Sharing Information for Event Analysis over the Wide Internet  

Nagao, Masahiro (Graduate School of Information Sciences, Tohoku University)
Koide, Kazuhide (KDDI Corporation)
Satoh, Akihiro (Graduate School of Information Sciences, Tohoku University)
Keeni, Glenn Mansfield (Cyber Solutions Inc.)
Shiratori, Norio (Research Institute of Electrical Communication, Tohoku University)
Abstract
Cross-domain event information sharing is a topic of great interest in the area of event based network management. In this work we use data sets that represent actual attacks in the operational Internet. We analyze the data sets to understand the dynamics of the attacks and then go on to show the effectiveness of sharing incident related information to contain these attacks. We describe the universal data acquisition system for event based management (UniDAS), a novel system for secure and automated cross-domain event information sharing. The system uses a generic, structured data format based on the standardized incident object description and exchange format (IODEF). IODEF is an XML-based extensible data format for security incident information exchange. We propose a simple and effective security model for IODEF and apply it to the secure and automated generic event information sharing system UniDAS. We present the system we have developed and evaluate its effectiveness.
Keywords
Backscatter; darknet; event based network management; event information sharing; incident object description and exchange format (IODEF); network management system; worm propagation