Computing Publications

Observing Internet Worm and Virus Attacks with a Small Network Telescope

Uli Harder, Matthew Johnson, Jeremy T. Bradley, William J. Knottenbelt

Conference or Workshop Paper
PASM 2005, 2nd International Workshop on the Practical Application of Stochastic Modelling
June, 2006
Electronic Notes in Theoretical Computer Science
Volume 151
Issue 3
pp. 47–59
Elsevier
ISSN 1571-0661
DOI 10.1016/j.entcs.2006.03.011
Abstract

A network telescope is a portion of IP address space dedicated to observing inbound internet traffic. The purpose of a network telescope is to detect and log malicious traffic which originates from internet worms and viruses. In this paper, we investigate the statistical properties of observed traffic from a passive Class C telescope over a total of three months. We observe that only a few IP sources and destination ports are responsible for the majority of the traffic. We also demonstrate various ways to visualise the traffic profile from a telescope. We show that specific profiles can identify and distinguish portscans, hostscans and distributed denial-of-service (DDoS) attacks. Looking at the inter-arrival time of packets, the power spectrum and the detrended fluctuation analysis of the observed traffic, we show that there is very little sign of long-range dependence. This is in stark contrast to other network traffic and presents exciting possibilities for identifying malicious traffic purely from its traffic profile.

Keywords

AESOP
Statistical analysis

Notes

The data has now been released in anonymised form at <http://www.doc.ic.ac.uk/~uh/network-telescope/>.
