Monitoring and analysis of internet traffic targeting unused address spaces

Today’s evolving networks are experiencing a large number of different attacks ranging from system break-ins, infection from automatic attack tools such as worms, viruses, trojan horses and denial of service (DoS). One important aspect of such attacks is that they are often indiscriminate and target Internet addresses without regard to whether they are bona fide allocated or not. Due to the absence of any advertised host services the traffic observed on unused IP addresses is by definition unsolicited and likely to be either opportunistic or malicious. The analysis of large repositories of such traffic can be used to extract useful information about both ongoing and new attack patterns and unearth unusual attack behaviors. However, such an analysis is difficult due to the size and nature of the collected traffic on unused address spaces. In this dissertation, we present a network traffic analysis technique which uses traffic collected from unused address spaces and relies on the statistical properties of the collected traffic, in order to accurately and quickly detect new and ongoing network anomalies. Detection of network anomalies is based on the concept that an anomalous activity usually transforms the network parameters in such a way that their statistical properties no longer remain constant, resulting in abrupt changes. In this dissertation, we use sequential analysis techniques to identify changes in the behavior of network traffic targeting unused address spaces to unveil both ongoing and new attack patterns. Specifically, we have developed a dynamic sliding window based non-parametric cumulative sum change detection techniques for identification of changes in network traffic. Furthermore we have introduced dynamic thresholds to detect changes in network traffic behavior and also detect when a particular change has ended. Experimental results are presented that demonstrate the operational effectiveness and efficiency of the proposed approach, using both synthetically generated datasets and real network traces collected from a dedicated block of unused IP addresses.

Using honeypots to analyse anomalous Internet activities

Monitoring Internet traffic is critical in order to acquire a good understanding of threats to computer and network security and in designing efficient computer security systems. Researchers and network administrators have applied several approaches to monitoring traffic for malicious content. These techniques include monitoring network components, aggregating IDS alerts, and monitoring unused IP address spaces. Another method for monitoring and analyzing malicious traffic, which has been widely tried and accepted, is the use of honeypots. Honeypots are very valuable security resources for gathering artefacts associated with a variety of Internet attack activities. As honeypots run no production services, any contact with them is considered potentially malicious or suspicious by definition. This unique characteristic of the honeypot reduces the amount of collected traffic and makes it a more valuable source of information than other existing techniques. Currently, there is insufficient research in the honeypot data analysis field. To date, most of the work on honeypots has been devoted to the design of new honeypots or optimizing the current ones. Approaches for analyzing data collected from honeypots, especially low-interaction honeypots, are presently immature, while analysis techniques are manual and focus mainly on identifying existing attacks. This research addresses the need for developing more advanced techniques for analyzing Internet traffic data collected from low-interaction honeypots. We believe that characterizing honeypot traffic will improve the security of networks and, if the honeypot data is handled in time, give early signs of new vulnerabilities or breakouts of new automated malicious codes, such as worms. The outcomes of this research include: • Identification of repeated use of attack tools and attack processes through grouping activities that exhibit similar packet inter-arrival time distributions using the cliquing algorithm; • Application of principal component analysis to detect the structure of attackers’ activities present in low-interaction honeypots and to visualize attackers’ behaviors; • Detection of new attacks in low-interaction honeypot traffic through the use of the principal component’s residual space and the square prediction error statistic; • Real-time detection of new attacks using recursive principal component analysis; • A proof of concept implementation for honeypot traffic analysis and real time monitoring.

Use of IP addresses for high rate flooding attack detection

High-rate flooding attacks (aka Distributed Denial of Service or DDoS attacks) continue to constitute a pernicious threat within the Internet domain. In this work we demonstrate how using packet source IP addresses coupled with a change-point analysis of the rate of arrival of new IP addresses may be sufficient to detect the onset of a high-rate flooding attack. Importantly, minimizing the number of features to be examined, directly addresses the issue of scalability of the detection process to higher network speeds. Using a proof of concept implementation we have shown how pre-onset IP addresses can be efficiently represented using a bit vector and used to modify a “white list” filter in a firewall as part of the mitigation strategy.

The question concerning (internet) time

Spatial representations, metaphors and imaginaries (cyberspace, web pages) have been the mainstay of internet research for a long time. Instead of repeating these themes, this paper seeks to answer the question of how we might understand the concept of time in relation to internet research. After a brief excursus on the general history of the concept, this paper proposes three different approaches to the conceptualisation of internet time. The common thread underlying all the approaches is the notion of time as an assemblage of elements such as technical artefacts, social relations and metaphors. By drawing out time in this way, the paper addresses the challenge of thinking of internet time as coexistence, a clash of fluxes, metaphors, lived experiences and assemblages. In other words, this paper proposes a way to articulate internet time as a multiplicity.

The question concerning (Internet) time

Spatial representations, metaphors and imaginaries (cyberspace, web pages) have been the mainstay of internet research for a long time. Instead of repeating these themes, this paper seeks to answer the question of how we might understand the concept of time in relation to internet research. After a brief excursus on the general history of the concept, this paper proposes three different approaches to the conceptualisation of internet time. The common thread underlying all the approaches is the notion of time as an assemblage of elements such as technical artefacts, social relations and metaphors. By drawing out time in this way, the paper addresses the challenge of thinking of internet time as coexistence, a clash of fluxes, metaphors, lived experiences and assemblages. In other words, this paper proposes a way to articulate internet time as a multiplicity.

Guilt in victims of internet scams

This is a presentation made (by invitation from the Queensland Police, Fraud Squad) to a group of Queenslanders all of whom had fallen victim to internet scams. The paper addresses the subject of guilt and why we may 'suffer' from it after a traumatic experience where the individual and/or the family have gone through a major financial or emotional loss.

Consumer Internet purchasing behaviour in Chile

Despite the potential for e-commerce growth in Latin America, studies investigating factors that influence consumers’ Internet purchasing behavior are very limited. This research addresses this limitation with a consumer centric study in Chile using the Theory of Reasoned Action. The study examines Chilean consumers’ beliefs, perceptions of risk, and subjective norms about continued purchasing on the Internet. Findings show that consumers’ attitude towards purchasing on the Internet is an influential factor on intentions to continue Internet purchasing. Additionally, compatibility and result demonstrability are influential factors on attitudes towards this behavior. The study contributes to the important area of technology post adoption behavior.

Access to the Internet Submission to ALRC IP 46

This submission is directed to issues arising in respect of the need to recognise and support access to the internet for all Australian residents and citizens. As such it addresses the following questions only: Questions 2-1: What general principles or criteria should be applied to help determine whether a law that interferes with freedom of speech is justified? Question 2-2: Which Commonwealth laws unjustifiably interfere with freedom of speech, and why are these laws unjustified?

Public internet access revisited

In recent years the Australian government has dedicated considerable project funds to establish public Internet access points in rural and regional communities. Drawing on data from a major Australian study of the social and economic impact of new technologies on rural areas, this paper explores some of the difficulties rural communities have faced in setting up public access points and sustaining them beyond their project funding. Of particular concern is the way that economic sustainability has been positioned as a measure of the success of such ventures. Government funding has been allocated on the basis of these rural public access points becoming economically self-sustaining. This is problematic on a number of counts. It is therefore argued that these public access points should be reconceptualised as essential community infrastructure like schools and libraries, rather than potential economic enterprises. Author Keywords: Author Keywords: Internet; Public access; Sustainability; Digital divide; Rural Australia