Estimating the number of hosts corresponding to an intrusion alert while preserving privacy
Abstract
An inherent feature of IP addresses is the aliasing that arises due to dynamic address allocation. This creates a significant barrier to the estimation of the malicious host population from a set of intrusion alerts. In this paper, we propose a method for estimating the number of malicious hosts that may have bound to an alerted address, based on the correlation of different data sets that were collected independently and a probabilistic model of host-to-address bindings. We analysed a two-week trace of real-world intrusion alerts along with a global survey of ping responses, and inferred that over 80% of malicious addresses were bound to multiple hosts. Such aliasing effects highlight the inaccuracy of assuming static bindings between hosts and addresses when exact host identification is not possible due to privacy protection. However, our method demonstrates that reliable inferences can still be made when a sufficient overlap exists between the correlated data sets.
