4th International IEEE Conference on Broadband Communications, Networks, Systems

Research Article

Strategic Deployment of Network Monitors for Attack Attribution

@INPROCEEDINGS{10.1109/BROADNETS.2007.4550478,
    author={Young June Pyun and Douglas S. Reeves},
    title={Strategic Deployment of Network Monitors for Attack Attribution},
    booktitle={4th International IEEE Conference on Broadband Communications, Networks, Systems},
    publisher={IEEE},
    proceedings_a={BROADNETS},
    year={2010},
    month={5},
    keywords={},
    doi={10.1109/BROADNETS.2007.4550478}
}
    
Young June Pyun, Douglas S. Reeves. Strategic Deployment of Network Monitors for Attack Attribution. BROADNETS, IEEE, 2010. DOI: 10.1109/BROADNETS.2007.4550478
Young June Pyun (1,*), Douglas S. Reeves (1,*)
1: Department of Computer Science, North Carolina State University, Raleigh, NC 27695, USA
*Contact email: yjpyun@ncsu.edu, reeves@ncsu.edu

Abstract

Attacks launched over the Internet have become a pressing problem. Attackers make use of a variety of techniques to anonymize their traffic, in order to escape detection and prosecution. Despite much research on attack attribution, there has been little work on optimizing the number and placement of monitoring points for identifying the source of attacks with minimum ambiguity. This paper proposes such a method. The approach is based on the concept of graph separators. A separator partitions a network, such that the size of the separator is the number of monitors needed, and the size of a partition is the ambiguity in isolating the specific source of an attack. To achieve a desired degree of ambiguity, a good separator for the Internet is sought. Both vertex and edge separator heuristics are presented, which greedily select vertices of highest/lowest degree as monitors. The methods are evaluated for the Internet autonomous system (AS) topology. Experimental results show that the vertex separator heuristic requires just 5% of the ASes to be monitored to identify the source of an attack with little ambiguity. If only those links actually used for routing to a specific destination are considered, use of an edge separator requires 30% of the links to be monitored to achieve similar results. The results can be further improved if it is known that ASes have unequal probabilities of being the source of an attack.
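The vertex-separator idea in the abstract can be made concrete with a short simulation. The following is an added example written for this page, not code from the paper or its authors: it builds a constructed 12-node toy topology (the AS names A, B, H1, H2 and so on are invented, not real AS numbers), greedily removes the highest-degree vertices from partitions that are still too large until every partition is within a chosen ambiguity bound, reports the monitored fraction, and shows the attribution step (a monitor that sees attack traffic arrive from a neighbour narrows the source to that neighbour's partition). The exact candidate rule used here (highest residual degree inside an oversize partition, ties broken by original degree and then name), the single-vertex stopping rule, and the optional prior-probability weighting are this example's own choices, not details taken from the paper.

```python
"""Greedy vertex-separator heuristic for placing attack-attribution monitors.

Added example, not the paper's code. Monitors form a vertex separator; the
ambiguity is the largest partition left once monitored vertices are removed.
"""
from collections import deque
from typing import Dict, Iterable, List, Optional, Set, Tuple

Graph = Dict[str, Set[str]]
Prior = Optional[Dict[str, float]]


def build_graph(edges: Iterable[Tuple[str, str]]) -> Graph:
    """Undirected adjacency sets from an edge list (one edge per AS peering)."""
    g: Graph = {}
    for a, b in edges:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


def partitions(g: Graph, monitors: Set[str]) -> List[Set[str]]:
    """Connected components of g after the monitored vertices are removed."""
    seen: Set[str] = set(monitors)
    comps: List[Set[str]] = []
    for start in g:
        if start in seen:
            continue
        comp: Set[str] = set()
        queue = deque([start])
        seen.add(start)
        while queue:
            v = queue.popleft()
            comp.add(v)
            for w in g[v]:
                if w not in seen:
                    seen.add(w)
                    queue.append(w)
        comps.append(comp)
    return comps


def partition_mass(comp: Set[str], weight: Prior) -> float:
    """Ambiguity of one partition: vertex count, or prior source-probability mass."""
    if weight is None:
        return float(len(comp))
    return sum(weight[v] for v in comp)


def ambiguity(g: Graph, monitors: Set[str], weight: Prior = None) -> float:
    """Worst-case ambiguity: the largest partition the monitors leave behind."""
    return max((partition_mass(c, weight) for c in partitions(g, monitors)), default=0.0)


def greedy_vertex_separator(g: Graph, max_ambiguity: float, weight: Prior = None) -> Set[str]:
    """Add monitors until every partition is within max_ambiguity.

    Each round picks, among vertices of partitions that are still too large, the
    one with the most unmonitored neighbours (example's own rule). A single-vertex
    partition cannot be split, so it is never a candidate even when its mass is
    over the bound; that keeps the loop finite when one vertex alone exceeds it.
    """
    monitors: Set[str] = set()
    while True:
        oversize = [c for c in partitions(g, monitors)
                    if len(c) > 1 and partition_mass(c, weight) > max_ambiguity]
        if not oversize:
            return monitors
        candidates = set().union(*oversize)
        best = max(candidates, key=lambda v: (len(g[v] - monitors), len(g[v]), v))
        monitors.add(best)


def monitored_fraction(g: Graph, monitors: Set[str]) -> float:
    """Share of vertices (ASes) that must host a monitor."""
    return len(monitors) / len(g)


def candidate_sources(g: Graph, monitors: Set[str], monitor: str, previous_hop: str) -> Set[str]:
    """Attribution step: `monitor` saw attack traffic arrive from `previous_hop`.

    If the previous hop is itself a monitor, its own observation is the better
    evidence and it is returned alone; otherwise the source lies somewhere in
    the previous hop's partition, whose size is the attribution ambiguity.
    """
    if previous_hop not in g[monitor]:
        raise ValueError(f"{previous_hop} is not adjacent to monitor {monitor}")
    if previous_hop in monitors:
        return {previous_hop}
    for comp in partitions(g, monitors):
        if previous_hop in comp:
            return comp
    raise AssertionError("unreachable: every unmonitored vertex is in some partition")


# Constructed toy topology (invented AS names): two transit hubs H1/H2, a
# regional provider A, and stub or multi-homed customers.
SAMPLE_EDGES = [
    ("A", "B"), ("A", "C"), ("A", "D"), ("A", "H1"),
    ("H1", "H2"), ("H1", "E"), ("H1", "F"),
    ("H2", "G"), ("H2", "I"), ("H2", "J"), ("H2", "K"),
    ("J", "K"), ("C", "D"), ("E", "F"),
]
SAMPLE_GRAPH = build_graph(SAMPLE_EDGES)

# Constructed prior for the unequal-probability case: B is assumed to carry half
# of the total prior probability of being the attack source.
SAMPLE_PRIOR = {v: 0.5 / 11 for v in SAMPLE_GRAPH}
SAMPLE_PRIOR["B"] = 0.5

if __name__ == "__main__":
    mon = greedy_vertex_separator(SAMPLE_GRAPH, max_ambiguity=2)
    print("monitors:", sorted(mon), f"({monitored_fraction(SAMPLE_GRAPH, mon):.0%} of ASes)")
    print("worst-case ambiguity:", ambiguity(SAMPLE_GRAPH, mon))
    print("attack seen at H2 from J -> source in", candidate_sources(SAMPLE_GRAPH, mon, "H2", "J"))
    wmon = greedy_vertex_separator(SAMPLE_GRAPH, max_ambiguity=0.2, weight=SAMPLE_PRIOR)
    print("with prior, monitors:", sorted(wmon),
          "ambiguity mass:", round(ambiguity(SAMPLE_GRAPH, wmon, SAMPLE_PRIOR), 3))
```

On the toy graph, three monitors (A, H1, H2: 25% of the vertices) bound every partition to two vertices, so an attack that H2 sees arriving from J can only have come from J or K. With the constructed prior, the bound of 0.2 is met by monitoring only H2 and A; the remaining ambiguity of 0.5 sits entirely on the isolated vertex B, which no further monitor can split, which is why the heuristic stops rather than spending monitors on single-vertex partitions. The edge-separator variant for a destination's routing tree, also mentioned in the abstract, is not shown here.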