Sharing Information for Event Analysis over the Wide Internet

  • Received : 2008.10.20
  • Accepted : 2010.01.20
  • Published : 2010.08.31

Abstract

Cross-domain event information sharing is a topic of great interest in the area of event-based network management. In this work we use data sets that represent actual attacks in the operational Internet. We analyze the data sets to understand the dynamics of the attacks and then go on to show the effectiveness of sharing incident-related information to contain these attacks. We describe the universal data acquisition system for event-based management (UniDAS), a novel system for secure and automated cross-domain event information sharing. The system uses a generic, structured data format based on the standardized incident object description and exchange format (IODEF), an XML-based extensible data format for security incident information exchange. We propose a simple and effective security model for IODEF and apply it to UniDAS, the secure and automated generic event information sharing system. We present the system we have developed and evaluate its effectiveness.
