An orchestration approach for unwanted Internet traffic identification

Computer Networks

Volumn 56, Issue 12, 2012, Pages 2805-2831

  Feitosa, Eduardo ^a,b   Souto, Eduardo ^b   Sadok, Djamel H ^a  

^a FEDERAL UNIVERSITY OF PERNAMBUCO   (Brazil)

^b FEDERAL UNIVERSITY OF AMAZONAS   (Brazil)

Author keywords

Alert correlation; Dempster Shafer Theory; Frequent episodes discovery; Orchestration; Unwanted Internet traffic

Indexed keywords

ALERT CORRELATION; DEMPSTER-SHAFER THEORY; FREQUENT EPISODES; INTERNET TRAFFIC; ORCHESTRATION;

DISTRIBUTED COMPUTER SYSTEMS; NETWORK PERFORMANCE;

INTERNET;

EID: 84863616826     PISSN: 13891286     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.comnet.2012.04.018     Document Type: Article

References (87)

1. CSI, Computer Security Institute. < http://www.gocsi.com >.
2. L.A. Gordon, M.P. Loeb, W. Lucyshyn, R. Rich, 2005 CSI/FBI Computer Crime Survey, in: 10th Annual Computer Crime and Security, 2005.
3. L.A. Gordon, M.P. Loeb, W. Lucyshyn, R. Rich, 2006 CSI/FBI Computer Crime Survey, in: 11th Annual Computer Crime and Security, 2006.
4. R. Richardson, 2007 CSI/FBI Computer Crime Survey, in: 12th Annual Computer Crime and Security, 2007.
5. Gartner, Gartner. < http://www.gartner.com >.
6. Radicati Group, Corporate Email Market 2006-2010. < http://www.radicati.com >.
7. F. Ricciato Unwanted traffic in 3G network SIGCOMM Computer Communications Review 36 2 2006 53 56
8. L. Anderson, E. Davies, L. Zhang, Report from the IAB workshop on Unwanted Traffic March 9-10 2006, IETF, Internet Informational RFC 4948, 2007.
9. B. Krishnamurthy, Unwanted traffic: Important problems, research approaches, in: Internet Architecture Board Workshop, 2006.
10. E. Davies Unwanted traffic IETF Journal 2007
11. C.V. Zhou, C. Leckie, and S. Karunasekera A survey of coordinated attacks and collaborative intrusion detection Computer & Security 29 1 2010 124 140
12. D. Sadok, E. Souto, E. Feitosa, J. Kelner, and L. Westberg RIP - a robust IP access architecture Computers & Security 28 6 2009 359 380
13. T. Gamer, M. Scharf, and M. Schöller Collaborative anomaly-based attack detection Self-Organizing Systems 4725/2007 2007 280 287
14. H.A. Ringberg, Privacy-Preserving Collaborative, Ph.D. thesis, Princeton University, 2009, p. 128.
15. E.H. Spafford The Internet worm program: an analysis SIGCOMM Computer Communications Review 19 1 1989 17 57
16. CNN, Cyber-attacks batter Web heavyweights. < http://www.cnn.com/2000/ TECH/computing/02/09/cyber.attacks.01/index.html >.
17. K. Xu, Z-L. Zhang, S. Bhattacharyya, Reducing unwanted traffic in a backbone network, in: Steps of Reducing Unwanted Traffic on the Internet Workshop (SRUTI), 2005.
18. J. Yarden, Case study: how much does unwanted Internet traffic really cost an organization? < http://articles.techrepublic.com.com/5100-10878-11- 5967393.html >.
19. R. Pang, V. Yegneswaran, P. Barford, V. Paxson, L. Peterson, Characteristics of Internet background radiation, in: Proceedings of the 4th ACM SIGCOMM Conference on Internet Measurement, 2004, pp. 27-40. (Pubitemid 40372029)
20. E.L. Feitosa, E. Souto, and D. Sadok Unwanted Internet traffic: concepts, characterization, and solutions Textbook of Mini courses of the VIII of the Brazilian Symposium on Information Security and Computing Systems (SBSeg'08) 2008 SBC Porto Alegre, Brazil (Chapter 3)
21. A. Brodsky, Comcast Case Is A Victory for the Internet. < http://www.publicknowledge.org/node/1686 >.
22. F-Secure, F-Secure Malware Information Pages: Small.DAM. < http://www.f-secure.com/v-descs/small-dam.shtml >.
23. Force10 Networks, P-Series Overview, 2008. < http://www. force10networks.com/products/pseries.asp >.
24. Cetacea Networks, OrcaFlow: Terabit-Class Network Traffic Anomaly Detection, 2008. < http://www.orcaflow.ca/orcaflow-ca >.
25. CloudShield Technologies, Hardware Solutions, 2008. < http://www.cloudshield.com/platform/hardware.asp.
26. Snort, 2009. < http://www.snort.org >.
27. NFS, Bro Intrusion Detection System, 2009. < http://bro-ids.org >.
28. Prelude-IDS Technologies, Prelude-IDS, 2009. < http://www.prelude-ids. com >.
29. N. Provos, Honeyd, 2009. < http://www.honeyd.org >.
30. Nephentes, 2009. < http://nepenthes.carnivore.it >.
