On the Design and Use of Internet Sinks for Network Abuse Monitoring

Yegneswaran, Vinod; Barford, Paul; Plonka, David

doi:10.1007/978-3-540-30143-1_8

Cited by 125 publications

(79 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We use IP-aliasing to emulate source and destination IP addresses from 32 different class C subnets (16 subnets for client IP addresses and 16 subnets for server IP addresses). We used the iSink system's active response capability to send response packets to malicious MACE traffic [19]. This enables bidirectional communication required to accurately recreate certain exploits.…”

Section: A Setup and Configurationmentioning

confidence: 99%

Improving NIDS Performance Through Hardware-based Connection Filtering

Garg

Yegneswaran

Barford

2006

2006 IEEE International Conference on Communications

Self Cite

View full text Add to dashboard Cite

Abstract-Traffic volume and diversity can have a significant impact on the ability of network intrusion detection systems (NIDS) to report malicious activity accurately. Based on the observation that a great deal of traffic is, in fact, not important to accurate attack identification, we investigate connection filtering as a method for improving the performance of NIDS. We describe three different classes of connection filters that were developed to explore the design space and trade off's in load reduction versus alarm rates. We implement instances of each filter class on a network processor that can be used with any NIDS that runs on commodity hardware, and evaluate the impact of each filter in a series of laboratory-based tests. First, we establish an idealized maximum performance by using static connection filters for all benign traffic. Next, we show that volume sensitive random connection filters can improve performance significantly with respect to alarm rates under heavy traffic load. Finally, we show that dynamic connection filters that attempt to infer benign traffic can improve performance almost to the level of idealized static filters. These results underscore the potential for hardware-based connection filtering as an effective means for improving the performance of NIDS.

show abstract

Section: A Setup and Configurationmentioning

confidence: 99%

Improving NIDS Performance Through Hardware-based Connection Filtering

Garg

Yegneswaran

Barford

2006

2006 IEEE International Conference on Communications

Self Cite

View full text Add to dashboard Cite

show abstract

“…There have been many real-world developments and deployments of ITM systems. Examples include DOMINO (Distributed Overlay for Monitoring InterNet Outbreaks) [8], SANs ISC (Internet Storm Center) [6], Internet Sink [9], Network Telescope [10], CAIDA [11], MyNetWatchMan [12], and Honeynet [13], [14].…”

Section: Introductionmentioning

confidence: 99%

“…If the locations of monitors are identified, the attacker can deliberately avoid these monitors and directly attack the uncovered IP address space. It is a known fact that the number of sub-networks covered by monitors is much smaller than the total number of subnetworks in the Internet [6], [9], [10]. In other words, the IP address space covered by monitors represents a very small portion of the entire IP address space [6].…”

Section: Introductionmentioning

confidence: 99%

An Invisible Localization Attack to Internet Threat Monitors

Wang

et al. 2009

IEEE Trans. Parallel Distrib. Syst.

View full text Add to dashboard Cite

Abstract-Internet threat monitoring (ITM) systems have been deployed to detect widespread attacks on the Internet in recent years. However, the effectiveness of ITM systems critically depends on the confidentiality of the location of their monitors. If adversaries learn the monitor locations of an ITM system, they can bypass the monitors and focus on the uncovered IP address space without being detected. In this paper, we study a new class of attacks, the invisible LOCalization (iLOC) attack. The iLOC attack can accurately and invisibly localize monitors of ITM systems. In the iLOC attack, the attacker launches lowrate port-scan traffic, encoded with a selected pseudo-noise code (PN-code), to targeted networks. While the secret PN-code is invisible to others, the attacker can accurately determine the existence of monitors in the targeted networks based on whether the PN-code is embedded in the report data queried from the data center of the ITM system. We formally analyze the impact of various parameters on attack effectiveness. We implement the iLOC attack and conduct the performance evaluation on a real-world ITM system to demonstrate the possibility of such attacks. We also conduct extensive simulations on the iLOC attack using real-world traces. Our data show that the iLOC attack can accurately identify monitors while being invisible to ITM systems. Finally, we present a set of guidelines to counteract the iLOC attack.

show abstract

“…On one hand, the source-based filtering mechanisms are effective at reducing large repeated traffic rates into small number of manageable events. iSinks [24] uses a filtering strategy consisting of analyzing the connections established with the first N destination IPs per every source IP. In subsequent work [25], the authors have improved the filtering mechanisms taking into account, for example, the source payload, source port, source destination and source connection.…”

Section: Traffic Classification and Filtering Mechanismsmentioning

confidence: 99%

“…sensors, redirectors, etc. ), such as network telescopes [19], darknet [20], blackholes [21], IMS [27], and iSinks [24], or software artifice assigned with a portion of routed IP address space. Instead of deploying a large number of HIHs across multiple networks, they can be centrally deployed in a consolidated location.…”

Section: Hih Mih Lihmentioning

confidence: 99%

Contribution to the Design of a Flexible and Adaptive Solution for the Management of Heterogeneous Honeypot Systems

Fan¹

View full text Add to dashboard Cite

On the Design and Use of Internet Sinks for Network Abuse Monitoring

Cited by 125 publications

References 16 publications

Improving NIDS Performance Through Hardware-based Connection Filtering

Improving NIDS Performance Through Hardware-based Connection Filtering

An Invisible Localization Attack to Internet Threat Monitors

Contribution to the Design of a Flexible and Adaptive Solution for the Management of Heterogeneous Honeypot Systems

Contact Info

Product

Resources

About