Project Summary

The field of system security research has long been dominated by individual qualitative results - either demonstrations of individual system vulnerabilities or expositions on the protection provided by individual security measures (e.g., firewalls, virus detectors, IDS systems, etc). These contributions, though clearly valuable, are difficult to evaluate without a complementary quantitative context describing the prevalence and impact of various attacks, vulnerabilities, and responses. The need for empirical data of this type is critical, both for guiding future security research and to provide a well-reasoned basis for developing operational best practices. At the same time, there are tremendous challenges in collecting and analyzing network information at sufficient scale that these findings are globally meaningful.

In previous work, we have demonstrated techniques for attacking these problems in the context of Internetconnected systems - particularly focusing on large-scale attacks such as denial-of-service and self-propagating network worms. Using a new technique, called 'backscatter analysis', combined with the large address space 'network telescope' we have developed at UCSD, we have been able to monitor the global prevalence of denial-of-service (DoS) activity on the Internet. Our approach allows us to quantitatively measure each individual attack, its duration, its intensity, and identify the victim and the services targeted. Our initial study demonstrated that DoS attacks occur with great frequency and target a wide-variety of sites and network infrastructure, thereby ending an ongoing debate in the security community about how widespread this phenomenon really was.

In related work, we have used a similar approach to monitor the spread of Internet worms such as CodeRed and Nimda. Using this data, we identified the growth pattern of these attacks, characterized the victims to identify common traits that made them vulnerable, and analyzed the effectiveness of security personnel in repairing their systems across the Internet. Finally, we have also developed a preliminary analysis of the technical requirements for effective worm countermeasures. By combining spreading models, population data extracted from real Internet worm epidemics, and measured models of Internet topology, we have shown that any reactive worm defense will require extremely widespread deployment and very short reaction times (a few minutes or less).

Using these ideas as a basis, we propose to develop a combination of network analysis techniques and network measurement infrastructure to analyze large-scale Internet security threats. In particular, we plan to investigate the following questions: how do the nature of these threats change over time, how effective are attackers at compromising services, and how well do existing security countermeasures provide a meaningful defense against these threats in practice? Using the large 'network telescope' we have developed at UCSD in combination with smaller monitoring platforms on other networks, we expect to be able to measure the vast majority of large-scale Internet attacks and capture global DoS, worm, and port scan activity on an ongoing basis. Based on this longitudinal data, we will develop analytic techniques for measuring long-term trends in the make-up and staging of these attacks. We plan to extend our backscatter algorithms and measurement infrastructure to track Internet attacks in real-time and actively probe victimized hosts to understand the impact of these attacks, the distribution of various vulnerabilities, and the efficacy of employed security measures. Finally, we will modify our monitors to redirect a subset of packets to simulated hosts (a so-called 'honeynet') to automatically identify and characterize new worms as they emerge.

The potential impact of this proposal is the creation of an empirical dataset that describes large-scale attacks across the global Internet. There is no equivalent dataset available today for researchers or practitioners to engineer their systems or to model the relative importance of different threats. Moreover, the real-time nature of this dataset could be widely valuable for operationally detecting, tracking, and characterizing large-scale threats as they occur. Given ongoing requests from government, industry, and academia that we receive for our preliminary data, we believe that there is keen, widespread interest for the large-scale data that we propose to create.