31. N. Ye, Q. Chen, and C.M. Borror EWMA forecast of normal system activity for computer intrusion detection IEEE Transactions on Reliability 53 4 2004 557 566
32. J. Pikoulas, W. Buchanan, M. Mannion, K. Triantafyllopoulos, An agent-based bayesian forecasting model for enhanced network security, in: IEEE International Conference on Engineering of Computer-based Systems, 2001, pp. 247-254. (Pubitemid 32542139)
33. P. Hu, M.I. Heywood, Predicting intrusion with local linear models, in: Proceedings of the International Joint Conference on Neural Networks, 2003, pp. 1780-1785.
34. K. Xu, Z. Zhang, S. Bhattacharyya, Profiling Internet backbone traffic: behavior models and applications, in: 2005 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications (SIGCOMM '05), Philadelphia, Pennsylvania, USA, 2005, pp. 169-180. (Pubitemid 46323502)
35. L.H. Vilaça, E.L. Feitosa, D. Sadok, and J. Kelner Applying the frequency of episodes in alert correlation 10th Brazilian Symposium of Information Security and Computer Systems (SBSeg 2010) 2010 SBC Fortaleza, Brazil 241 254
36. H. Mannila, H. Toivonen, and A. Inkeri Verkamo Discovery of frequent episodes in event sequences Data Mining and Knowledge Discovery 1 3 1997 259 289 (Pubitemid 127721244)
37. MIT Lincoln Laboratory, DARPA Intrusion Detection Scenario Specific Data Sets, 2000. < http://www.ll.mit.edu/mission/communications/ist/corpora/ ideval/data/index.html >.
38. M. Qin, K. Hwang, Frequent episode rules for intrusive anomaly detection with internet data mining, in: USENIX Security Symposium, 2004.
39. B. Lins, E.L. Feitosa, and D. Sadok Applying Dempster-Shafer evidence theory in anomaly detection XXVII Brazilian Symposium of Computer Networks and Distributed Systems (SBRC'09) 2009 SBC Recife, Brazil 583 596
40. A.P. Dempster Upper and lower probabilities induced by a multivalued mapping Annals Mathematics Statistics 38 1967 325 339
41. A.P. Dempster Upper and lower probability inferences based on a sample from a finite univariate population Biometrika 54 1967 515 528
42. G. Shafer A Mathematical Theory of Evidence 1976 Princeton University Press Princeton
43. T. Reineking, Java Dempster Shafer Library, 2009. < http://sourceforge.net/projects/jds >.
44. OASIS, Web Services Business Process Execution Language Version 2.0, 2007. < http://docs.oasis-open.org/wsbpel/2.0/OS/wsbpel-v2.0-OS.html >.
45. T. Erl Service-Oriented Architecture: A Field Guide to Integrating XML and Web Services 2004 Prentice Hall PTR
46. Emerging Threats, 2010. < http://www.emergingthreates.net >.
47. Intrusense Packit, Network injection and capture, 2010. < http://www.intrusense.com/software/packit >.
48. Scapy, 2010. < http://www.secdev.org/projects/scapy >.
49. Ha.ckers, Slowloris HTTP DoS, 2010. < http://ha.ckers.org/slowloris >.
50. R. Hyatt Keeping DNS trustworthy ISSA Journal 2006 37 38
51. D. Kaminsky, The emergency of a theme, 2008. < http://www.doxpara.com/ ?p=1231 >.
52. Symantec, Outbreak alert: storm trojan, 2007. < http://www.symantec. com/outbreak/storm-trojan.html >.
53. Y. Robiah, S. Siti Rahayu, S. Shahrin, M.A. Faizal, M. Mohd Zaki, and R. Marliza New multi-step worm attack model Journal of Computing 2 1 2010
54. CERT, CERT Advisory CA-2003-20 W32/Blaster worm, 2003. < http://www.cert.org/advisories/CA-2003-20.html >.
55. TFTPy, TFTPy - A Pure Python TFTP Implementation, 2010. < http://tftpy.sourceforge.net >.
56. E.L. Feitosa, L.E. Oliveira, B. Lins, A. Carvalho Jr., R. Melo, D. Sadok, and U. Carmo Security information architecture for automation and control networks 8th Brazilian Symposium of Information Security and Computer Systems, Rio Grande do Sul 2008 SBC Brazil 17 30
57. IEEE, Standards for Local and Metropolitan Area Networks: Port based Network Access Control, IEEE Standard 802.1X-2001, June 2001.
58. SERPRO, Brazilian Federal Service of Data Processing, 2011. < http://www.serpro.gov.br >.
59. P.A. Porras, P.G. Neumann, EMERALD: event monitoring enabling responses to anomalous live disturbances, in: 20th National Information System Security Conference, 1997, pp. 353-357.
