
Mapping internet sensors with probe response attacks

USENIX Security, pp.13-13, (2005)

Cited by: 168

Abstract

Internet sensor networks, including honeypots and log analysis centers such as the SANS Internet Storm Center, are used as a tool to detect malicious Internet traffic. For maximum effectiveness, such networks publish public reports without disclosing sensor locations, so that the Internet community can take steps to counteract the malicio...

Introduction
  • The occurrence of widespread Internet attacks has resulted in the creation of systems for monitoring and producing statistics related to Internet traffic patterns and anomalies
  • Such systems include log collection and analysis centers [1, 2, 3, 4, 5], collaborative intrusion detection systems [6, 7], honeypots [8, 9], Internet sinks [10], and network telescopes [11].
  • It is quite possible to send several TCP/IP packets to every address; the practical issues relating to such a task are considered in Section 5
Highlights
  • The occurrence of widespread Internet attacks has resulted in the creation of systems for monitoring and producing statistics related to Internet traffic patterns and anomalies
  • Such systems include log collection and analysis centers [1, 2, 3, 4, 5], collaborative intrusion detection systems [6, 7], honeypots [8, 9], Internet sinks [10], and network telescopes [11]. The integrity of these systems is based upon the critical assumption that the IP addresses of systems that serve as sensors are secret
  • In this paper we developed a general attack technique called probe response, which is capable of determining the location of Internet sensors that publicly display statistics
  • We simulated a probe response attack on the SANS Internet Storm Center, as well as on various distributions of sensor nodes that could occur in other sensor networks, and were able to determine the set of monitored addresses within a few days with limited resources
  • Our current mapping algorithm is an adaptive probe response algorithm, since each round depends on the output of the previous round
Results
  • The authors determined that a near optimal set of parameters for the OC6 attacker was a multiple source factor of two with a source based noise cancellation factor of four and a report noise cancellation factor of eight.
  • This balances the number of packets required by the multiple source technique with the number required by the report noise cancellation factor, and allows for 25 percent more ports to be used for the OC6 attack than were used for the T3 attack
Conclusion
  • In this paper the authors developed a general attack technique called probe response, which is capable of determining the location of Internet sensors that publicly display statistics.
  • Ongoing and future work includes developing and evaluating a non-adaptive approach for efficiently mapping Internet sensor networks that infrequently provide data sets or delay reports.
  • Such networks include the University of Michigan Internet Motion Sensor [19, 20], CAIDA [2], and iSink [10].
  • Another issue to be investigated in future work is the effectiveness of proposed countermeasures
Tables
  • Table1: Example packet filter log that might be submitted to the ISC
  • Table2: Example excerpt from an ISC port report
  • Table3: Ports with little activity
  • Table4: Time to map sensor locations. (ISC sensor distribution)
  • Table5: Essential mapping results
Related work
  • Guidelines for the design of a Cyber Center for Disease Control, a sophisticated Internet sensor network and analysis center, have been previously proposed [29]. Staniford et al. mention that the set of sensors must be either widespread or secret in order to prevent attackers from avoiding them entirely. They assess the openness with which a Cyber CDC should operate and conclude that such a system should only make subsets of information publicly available. Their contribution includes a qualitative analysis of trade-offs but not a quantitative analysis of the nature of the threat. In this paper, we develop an algorithm that serves to delineate the precise factors that need to be considered when designing Internet analysis centers for security and privacy. In addition, we investigate how quickly the algorithm can determine sensor identities through a case study on the Internet Storm Center, as well as for more general locations of the sensor nodes. Lincoln et al. [30] prototype a privacy preserving system with live sensors and analyze the system's performance, but do not analyze mapping attacks or defenses. Gross et al. [25] describe a system which uses Bloom filters to preserve the privacy of the sensors. In Section 7.1 we describe how probe response techniques could efficiently subvert Bloom filters.
Funding
  • This work was supported in part by the U.S. Army Research Laboratory and the U.S. Army Research Office under grant number DAAD19-01-1-0502
References
  • [1] The SANS Internet Storm Center, http://isc.sans.org.
  • [2] CAIDA, the Cooperative Association for Internet Data Analysis, http://www.caida.org.
  • [3] Computer Emergency Response Team. AirCERT. http://www.cert.org/kb/aircert/, 2003.
  • [4] C. Zou, L. Gao, W. Gong, and D. Towsley. Monitoring and Early Warning for Internet Worms. Proceedings of CCS'03, October 2003.
