Network scanners constantly probe the Livermore network looking for vulnerabilities. Analyzing packet arrival timing data reveals highly distinctive patterns that may correlate with the attacker's choice of tools, physical platform and/or network location. Consistent identification will improve network security and aid counterintelligence efforts. We have developed tools to preprocess scan data, using wavelet techniques to achieve over 1,000x compression ratio while still preserving the essential features. Initial experiments indicate our methods consistently identify patterns in the data.

PDF file

Publisher  USENIX
All copyrights reserved by USENIX 2004

Details