IMC '05, 2005 Internet Measurement Conference Abstract
Pp. 365378 of the Proceedings
Collaborating Against Common Enemies
Sachin Katti, MIT; Balachander Krishnamurthy, AT&T LabsResearch; Dina Katabi, MIT
This paper presents the first wide-scale study of correlated attacks, i.e.,
attacks mounted by the same source IP against different networks. Using a
large dataset from 1700 intrusion detection systems (IDSs), we show that
correlated attacks are prevalent in the current Internet; 20% of all
offending sources mount correlated attacks and they account for more than
40% of all the IDS alerts in our logs.
We also reveal important characteristics of these attacks.
Correlated attacks appear at different networks within a few minutes of each
other, indicating the difficulty of warding off these attacks by occasional
offline exchange of lists of malicious IP addresses. Furthermore, correlated
attacks are highly targeted. The 1700 IDSs can be divided into small groups
with 4-6 members that do not change with time; IDSs in the same group experience
a large number of correlated attacks, while IDSs in different groups see almost
no correlated attacks. Our results have important implications on collaborative
intrusion detection of common attackers. They show that collaborating IDSs need
to exchange alert information in realtime. Further, exchanging alerts among the
few fixed IDSs in the same correlation group achieves almost the same benefits
as collaborating with all IDSs, while dramatically reducing the overhead.
- View the full text of this paper in HTML and PDF.
The Proceedings are published as a collective work, © 2005 by the USENIX Association. All Rights Reserved. Rights to individual papers remain with the author or the author's employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. USENIX acknowledges all trademarks within this paper.
- If you need the latest Adobe Acrobat Reader, you can download it from Adobe's site.