
Tracking Malicious Hosts on a 10Gbps Backbone Link

  • Conference paper
Information Security Technology for Applications (NordSec 2010)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7127)

Abstract

We use anonymized flow data collected from a 10Gbps backbone link to discover and analyze malicious flow patterns. Even though such data may be rather difficult to interpret, we show how to bootstrap our analysis with a set of malicious hosts to discover more obscure patterns. Our analysis spans from simple attribute aggregates (such as top IP and port numbers) to advanced temporal analysis of communication patterns between normal and malicious hosts. For example, we found some complex communication patterns that possibly lasted for over a week. Furthermore, several malicious hosts were active over the whole data collection period, despite being blacklisted. We also discuss the problems of working with anonymized data. Given that this type of privacy-sensitive backbone data would not be available for analysis without proper anonymization, we show that it can still offer many novel insights, valuable for both network researchers and practitioners.
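The abstract describes a two-stage method: start from a seed set of known malicious hosts (a blacklist), compute simple attribute aggregates over the flows that touch them, then look at who talks to them and for how long over the collection period. The following is an added illustration of that workflow, not code from the paper. The flow record layout, the seed blacklist and the nine sample flows are constructed; the example assumes one record per unidirectional flow with `src` as the initiating side, and that addresses were anonymized with a prefix-preserving scheme, so grouping by anonymized /24 still groups hosts that share a real /24 even though the prefix itself cannot be mapped back without the key.

```python
"""Seed-bootstrapped analysis of anonymized backbone flow records.

Added illustrative example; this is not code from the paper. The record
layout, the seed blacklist and the sample flows are constructed for the
example. Assumptions: one record per unidirectional flow, `src` is the
initiating side, and addresses are anonymized with a prefix-preserving
scheme so that grouping by /24 still groups hosts that share a real /24.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass(frozen=True)
class Flow:
    ts: int       # flow start, seconds since start of collection
    src: str      # anonymized initiating address
    dst: str      # anonymized responding address
    dport: int
    proto: str


# Constructed seed set, standing in for a public blacklist.
SEEDS = {"10.1.2.3", "10.1.2.77"}

# Constructed 14-day sample. 10.1.2.3 is seen on day 0 and day 13;
# 10.50.7.7 repeatedly initiates contact with it; 10.9.0.x are targets.
FLOWS = [
    Flow(0 * DAY + 10,   "10.1.2.3",  "10.9.0.1",  445,  "tcp"),
    Flow(0 * DAY + 20,   "10.1.2.3",  "10.9.0.2",  445,  "tcp"),
    Flow(0 * DAY + 300,  "10.50.7.7", "10.1.2.3",  6667, "tcp"),
    Flow(1 * DAY + 5,    "10.1.2.77", "10.9.0.1",  445,  "tcp"),
    Flow(1 * DAY + 50,   "10.60.1.1", "10.1.2.77", 80,   "tcp"),
    Flow(2 * DAY + 5,    "10.1.2.77", "10.9.0.2",  53,   "udp"),
    Flow(3 * DAY + 400,  "10.50.7.7", "10.1.2.3",  6667, "tcp"),
    Flow(8 * DAY + 100,  "10.1.2.3",  "10.50.7.7", 6667, "tcp"),
    Flow(13 * DAY + 500, "10.1.2.3",  "10.9.0.1",  445,  "tcp"),
]
PERIOD_END = 14 * DAY


def flows_touching(flows, hosts):
    """Flows with a seed host on either end."""
    return [f for f in flows if f.src in hosts or f.dst in hosts]


def top_ports(flows, n=3):
    """Simple attribute aggregate: most common (proto, dport) pairs."""
    return Counter((f.proto, f.dport) for f in flows).most_common(n)


def top_source_prefixes(flows, n=3):
    """Aggregate by anonymized source /24. Only meaningful when the
    anonymization is prefix-preserving (assumed here)."""
    return Counter(f.src.rsplit(".", 1)[0] for f in flows).most_common(n)


def activity_span(flows, host):
    """(first, last) timestamp at which `host` appears, or None."""
    ts = [f.ts for f in flows if host in (f.src, f.dst)]
    return (min(ts), max(ts)) if ts else None


def active_whole_period(flows, hosts, period_end, slack=DAY):
    """Hosts seen within `slack` of both the start and the end of collection,
    i.e. still active despite being on the seed blacklist."""
    out = set()
    for h in hosts:
        span = activity_span(flows, h)
        if span and span[0] <= slack and span[1] >= period_end - slack:
            out.add(h)
    return out


def expand_seed_set(flows, seeds, min_flows=2, min_days=2):
    """Bootstrap step: non-seed hosts that repeatedly initiate flows to a
    seed host, on at least `min_days` distinct days, become candidates.
    Hosts that are only contacted by seeds (scan targets) are not flagged."""
    initiations = defaultdict(list)
    for f in flows:
        if f.dst in seeds and f.src not in seeds:
            initiations[f.src].append(f.ts)
    return {h for h, ts in initiations.items()
            if len(ts) >= min_flows and len({t // DAY for t in ts}) >= min_days}


if __name__ == "__main__":
    touched = flows_touching(FLOWS, SEEDS)
    print("top ports:", top_ports(touched))
    print("top src /24s:", top_source_prefixes(touched))
    print("active whole period:", active_whole_period(FLOWS, SEEDS, PERIOD_END))
    print("new candidates:", expand_seed_set(FLOWS, SEEDS))
```

Direction matters in the bootstrap step: a host that is only ever contacted by a blacklisted host is most likely a scan target, whereas a host that keeps initiating connections to one over several days is a candidate for the next round of analysis. The candidate set is a lead for manual inspection, not a verdict; on real data the thresholds have to be tuned against the background scanning noise a backbone link carries.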

This work is supported by the Swedish Civil Contingencies Agency (MSB) and SUNET. The research leading to these results has received funding from the European Union Seventh Framework Programme (FP7/2007-2013) under grant agreement no 257007.

Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Almgren, M., John, W. (2012). Tracking Malicious Hosts on a 10Gbps Backbone Link. In: Aura, T., Järvinen, K., Nyberg, K. (eds) Information Security Technology for Applications. NordSec 2010. Lecture Notes in Computer Science, vol 7127. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27937-9_8

  • DOI: https://doi.org/10.1007/978-3-642-27937-9_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-27936-2

  • Online ISBN: 978-3-642-27937-9
