27-30, 2003, Washington D.C., USA
Anukool Lakhina , Konstantina Papagiannaki , Mark Crovella , Christophe Diot , Eric D. Kolaczyk , Nina Taft, Structural analysis of network traffic flows, ACM SIGMETRICS Performance Evaluation Review, v.32 n.1, June 2004
Jelena Mirkovic , Peter Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communication Review, v.34 n.2, April 2004
Alfonso Valdes , Martin Fong, Scalable visualization of propagating internet phenomena, Proceedings of the 2004 ACM workshop on Visualization and data mining for computer security, October 29-29, 2004, Washington DC, USA
Vasileios Vlachos , Stephanos Androutsellis-Theotokis , Diomidis Spinellis, Security applications of peer-to-peer networks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.45 n.2, p.195-205, 5 June 2004
Anukool Lakhina , Mark Crovella , Christiphe Diot, Characterization of network-wide anomalies in traffic flows, Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, October 25-27, 2004, Taormina, Sicily, Italy
Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Profiling internet backbone traffic: behavior models and applications, ACM SIGCOMM Computer Communication Review, v.35 n.4, October 2005
Graham Cormode , S. Muthukrishnan, What's new: finding significant differences in network data streams, IEEE/ACM Transactions on Networking (TON), v.13 n.6, p.1219-1232, December 2005
Marc Lelarge , Jean Bolot, Network externalities and the deployment of security features and protocols in the internet, ACM SIGMETRICS Performance Evaluation Review, v.36 n.1, June 2008
Andrew Kalafut , Abhinav Acharya , Minaxi Gupta, A study of malware in peer-to-peer networks, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
Dana Zhang , Christopher Leckie, An evaluation technique for network intrusion detection systems, Proceedings of the 1st international conference on Scalable information systems, p.23-es, May 30-June 01, 2006, Hong Kong
Zhichun Li , Yan Chen , Aaron Beach, Towards scalable and robust distributed intrusion alert fusion with good load balancing, Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, p.115-122, September 11-15, 2006, Pisa, Italy
Kalle Burbeck , Simin Nadjm-Tehrani, Adaptive real-time anomaly detection with incremental clustering, Information Security Tech. Report, v.12 n.1, p.56-67, January, 2007
Robert Schweller , Zhichun Li , Yan Chen , Yan Gao , Ashish Gupta , Yin Zhang , Peter A. Dinda , Ming-Yang Kao , Gokhan Memik, Reversible sketches: enabling monitoring and analysis over high-speed data streams, IEEE/ACM Transactions on Networking (TON), v.15 n.5, p.1059-1072, October 2007
Jian Zhang , Phillip Porras , Johannes Ullrich, Highly predictive blacklisting, Proceedings of the 17th conference on Security symposium, p.107-122, July 28-August 01, 2008, San Jose, CA
Phillip Porras , Vitaly Shmatikov, Large-scale collection and sanitization of network security data: risks and challenges, Proceedings of the 2006 workshop on New security paradigms, September 19-22, 2006, Germany
Carrie Gates , Carol Taylor, Challenging the anomaly detection paradigm: a provocative discussion, Proceedings of the 2006 workshop on New security paradigms, September 19-22, 2006, Germany
Mark Allman , Vern Paxson , Jeff Terrell, A brief history of scanning, Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 24-26, 2007, San Diego, California, USA
Martin Drozda , Sebastian Schildt , Sven Schaust , Sandra Einhellinger , Helena Szczerbicka, A TOOL FOR PROTOTYPING AIS BASED PROTECTION SYSTEMS FOR AD HOC AND SENSOR NETWORKS, Cybernetics and Systems, v.39 n.7, p.719-742, October 2008
Richard J Barnett , Barry Irwin, Towards a taxonomy of network scanning techniques, Proceedings of the 2008 annual research conference of the South African Institute of Computer Scientists and Information Technologists on IT research in developing countries: riding the wave of technology, p.1-7, October 06-08, 2008, Wilderness, South Africa
Michalis Polychronakis , Kostas G. Anagnostakis , Evangelos P. Markatos, Real-world polymorphic attack detection using network-level emulation, Proceedings of the 4th annual workshop on Cyber security and informaiton intelligence research: developing strategies to meet the cyber security and information intelligence challenges ahead, May 12-14, 2008, Oak Ridge, Tennessee
Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Internet traffic behavior profiling for network security monitoring, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1241-1252, December 2008
Patrick P. C. Lee , Tian Bu , Thomas Woo, On the detection of signaling DoS attacks on 3G/WiMax wireless networks, Computer Networks: The International Journal of Computer and Telecommunications Networking, v.53 n.15, p.2601-2616, October, 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.0 General
          Subjects: Security and protection (e.g., firewalls)

Additional Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.3 Network Operations
          Subjects: Network monitoring
  C.4 PERFORMANCE OF SYSTEMS
      Subjects: Performance attributes; Modeling techniques; Measurement techniques


General Terms:
Measurement, Performance, Security


Keywords:
internet performance and monitoring, network security, wide area measurement

Collaborative Colleagues:
Vinod Yegneswaran: colleagues
Paul Barford: colleagues
Johannes Ullrich: colleagues
This Article has also been published in:

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player