
Internet intrusions: global characteristics and prevalence

Published: 10 June 2003

Abstract

Network intrusions have been a fact of life on the Internet for many years. However, as with many other Internet-wide phenomena, gaining insight into the global characteristics of intrusions is challenging. In this paper we address this problem by systematically analyzing a set of firewall logs collected over four months from over 1600 different networks worldwide. The first part of our study is a general analysis focused on the distribution, categorization and prevalence of intrusions. Our data show both a large quantity and a wide variety of intrusion attempts on a daily basis. We also find that worms such as CodeRed, Nimda and SQL Snake persist long after their original release. By projecting the intrusion activity seen in our data sets to the entire Internet, we determine that there are typically on the order of 25B intrusion attempts per day, with an increasing trend over our measurement period. We further find that sources of intrusions are uniformly spread across the Autonomous System space. However, deeper investigation reveals that a very small collection of sources is responsible for a significant fraction of intrusion attempts in any given month, and their on/off patterns exhibit cliques of correlated behavior. We show that the distribution of source IP addresses of the non-worm intrusions, as a function of the number of attempts, follows Zipf's law. We also find that at daily timescales, intrusion targets often exhibit significant spatial trends that blur the patterns observed from individual "IP telescopes"; this underscores the need for a more global approach to intrusion detection. Finally, we investigate the benefits of shared information and the potential for using it as the foundation of an automated, global intrusion detection framework that would identify and isolate intrusions with greater precision and robustness than systems with a limited perspective.
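The abstract's source-concentration and Zipf's-law findings, as an added illustration that is not part of the paper or its data: constructed firewall log lines in a made-up format are aggregated per source IP, the rank-frequency slope is fit in log-log space, and a simple per-network scaling (an assumed projection method, not the paper's) extrapolates the daily count.

```python
import math
from collections import Counter

# Constructed firewall log lines, one per blocked attempt for a single day,
# in a made-up format: "<reporting-network> <source-ip> <dst-port>".
# Per-source counts are drawn from a Zipf-like distribution so that the
# rank-frequency fit below has something to recover.
def make_log(num_sources=50, exponent=1.0, hits_top=10000):
    lines = []
    for rank in range(1, num_sources + 1):
        hits = max(1, int(hits_top / rank ** exponent))
        src = f"198.51.100.{rank}"            # RFC 5737 documentation range
        port = 1433 if rank % 3 == 0 else 80  # SQL Snake-style vs. CodeRed/Nimda-style targets
        for i in range(hits):
            lines.append(f"net{i % 8} {src} {port}")   # spread across 8 reporting networks
    return lines

def count_per_source(lines):
    counts = Counter()
    for line in lines:
        _network, src, _port = line.split()
        counts[src] += 1
    return counts

def zipf_exponent(counts):
    """Least-squares slope of log(attempts) against log(rank).
    Zipf's law predicts a straight line; the returned value is the
    magnitude of its slope, near 1.0 for a classic Zipf distribution."""
    freqs = sorted(counts.values(), reverse=True)
    xs = [math.log(r) for r in range(1, len(freqs) + 1)]
    ys = [math.log(f) for f in freqs]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return -sxy / sxx

def top_k_share(counts, k):
    """Fraction of all attempts attributable to the k busiest sources."""
    freqs = sorted(counts.values(), reverse=True)
    return sum(freqs[:k]) / sum(freqs)

def project_daily(lines, networks_observed, networks_internet):
    """Assumed projection: scale the per-network average up by the number of
    networks on the Internet. An illustration only, not the paper's method."""
    return len(lines) / networks_observed * networks_internet

if __name__ == "__main__":
    log = make_log()
    per_src = count_per_source(log)
    print(f"sources={len(per_src)} attempts={len(log)}")
    print(f"zipf exponent ~ {zipf_exponent(per_src):.2f}")
    print(f"top 5 sources carry {top_k_share(per_src, 5):.0%} of attempts")
```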




Published In

ACM SIGMETRICS Performance Evaluation Review, Volume 31, Issue 1
June 2003
325 pages
ISSN: 0163-5999
DOI: 10.1145/885651

  • SIGMETRICS '03: Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
    June 2003
    338 pages
    ISBN: 1581136641
    DOI: 10.1145/781027

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. internet performance and monitoring
  2. network security
  3. wide area measurement

Qualifiers

  • Article


Cited By

  • (2024) Have you SYN me? Characterizing Ten Years of Internet Scanning. Proceedings of the 2024 ACM on Internet Measurement Conference, doi:10.1145/3646547.3688409, pp. 149-164, 4 Nov 2024.
  • (2021) An Effective Feature Extraction Mechanism for Intrusion Detection System. IEICE Transactions on Information and Systems, doi:10.1587/transinf.2021NGP0007, E104.D:11, pp. 1814-1827, 1 Nov 2021.
  • (2021) Internet-Wide Scanner Fingerprint Identifier Based on TCP/IP Header. 2021 Sixth International Conference on Fog and Mobile Edge Computing (FMEC), doi:10.1109/FMEC54266.2021.9732414, pp. 1-6, 6 Dec 2021.
  • (2020) Slow Scan Attack Detection Based on Communication Behavior. Proceedings of the 2020 10th International Conference on Communication and Network Security, doi:10.1145/3442520.3442525, pp. 14-20, 27 Nov 2020.
  • (2020) Discovering Collaboration: Unveiling Slow, Distributed Scanners based on Common Header Field Patterns. NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, doi:10.1109/NOMS47738.2020.9110444, pp. 1-9, 20 Apr 2020.
  • (2019) Pattern Discovery in Internet Background Radiation. IEEE Transactions on Big Data, doi:10.1109/TBDATA.2017.2723893, 5:4, pp. 467-480, 1 Dec 2019.
  • (2018) Coordinated scan detection algorithm based on the global characteristics of time sequence. International Journal of Computational Science and Engineering, doi:10.1504/IJCSE.2018.089576, 16:1, pp. 42-52, 1 Jan 2018.
  • (2018) Who is knocking on the Telnet Port. Proceedings of the 2018 on Asia Conference on Computer and Communications Security, doi:10.1145/3196494.3196537, pp. 625-636, 29 May 2018.
  • (2018) Constructing a Complete Timeline of a Security Incident by Aggregating Reports. 2018 13th Asia Joint Conference on Information Security (AsiaJCIS), doi:10.1109/AsiaJCIS.2018.00026, pp. 109-115, Aug 2018.
  • (2018) Sonification of Network Traffic for Detecting and Learning About Botnet Behavior. IEEE Access, doi:10.1109/ACCESS.2018.2847349, 6, pp. 33826-33839, 2018.
