TY - GEN
T1 - Identifying and tracking suspicious activities through IP gray space analysis
AU - Jin, Yu
AU - Zhang, Zhi Li
AU - Xu, Kuai
AU - Cao, Feng
AU - Sahu, Sambit
N1 - Copyright:
Copyright 2008 Elsevier B.V., All rights reserved.
PY - 2007
Y1 - 2007
N2 - Campus or enterprise networks often have many unassigned IP addresses that collectively form IP gray space within the address blocks of such networks. Using one-month traffic data collected in a large campus network, we have monitored a significant amount of unwanted traffic towards IP gray space in various forms, such as worms, port scanning, and denial of service attacks. In this paper, we apply a heuristic algorithm to extract the IP gray space in our campus network. Subsequently, we analyze the behavioral patterns such as dominant activities and target randomness, of the gray space traffic for individual outside hosts. By correlating and contrasting the traffic towards IP gray addresses and live end hosts, we find the gray space traffic provides unique insight for uncovering the behavior, and intention,of anomalous traffic towards live end hosts. Finally, we demonstrate the applications of gray space traffic for identifying SPAM behavior, detecting malicious scanning and worm activities that successfully compromise end hosts.
AB - Campus or enterprise networks often have many unassigned IP addresses that collectively form IP gray space within the address blocks of such networks. Using one-month traffic data collected in a large campus network, we have monitored a significant amount of unwanted traffic towards IP gray space in various forms, such as worms, port scanning, and denial of service attacks. In this paper, we apply a heuristic algorithm to extract the IP gray space in our campus network. Subsequently, we analyze the behavioral patterns such as dominant activities and target randomness, of the gray space traffic for individual outside hosts. By correlating and contrasting the traffic towards IP gray addresses and live end hosts, we find the gray space traffic provides unique insight for uncovering the behavior, and intention,of anomalous traffic towards live end hosts. Finally, we demonstrate the applications of gray space traffic for identifying SPAM behavior, detecting malicious scanning and worm activities that successfully compromise end hosts.
KW - Anomaly detection
KW - Entropy
KW - IP gray space
KW - Network trafc analysis
KW - Profling
UR - http://www.scopus.com/inward/record.url?scp=34548268555&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=34548268555&partnerID=8YFLogxK
U2 - 10.1145/1269880.1269883
DO - 10.1145/1269880.1269883
M3 - Conference contribution
AN - SCOPUS:34548268555
SN - 1595937927
SN - 9781595937926
T3 - MineNet'07: Proceedings of the Third Annual ACM Workshop on Mining Network Data
SP - 7
EP - 12
BT - MineNet'07
T2 - MineNet'07: 3rd Annual ACM Workshop on Mining Network Data
Y2 - 12 June 2007 through 12 June 2007
ER -