Abstract
Tracing down anonymous slow attackers creates number of challenges in network security. Simply analysing all traffic is not feasible. By aggregating information of large volume of events, it is possible to build a clear set of benchmarks of what should be considered as normal over extended period of time and hence to identify anomalies. This paper provides an anomaly based method for tracing down sources of slow suspicious activities in Cyber space. We present the theoretical account of our approach and experimental results.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Baseline Security Requirements for Network Security Zones in the Government of Canada (June 2007), http://www.cse-cst.gc.ca/its-sti/publications/itsg-csti/itsg22-eng.html#a42
Defend your network from slow scanning (March 2013), http://www.techrepublic.com/blog/security/defend-your-network-from-slow-scanning/361
Slowloris http dos (March 2013), http://ha.ckers.org/slowloris/
John, A., Sivakumar, T.: DDoS: Survey of Traceback Methods. International Journal of Recent Trends in Engineering 1(2) (May 2009)
Snoeren, A.C., Partridge, C., Sanchez, L.A., Jones, C.E., Tchakountio, F., Schwartz, B., Kent, S.T., Strayer, W.T.: Single-packet ip traceback. IEEE/ACM Trans. Netw. (2002)
Argus: Argus, the network audit record generation and utilization system (December 2012), http://www.qosient.com/argus/
Bradford, P.G., Brown, M., Self, B., Perdue, J.: Towards proactive computer system forensics. In: International Conference on Information Technology: Coding and Computing. IEEE Computer Society (2004)
Burch, H., Cheswick, B.: Tracing Anonymous Packets to Their Approximate Source. In: Proc. 2000 of USENIX LISA Conference (2000)
CERT Network Situational Awareness Team, Silk, the system for internet-level knowledge (December 2012), http://tools.netsa.cert.org/silk
Chivers, H., Clark, J.A., Nobles, P., Shaikh, S.A., Chen, H.: Knowing who to watch: Identifying attackers whose actions are hidden within false alarms and background noise. Information Systems Frontiers 15(1), 17–34 (2013)
Chivers, H., Nobles, P., Shaikh, S.A., Clark, J., Chen, H.: Accumulating evidence of insider attacks. In: MIST 2009 (In conjunction with IFIPTM 2009) CEUR Workshop Proceedings (2009)
Miller, D.: Softflowd, flow-based network traffic analyser (December 2012), http://www.mindrot.org/projects/softflowd/
Davidoff, S., Ham, J.: Network Forensics: Tracking Hackers through Cyberspace. Prentice Hall (2012)
de Tangil Rotaeche, G.S., Palomar, E., Garnacho, A.R., Álvarez, B.R.: Anonymity in the service of attackers. In: UPGRADE 2010, pp. 27–30 (2010)
Fienberg, S.E., Kadane, J.B.: The presentation of bayesian statistical analysis in legal proceedings. The Statistician 32, 88–98 (1983)
Sager, G.: Security fun with ocxmon and cflowd. In: Internet 2 Working Group (1998)
Kalutarage, H.K., Shaikh, S.A., Zhou, Q., James, A.E.: Sensing for suspicion at scale: A bayesian approach for cyber conflict attribution and reasoning. In: 4th International Conference on Cyber Conflict (CYCON 2012), pp. 1–19 (2012)
Kalutarage, H.K., Shaikh, S.A., Zhou, Q., James, A.E.: How do we effectively monitor for slow suspicious activities? In: Proceedings of the International Symposium on Engineering Secure Software and Systems (ESSoS-DS 2013) CEUR Workshop Proceedings (2013), http://ceur-ws.org/Vol-965/paper06-essos2013.pdf
Mitropoulos, S.: Network forensics: towards a classification of traceback mechanisms. In: Workshop of the 1st International Conference on Security and Privacy for Emerging Areas in Communication Networks (2005)
NS3 Development Team, Ns3 discrete-event network simulator for internet systems (2011), http://www.nsnam.org/
ProQueSys, Flowtraq, for effective monitoring, security, and forensics in a network environment (December 2012), http://www.flowtraq.com/corporate/product/flowtraq
Schultz, E.E., Shumway, R.: Incident response: A strategic guide for system and network security breaches Indianapolis. New Riders (2001)
Smith, A.F.M.: Present position and potential developments: Some personal views bayesian statistics. Journal of the Royal Statistical Society 147(2), 245–259 (1984)
Stefan, S., David, W., Anna, K., Tom, A.: Network support for ip traceback. IEEE/ACM Transactions on Networking 9(3), 226–237 (2001)
Stone, R.: CenterTrack: An IP overlay network for tracking DoS floods. In: USENIX Security Symposium (2000)
Streilein, W.W., Cunningham, R.K., Webster, S.E.: Improved detection of low profile probe and novel denial of service attacks. In: Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection (2002)
Heberlein, T.: Tactical operations and strategic intelligence: Sensor purpose and placement. Net Squared Inc., Tech. Rep. TR-2002-04.02 (2002)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kalutarage, H.K., Shaikh, S.A., Zhou, Q., James, A.E. (2013). Tracing Sources of Anonymous Slow Suspicious Activities. In: Lopez, J., Huang, X., Sandhu, R. (eds) Network and System Security. NSS 2013. Lecture Notes in Computer Science, vol 7873. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38631-2_10
Download citation
DOI: https://doi.org/10.1007/978-3-642-38631-2_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38630-5
Online ISBN: 978-3-642-38631-2
eBook Packages: Computer ScienceComputer Science (R0)