Network intrusions have been a fact of life in the Internet for many years. However, as is the case with many other types of Internet-wide phenomena, gaining insight into the global characteristics of intrusions is challenging. In this paper we address this problem by systematically analyzing a set of firewall logs collected over four months from over 1600 different networks world wide. The first part of our study is a general analysis focused on the issues of distribution, categorization and prevalence of intrusions. Our data shows both a large quantity and wide variety of intrusion attempts on a daily basis. We also find that worms like CodeRed, Nimda and SQL Snake persist long after their original release. By projecting intrusion activity as seen in our data sets to the entire Internet we determine that there are typically on the order of 25B intrusion attempts per day and that there is an increasing trend over our measurement period. We further find that sources of intrusions are uniformly spread across the Autonomous System space. However, deeper investigation reveals that a very small collection of sources are responsible for a significant fraction of intrusion attempts in any given month and their on/off patterns exhibit cliques of correlated behavior. We show that the distribution of source IP addresses of the non-worm intrusions as a function of the number of attempts follows Zipf's law. We also find that at daily timescales, intrusion targets often depict significant spatial trends that blur patterns observed from individual "IP telescopes"; this underscores the necessity for a more global approach to intrusion detection. Finally, we investigate the benefits of shared information, and the potential for using this as a foundation for an automated, global intrusion detection framework that would identify and isolate intrusions with greater precision and robustness than systems with limited perspective.
[1]
Azer Bestavros,et al.
On the marginal utility of network topology measurements
,
2001,
IMW '01.
[2]
Yougu Yuan,et al.
Global Routing Instabilities Triggered by Code Red II and Nimda Worm Attacks
,
2001
.
[3]
R.K. Cunningham,et al.
Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation
,
2000,
Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.
[4]
George Kingsley Zipf,et al.
Human behavior and the principle of least effort
,
1949
.
[5]
Vern Paxson,et al.
How to Own the Internet in Your Spare Time
,
2002,
USENIX Security Symposium.
[6]
Andrea Kirkby.
Honeynet Phase Two: Knowing Your Enemy More
,
2001
.
[7]
Vern Paxson,et al.
Bro: a system for detecting network intruders in real-time
,
1998,
Comput. Networks.
[8]
Alex C. Snoeren,et al.
Hash-based IP traceback
,
2001,
SIGCOMM '01.
[9]
Anna R. Karlin,et al.
Practical network support for IP traceback
,
2000,
SIGCOMM.
[10]
Stuart Staniford-Chen,et al.
Practical Automated Detection of Stealthy Portscans
,
2002,
J. Comput. Secur..
[11]
R. Gray.
Entropy and Information Theory
,
1990,
Springer New York.
[12]
Yin Zhang,et al.
Detecting Stepping Stones
,
2000,
USENIX Security Symposium.
[13]
Michalis Faloutsos,et al.
On power-law relationships of the Internet topology
,
1999,
SIGCOMM '99.
[14]
Frédéric Cuppens,et al.
Alert correlation in a cooperative intrusion detection framework
,
2002,
Proceedings 2002 IEEE Symposium on Security and Privacy.