MISC #3: How Leurré.com Observes the Internet
If you speak French or German, you should take a look at issue 23 or 3 of MISC, the magazine on computer security. There is an interesting article by Jacob Zimmermann about Leurré.com. He focuses on the measurement of "Inter-Arrival Times" (IAT) between packets to find anomalies.
There is also a conference paper by Zimmermann et al. that deals with the same topic. It is entitled "The use of packet inter-arrival times for investigating unsolicited Internet traffic" and was presented at SADFE'05, the 1st International Workshop on Systematic Approaches to Digital Forensic Engineering, in November 2005. Unfortunately, this paper is, as far as I can see, only available via IEEE Xplore.
Abstract:
Monitoring the Internet reveals incessant activity, that has been referred to as background radiation. In this paper, we propose an original approach that makes use of packet inter-arrival times, or IATs, to analyse and identify such abnormal or unexpected network activity. Our study exploits a large set of data collected on a distributed network of honeypots during more than six months. Our main contribution in this paper is to demonstrate the usefulness of IAT analysis for network forensic purposes, and we illustrate this with examples in which we analyse particular IAT peak values. In addition, we pinpoint some network anomalies that we have been able to determine through such analysis.
@inproceedings{EURECOM+1726,
year = {2005},
title = {{T}he use of packet inter-arrival times for investigating
unsolicited {I}nternet traffic},
author = {Zimmermann, Jacob and Clark, Andrew and Mohay, George
and Pouget, Fabien and Dacier, Marc},
booktitle = {{SADFE}'05, 1st {I}nternational {W}orkshop on {S}ystematic
{A}pproaches to {D}igital {F}orensic {E}ngineering,
{N}ovember 7-9, 2005, {T}aipei, {T}aiwan},
month = {Nov}
}


