Data reduction for the scalable automated analysis of distributed darknet traffic

Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Volumn , Issue , 2005, Pages 239-252

  Bailey, Michael ^a   Cooke, Evan ^a   Jahanian, Farnam ^a   Provos, Niels ^b   Rosaen, Karl ^a   Watson, David ^a  

^a UNIVERSITY OF MICHIGAN   (United States)

^b GOOGLE INC   (United States)

Author keywords

[No Author keywords available]

Indexed keywords

ATTACK BEHAVIOR; AUTOMATED ANALYSIS; GLOBAL BEHAVIORS; HONEYPOTS; INTERNET INFRASTRUCTURE; NUMBER OF SOURCES; PRODUCTION NETWORK; RANDOM SCANNING;

HYBRID SYSTEMS;

SCANNING;

EID: 84878677794     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: None     Document Type: Conference Paper

References (41)

1. Michael Bailey, Evan Cooke, Tim Battles, and Danny McPherson. Tracking global threats with the Internet Motion Sensor. 32nd Meeting of the North American Network Operators Group, October 2004.
2. Michael Bailey, Evan Cooke, Farnam Jahanian, Jose Nazario, and David Watson. The Internet Motion Sensor: A distributed blackhole monitoring system. In Proceedings of Network and Distributed System Security Symposium (NDSS '05), San Diego, CA, February 2005.
3. Michael Bailey, Evan Cooke, David Watson, Faranam Jahanian, and Jose Nazario. The Blaster Worm: Then and Now. IEEE Security & Privacy, 3(4):26-31, 2005.
4. Lawrence Baldwin. My Net Watchman - Network Intrusion Detection and Reporting. http://www.mynetwatchman.com/, 2005.
5. Bill Cheswick. An evening with Berferd in which a cracker is lured, endured, and studied. In Proceedings of the Winter 1992 USENIX Conference: January 20 - January 24, 1992, San Francisco, California, pages 163-174, Berkeley, CA, USA, Winter 1992.
6. Fred Cohen. A Short Course on Computer Viruses. John Wiley & Sons, 2nd edition, April 1994.
7. Evan Cooke, Michael Bailey, Z. Morley Mao, David Watson, and Farnam Jahanian. Toward understanding distributed blackhole placement. In Proceedings of the 2004 ACM Workshop on Rapid Malcode (WORM-04), New York, October 29 2004. ACM Press.
8. Team CYMRU. The darknet project. http://www.cymru.com/Darknet/index.html, June 2004.
9. David Dagon, Xinzhou Qin, Guofei Gu, Julian Grizzard, John Levine, Wenke Lee, and Henry Owen. Honeystat: Local worm detection using honeypots. In Recent Advances in Intrusion Detection, 7th International Symposium, (RAID 2004), Lecture Notes in Computer Science, Sophia-Antipolis, French Riviera, France, October 2004. Springer.
10. Stephanie Forrest, Steven A. Hofmeyr, Anil Somayaji, and Thomas A. Longstaff. A sense of self for Unix processes. In Proceedings of the IEEE Symposium on Research in Security and Privacy, pages 120-128, Oakland, CA, May 1996.
11. Andrea L. Foster. Colleges Brace for the Next Worm. The Chronicle of Higher Education, 50(28), 2004.
12. Joseph L. Hellerstein, Fan Zhang, and Shahabuddin Shahabuddin. A statistical approach to predictive detection. Computer Networks (Amsterdam, Netherlands: 1999), 35(1):77-95, January 2001.
13. Cisco Systems Inc. Netflow services and applications. http://www.cisco.com/warp/public/cc/pd/iosw/ioft/neflct/tech/nappswp.htm, 2002.
14. Chuanyi Ji and Marina Thottan. Adaptive thresholding for proactive network problem detection. In Third IEEE International Workshop on Systems Management, pages 108-116, Newport, Rhode Island, April 1998.
15. Xuxian Jiang and Dongyan Xu. Collapsar: A VM-based architecture for network attack detention center. In Proceedings of the 13th USENIX Security Symposium, San Diego, CA, USA, August 2004.
16. Samuel T. King and Peter M. Chen. Backtracking intrusions. In Proceedings of the 19th ACM Symposium on Operating Systems Principles (SOSP'03), pages 223-236, Bolton Landing, NY, USA, October 2003. ACM.
17. Lad, Zhao, Zhang, Massey, and Zhang. Analysis of BGP update surge during slammer worm attack. In International Workshop on Distributed Computing: Mobile and Wireless Computing, LNCS, volume 5, 2003.
18. C. Leckie and R. Kotagiri. A probabilistic approach to detecting network scans. In Proceedings of the Eighth IEEE Network Operations and Management Symposium (NOMS 2002), pages 359-372, Florence, Italy, April 2002.
