
The Contact Surface: A Technique for Exploring Internet Scale Emergent Behaviors

  • Conference paper
Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2008)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 5137)

Abstract

Large scale internet data analysis often concentrates on statistical measures for volume properties or is focused on the epidemiology of specific malcodes. We have developed a high level abstraction that we call the contact surface that allows us to visualize internet scale connection behaviours across the border of a monitored network. The contact surface is a time series of contact lines, each line plotting the number of outside sources that contact a specific number of inside hosts in a given time interval (typically an hour). In general, the lines follow a power law in the mid range with distinct outliers at the one destination per source and the hundreds to thousands of destinations per source ends. During some periods, however, the lines are perturbed with what appears to be a persistent bump or waterfall. We have studied two such episodes, one that persisted from at least January 2003 until August 2003 and another that appeared on February 11, 2004 and lasted until May 31, 2004. The exact cause of the former is unknown; however, the latter appears to have been caused by the Welchia.B worm. Similar activities are currently being reported by other observers. We hypothesize that the cause of the perturbation is low frequency periodic scanning by a small population of hosts scanning at the same rate. We have created simulations to explore the range of activities that might be observable and find reasonable agreement with the observed phenomena.
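The contact line defined in the abstract can be computed directly from border flow records. The following is an added example, not code from the paper: the flow tuples are constructed, and the `bumps` helper, its mid-range bounds and its factor-of-three threshold are illustrative assumptions, as is the 30-host scanner population standing in for the hypothesized low-rate periodic scanners.

```python
import math
from collections import Counter, defaultdict

def contact_surface(flows, interval=3600):
    """flows: iterable of (epoch_seconds, outside_src, inside_dst).
    Returns {interval_start: {destinations_contacted: number_of_sources}},
    i.e. one contact line per interval."""
    seen = defaultdict(set)            # (bucket, src) -> distinct inside hosts
    for ts, src, dst in flows:
        seen[(ts - ts % interval, src)].add(dst)
    surface = defaultdict(Counter)
    for (bucket, _src), hosts in seen.items():
        surface[bucket][len(hosts)] += 1
    return {b: dict(sorted(c.items())) for b, c in sorted(surface.items())}

def bumps(line, lo=2, hi=100, factor=3.0):
    """Least-squares fit of log(sources) = a + b*log(dests) over the mid
    range [lo, hi]; return destination counts whose source count exceeds
    the fitted power law by `factor` (bounds and factor are assumptions)."""
    pts = [(math.log(x), math.log(y)) for x, y in line.items() if lo <= x <= hi]
    mx = sum(p[0] for p in pts) / len(pts)
    my = sum(p[1] for p in pts) / len(pts)
    b = (sum((px - mx) * (py - my) for px, py in pts)
         / sum((px - mx) ** 2 for px, _ in pts))
    a = my - b * mx
    return [x for x, y in line.items()
            if lo <= x <= hi and y > factor * math.exp(a + b * math.log(x))]

def constructed_flows():
    """Constructed sample: two hours of power-law-like background traffic,
    plus (hour 1 only) 30 sources that each probe 12 inside hosts."""
    flows = []
    for hour in (0, 1):
        t = hour * 3600
        for d in range(1, 21):                      # sources fall off as ~d^-2
            for s in range(max(1, round(400 / d ** 2))):
                flows += [(t + j, f"bg-{d}-{s}", f"in-{j}") for j in range(d)]
    for s in range(30):                             # same slow rate for all
        flows += [(3600 + 300 * j, f"scan-{s}", f"in-{s + j}") for j in range(12)]
    return flows

if __name__ == "__main__":
    for start, line in contact_surface(constructed_flows()).items():
        print(start, "bump at:", bumps(line), "line:", line)
```

Because every scanner in the constructed population touches the same number of inside hosts per hour, they pile up at a single x value of the contact line, which is the kind of mid-range perturbation the fit flags.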



Editor information

Diego Zamboni


Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gates, C., McHugh, J. (2008). The Contact Surface: A Technique for Exploring Internet Scale Emergent Behaviors. In: Zamboni, D. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2008. Lecture Notes in Computer Science, vol 5137. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-70542-0_12


  • DOI: https://doi.org/10.1007/978-3-540-70542-0_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-70541-3

  • Online ISBN: 978-3-540-70542-0

  • eBook Packages: Computer Science, Computer Science (R0)