  • [5] The National Strategy to Secure Cyberspace, http://www.securecyberspace.gov.
  • [6] V. Yegneswaran, P. Barford, and S. Jha. Global Intrusion Detection in the DOMINO Overlay System. Proceedings of the 2004 Network and Distributed System Security Symposium (NDSS 2004), February 2004.
  • [7] M. Locasto, J. Parekh, S. Stolfo, A. Keromytis, T. Malkin, and V. Misra. Collaborative Distributed Intrusion Detection. Tech Report CUCS-012-04, Department of Computer Science, Columbia University, 2004.
  • [8] N. Provos. Honeyd - a virtual honeypot daemon. Proceedings of the 10th DFN-CERT Workshop, February 2003.
  • [9] L. Spitzner. Know Your Enemy: Honeynets. Honeynet Project, http://project.honeynet.org/papers/honeynet.
  • [10] V. Yegneswaran, P. Barford, and D. Plonka. On the Design and Utility of Internet Sinks for Network Abuse Monitoring. Proceedings of Symposium on Recent Advances in Intrusion Detection (RAID), September 2003.
  • [11] D. Moore. Network Telescopes: Observing Small or Distant Security Events. Invited Presentation at the 11th USENIX Security Symposium (SEC 02), August 2002.
  • [12] V. Yegneswaran, P. Barford, and J. Ullrich. Internet Intrusions: Global Characteristics and Prevalence. Proceedings of ACM SIGMETRICS, June 2003.
  • [13] R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson. Characteristics of Internet Background Radiation. Proceedings of ACM SIGCOMM/USENIX Internet Measurement Conference, October 2004.
  • [14] H. Kim and B. Karp. Autograph: Toward Automated, Distributed Worm Signature Detection. USENIX Security Symposium, 2004.
  • [15] C. Kreibich and J. Crowcroft. Honeycomb: Creating Intrusion Detection Signatures Using Honeypots. Proceedings of the IEEE Symposium on Security and Privacy, May 2004.
  • [16] S. Singh, C. Estan, G. Varghese, and S. Savage. The EarlyBird System for Real-time Detection of Unknown Worms. Technical Report CS2003-0761, UCSD, August 2003.
  • [17] Symantec DeepSight Threat Management System Technology Brief.
  • [18] The myNetWatchman Project, http://www.mynetwatchman.com.
  • [19] The University of Michigan Motion Sensor, http://ims.eecs.umich.edu.
  • [20] M. Bailey, E. Cooke, F. Jahanian, J. Nazario, and D. Watson. The Internet Motion Sensor: A Distributed Blackhole Monitoring System. Proceedings of the 12th Annual Network and Distributed System Security Symposium, February 2005.
  • [21] D. Moore, C. Shannon, and J. Brown. Code-Red: A Case Study on the Spread and Victims of an Internet Worm. Proceedings of the 2nd ACM Internet Measurement Workshop, pages 273-284. ACM Press, November 2002.
  • [22] D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, and N. Weaver. Inside the Slammer Worm. IEEE Security and Privacy, 1(4):33-39, July 2003.
  • [23] D. Moore, G. Voelker, and S. Savage. Inferring Internet Denial-of-Service Activity. Proceedings of USENIX Security Symposium, 2001.
  • [24] B. Bloom. Space/Time Trade-Offs in Hash Coding With Allowable Errors. Communications of the ACM, 13(7):422-426, 1970.
  • [25] P. Gross, J. Parekh, and G. Kaiser. Secure "Selecticast" for Collaborative Intrusion Detection Systems. Proceedings of the 3rd International Workshop on Distributed Event-Based Systems (DEBS'04), May 2004.
  • [26] A. Slagell, J. Wang, and W. Yurcik. Network Log Anonymization: Application of Crypto-PAn to Cisco Netflows. Proceedings of the Workshop on Secure Knowledge Management 2004, September 2004.
  • [27] G. Minshall. TCPdpriv: Program for Eliminating Confidential Information from Traces. Ipsilon Networks, Inc. http://ita.ee.lbl.gov/html/contrib/tcpdpriv.html
  • [28] J. Xu, J. Fan, M. Ammar, and S. Moon. Prefix-Preserving IP Address Anonymization: Measurement-based Security Evaluation and a New Cryptography-based Scheme. Proceedings of the 10th IEEE International Conference on Network Protocols (ICNP'02), November 2002.
  • [29] S. Staniford, V. Paxson, and N. Weaver. How to 0wn the Internet in Your Spare Time. Proceedings of the 11th USENIX Security Symposium, 2002.
  • [30] P. Lincoln, P. Porras, and V. Shmatikov. Privacy-Preserving Sharing and Correlation of Security Alerts. Proceedings of the 13th USENIX Security Symposium, 2004.
  • [31] A. Slagell and W. Yurcik. Sharing Computer Network Logs for Security and Privacy: A Motivation for New Methodologies of Anonymization. ACM Computing Research Repository (CoRR) Technical Report 0409005, September 2004.
  • [32] R. Pang and V. Paxson. A High-level Programming Environment for Packet Trace Anonymization and Transformation. Proceedings of SIGCOMM 2003, August 2003.
  • [33] K. Carr and D. Duffy. Taking the Internet by Storm. CSOonline.com, April 2003.
  • [34] The DShield Project, http://www.dshield.org.
  • [35] D.Z. Du and F. Hwang. Combinatorial Group Testing and Its Applications. World Scientific, Singapore, 2000.
  • [36] The Cymru Project Bogon List, http://www.cymru.com/Bogons/.
  • [37] Symantec Internet Security Threat Report, Volume VI, September 2004.
  • [38] B. Lampson. A Note on the Confinement Problem. Communications of the ACM, 16(10):613-615, October 1973.
  • [39] L. von Ahn, M. Blum, N. Hopper, and J. Langford. CAPTCHA: Using Hard AI Problems for Security. EUROCRYPT 2003.
  • [40] T. Chown. IPv6 Implications for TCP/UDP Port Scanning. IETF Internet Work In Progress Draft, July 2004.