60. J. Mirkovic, and P. Reiher D-WARD: source-end defense against distributed denial-of-service attacks IEEE Transactions on Dependable and Secure Computing Archive 2 3 2005 216 232 (Pubitemid 41560432)
61. C. Papadopoulos, R. Lindell, J. Mehringer, A. Hussain, R. Govindan, Cossack: coordinated suppression of simultaneous attacks, in: Proceedings of 3rd DARPA information Survivability Conference and Exposition (DISCEX 2003), vol. 2, April 2003, pp. 94-96.
62. J. Mirkovic, M. Robinson, P. Reiher, and G. Kuenning Forming alliance for DDoS defenses Proceeding of the New Security Paradigms Workshop 2003 ACM Press 11 18
63. C. Edward, Y. Cai, D. Wilkinson, Secure collective defense system, in: IEEE Global Telecommunications Conference, 2004, pp. 2245-2249. (Pubitemid 40611005)
64. C.V. Zhou, C. Leckie, and S. Karunasekera Decentralized multi-dimensional alert correlation for collaborative intrusion detection Journal of Network and Computer Applications 2009 1106 1123
65. A.K. Ganame, J. Bourgeoisa, R. Bidou, and F. Spiesa A global security architecture for intrusion detection on computer networks Computers & Security 27 2008 30 47
66. A. Servin, and D. Kudenko Multi-agent reinforcement learning for intrusion detection Lecture Notes in Computer Science 4865 2008 211 223
67. Y.M.Z. Dayong, B. Quan, Z. Ye, P2P distributed intrusion detections by using mobile agents, in: Seventh IEEE/ACIS International Conference on Computer and Information Science, 2008 (ICIS 08), May 2008, pp. 259-65.
68. M. Rehak, M. Pechoucek, P. Celeda, V. Krmicek, P. Minarik, and D. Medvigy Collaborative attack detection in high-speed networks Proceedings of the 5th International Central and Eastern European conference on Multi-Agent Systems and Applications (CEEMAS'07) 2007 Springer Leipzig, Germany pp. 73-82
69. CAIDA, A day in the life of the Internet, 2008. < http://www.caida. org/projects/ditl/ >.
70. B. Lins, An Aggregation and Prioritization Scheme for Multi-Source Alerts, M.Sc. thesis, Federal University of Pernambuco, 2011.
71. CAIDA, The CAIDA DDoS Attack 2007 Dataset, 2010. < http://www.caida.org/data/passive/ddos-20070804-dataset.xml >.
72. UMASS Trace Repository, UMASS Trace Repository, 2010. < http://trace.cs.umass.edu >.
73. MAWI, MAWI Working Group Traffic Archive, 2010. < http://mawi.wide.ad. jp/mawi >.
74. H. Curry, D. Feinstein, B. Debar, The Intrusion Detection Message Exchange Format (IDMEF), IETF, Internet Experimental RFC 4765, 2007.
75. R. Danyliw, J. Meijer, Y. Demchenko, The Incident Object Description Exchange Format, IETF, Internet proposed standard RFC 5070, 2007.
76. B. Feinstein, G. Matthews, The Intrusion Detection Exchange Protocol, IETF, Internet experimental RFC 4767, 2007.
77. W3C, WSDL W3C Recommendation, 2007. < http://www.w3.org/TR/wsdl20- primer >.
78. W3C, OWL W3C Recommendation, 2004. < http://www.w3.org/TR/owl-features >.
79. P. Lincoln, P. Porra, V. Shmatikov, Privacy-preserving sharing and correlation of security alert, in: 13th USENIX Security Symposium, 2004, pp. 239-254.
80. D. Xu, P. Ning, Privacy-preserving alert correlation: a concept hierarchy based approach, in: 21st Annual Computer Security Applications Conference (ACSAC), 2005, pp. 489-498.
81. P. Gross, J. Parekh, G. Kaiser, Secure selecticast for collaborative intrusion detection systems, in: 3rd International Workshop on Distributed Event-based Systems (DEBS), 2004.
82. R. Janakiraman, M. Waldvogel, Q. Zhang, Indra: a peer-to-peer approach to network intrusion detection and prevention, in: IEEE WETICE 2003 Workshop on Enterprise Security, Linz, Austria, 2003, pp. 226-231.
83. V. Yegneswaran, P. Barford, S. Jha, Global intrusion detection in the DOMINO overlay system, Network and Distributed Security Symposium (NDSS), 2004.
84. J.E.M.S. Brandão, J.S. Fraga, P.M. Mafra, R.R. Obelheiro, A WS-based infrastructure for integrating intrusion detection systems in large-scale environments, in: CoopIS/DOA/ODBASE/GADA, 2006.
85. OASIS, Web services security: SOAP message security 1.0, 2009. < http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1. 0.pfd >.
86. T. Imamura, B. Dillaway, E. Simon. XML Encryption syntax and processing, W3C recommendation, 2002.
87. D. Eastlake, J. Reagle, D. Solo, XML-signature syntax and processing, IETF, Standards Track RFC 3275, 2002.