Evaluating a Dynamic Internet Threat Monitoring Method for Preventing PN Code-Based Localization Attack

Internet threat monitoring systems are developed to grasp malicious activity on the Internet. Such a system consists of a data center and sensors deployed across the Internet. The sensors capture malicious packets and report them to the data center, which analyzes the packets to investigate the latest attack trends and publishes the results. To keep the published results accurate, sensors are deployed in secret and hidden from outsiders. Attackers, on the other hand, try to detect the sensors in order to evade them; this is known as a localization attack on Internet threat monitoring systems. Recent localization attacks that adopt PN codes are sophisticated, and no effective countermeasure has been developed yet. We therefore propose a dynamic Internet threat monitoring method. As a countermeasure against PN code-based localization attacks, the method switches the set of sensors whose monitored results are reflected in the results published by the data center. We evaluated the method's tolerance to the attack by applying it to raw captured packets provided by nicter. Existing systems always publish the monitored results reported by all sensors, so the information our method provides is reduced compared to that of existing systems. However, we show that the decrease in information is sufficiently small.