19. Robert Lemos. MySQL worm halted. http://ecoustics-cnet.com.com/ MySQL+worm+halted/2100-73493-5555242.html, January 2005.
20. G. Robert Malan and Farnam Jahanian. An extensible probe architecture for network protocol performance measurement. In Proceedings of ACM SIGCOMM, pages 177-185, Vancouver, British Columbia, September 1998.
21. David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, Stuart Staniford, and Nicholas Weaver. Inside the Slammer worm. IEEE Security & Privacy, 1(4):33-39, 2003.
22. David Moore, Colleen Shannon, Geoffrey M. Voelker, and Stefan Savage. Network telescopes. Technical Report CS2004-0795, UC San Diego, July 2004.
23. David Moore, Geoffrey M. Voelker, and Stefan Savage. Inferring Internet denial-of-service activity. In Proceedings of the Tenth USENIX Security Symposium, pages 9-22, Washington, D.C., August 2001.
24. Ruoming Pang, Vinod Yegneswaran, Paul Barford, Vern Paxson, and Larry Peterson. Characteristics of Internet background radiation. In Proceedings of the 4th ACM SIGCOMM conference on Internet measurement, pages 27-40. ACM Press, 2004.
25. Niels Provos. A Virtual Honeypot Framework. In Proceedings of the 13th USENIX Security Symposium, pages 1-14, San Diego, CA, USA, August 2004.
26. Reuters. Bank of America ATMs disrupted by virus. http://archive. infoworld.com/togo/1.html, January 2003.
27. S. Robertson, E. Siegel, M. Miller, and Stolfo Stolfo. Surveillance detection in high bandwidth environments. In Proceedings of the Third DARPA Information Survivability Conference and Exposition (DISCEX 2003). IEEE Computer Society Press, April 2003.
28. Martin Roesch. Snort - lightweight intrusion detection for networks. In USENIX, editor, Proceedings of the Thirteenth Systems Administration Conference (LISA XIII): November 7 - 12, 1999, Seattle, WA, USA, Berkeley, CA, USA, 1999. USENIX.
29. Amos Ron, David Plonka, Jeffery Kline, and Paul Barford. A signal analysis of network traffic anomalies. Internet Measurement Workshop 2002, August 09 2002.
30. Stefan Savage, Geoffrey Voelker, George Varghese, Vern Paxson, and Nicholas Weaver. Center for Internet epidemiology and defenses. NSF CyberTrust Center Proposal, 2004.
31. Colleen Shannon and David Moore. The spread of the Witty worm. IEEE Security & Privacy, 2(4):46-50, July/August 2004.
32. Colleen Shannon, David Moore, and Jeffery Brown. Code-red: a case study on the spread and victims of an Internet worm. In Proceedings of the Internet Measurement Workshop (IMW), December 2002.
33. Dug Song, Rob Malan, and Robert Stone. A snapshot of global Internet worm activity. FIRST Conference on Computer Security Incident Handling and Response, June 2002.
34. Lance Spitzner. Honeypots: Tracking Hackers. Addison-Wesley, 2002.
35. Lance Spitzner et al. The honeynet project. http://project.honeynet.org/, June 2004.
36. Symantec Corporation. DeepSight Analyzer. http://analyzer.securityfocus. com/, 2005.
37. Johannes Ullrich. DSHIELD. http://www.dshield.org, 2000.
38. Paul Barford Vinod Yegneswaran and Dave Plonka. On the design and use of Internet sinks for network abuse monitoring. In Recent Advances in Intrusion Detection - Proceedings of the 7th International Symposium (RAID 2004), Sophia Antipolis, French Riviera, France, October 2004.
39. Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Van-dekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage. Scalability, fidelity and containment in the potemkin virtual honey-farm. In To appear in Proceedings of the 20th ACM Symposium on Operating System Principles (SOSP), Brighton, UK, October 2005.
40. J. Wu, S. Vangala, L. Gao, and K. Kwiat. An effective architecture and algorithm for detecting worms with various scan techniques. In Proceedings of the Symposium on Network and Distributed Systems Security (NDSS 2004), San Diego, CA, February 2004. Internet Society.
41. Vinod Yegneswaran, Paul Barford, and Somesh Jha. Global intrusion detection in the DOMINO overlay system. In Proceedings of Network and Distributed System Security Symposium (NDSS '04), San Diego, CA, February 2004.