| Networks are increasingly subjected to threats that affect the reliability of critical infrastructure, including Distributed Denial of Service attacks, scanning worms, and botnets. These threats pose significant challenges to measurement infrastructure due to their global scope, extreme scale, and dynamic behavior. As a result, current techniques do not provide sufficiently early or comprehensive intelligence about these attacks. In order to address the problem of providing timely, detailed forensic information on new Internet threats we propose a hybrid system that combines the benefits of network-based and host-based sensors without the corresponding drawbacks. We present insights into the various techniques employed in such a system. We examine the utility of using traffic to unused address space as a means for scalable monitoring for the emergence of new threats and show that while scalable, care must be taken as different sensors see different views of the same global event. We show how the key to achieving scalability is the use of intelligent filtering, allowing the distributed network sensors to selectively send threats to be evaluated to the host sensors based on either the emergence of new threat payloads of the increase in the number of attackers. We highlight the two major issues in monitoring threats with host sensors; how to configure them, and how to analyze the data. We dismiss the idea that monolithic configurations are sufficient configurations and show how anomaly detection can provide an effective means of automating forensics. Finally we show the impact of combining these two types of sensors is profound, providing an unprecedented level of visibility into Internet threats. We demonstrate this utility by providing examples of both individual threat analysis, and insights into threats such as their escalated threat, increasingly global scope, and persistent population. |
