
Exposing Internet address use to enhance network security

Posted on: 2008-07-21
Degree: Ph.D
Type: Thesis
University: University of Michigan
Candidate: Cooke, Evan Mansfield
Full Text: PDF
GTID: 2448390005979389
Subject: Computer Science
Abstract/Summary:
This thesis seeks to use knowledge of Internet addressing to improve Internet security. Its goal is to identify and exploit differences between the way that normal and malicious users, applications, and devices use Internet addresses in order to improve and extend the visibility and effectiveness of Internet detection and monitoring systems. The central premise of this thesis is that the more addresses of vulnerable Internet systems known to an attacker, the easier it is for that attacker to spread malicious activity. Indeed, the use of large numbers of Internet addresses is characteristic of many of the most critical security problems facing the Internet today, including spam, phishing, Internet worms, and botnets. Current techniques for detecting and stopping malicious Internet behavior, such as intrusion detection systems and spam filters, focus on inspecting the contents of Internet communications, and not on the fact that addresses must be discovered, resolved, and embedded into communications before any malicious activity can succeed.

This thesis focuses on address discovery, the first step in the process, and it investigates how collecting information on the source and destination of an address discovery attempt can be used to enhance the visibility and effectiveness of network security systems. Two methods of tracking address enumeration by malicious agents in IP and TCP/UDP port space are explored. The first approach is to study models of infectious Internet processes to analyze whether these models can be applied to predict the addresses an attacker will discover and target. The second approach is to monitor address discovery attempts by instrumenting the network to collect and identify address enumeration initiated by attackers. A technique called pervasive darknet monitoring is proposed to identify address discovery attempts destined for unused and unreachable Internet addresses and detect malicious Internet behavior.

Thesis statement. By predicting or monitoring how Internet users, applications, and devices discover Internet addresses, it is possible to identify malicious behavior and enhance the visibility and effectiveness of network security systems.
Keywords/Search Tags: Internet, Address, Security, Enhance, Identify, Malicious, Thesis