A practical study on noise-tolerant PN code-based localisation attacks to internet threat monitors

Internet threat monitoring systems are studied and developed to understand malicious activity on the internet. On the other hand, it is known that attackers have devised a technique that locates the sensors constituting such a monitoring system. This technique is called a localisation attack on internet threat monitors. If attackers can detect the sensors, they can evade them when they initiate malicious activity. The latest method detects sensors with a lower probing traffic volume than the previous one because it adopts a pseudo noise (PN) code-based scheme inspired by spread spectrum technology. However, when other monitoring packets interfere as strong noise, the detection accuracy of the method decreases. For this reason, defenders need to prepare under the assumption that attackers will improve the PN code-based method to increase its resistance to strong noise by exploiting multiple ports, rather than a single port, for detecting a sensor. Therefore, for the purpose of security research, we devised a noise-tolerant PN code-based localisation attack from the standpoint of an attacker. Performance evaluation was conducted on real internet monitoring datasets obtained in different periods of time. In this paper, we show the detection accuracy and the stealthiness of our devised method compared with the existing one.
