Internet Credit Report



Overview

Today's Internet presumes every host "innocent" until it is detected to be "malicious", and the network community as a whole keeps no cumulative memory of a specific host's "good" or "bad" behavior over time. This makes many Internet-wide attacks, such as flash crowds and polymorphic worms, possible and very hard to defend against. In these attacks the traffic looks entirely legitimate, and neither routers nor servers have any way to differentiate and prioritize transactions in favor of legitimate users.

To address this problem, we propose to build an Internet-wide reputation system called Internet Credit Report (ICR). Just as credit-reporting agencies do for people, the ICR system monitors Internet-wide activities and assigns each host (identified by IP address) a reputation score based on its behavioral history. The reputation score represents a long-term evaluation of the host's behavior and can be used as knowledge for predicting the host's future reliability. The key insight behind ICR is that a given host tends to be either well-administered or poorly-administered over a considerable period of time, and that hosts that have behaved maliciously in the past warrant lower trust, since they are likely to be compromised again in the future. As evidence for this assumption, researchers studying host scanning patterns have found that a few scanners are responsible for a large fraction of Internet scans and that these scanners persist over a considerably long time [1].

We build host-based profiles of Internet communications and detect behaviors that are anomalous compared with the profiled history. The information for reputation building is collected in two ways: distributed peer evaluation and centralized host-behavior monitoring. In peer evaluation, hosts, especially service providers, submit reports on the hosts they have just communicated with. Each host may share its assessment of the other party during the preceding communication, and these reports are integrated into the corresponding host's credit report. The second way of collecting information is through centralized traffic monitors. These monitors should be located on the Internet backbone, where they can observe communications between many sources and destinations. We build profiles for all the observed host behaviors; behaviors are validated against the profiles, and anomalies are reported for suspicious hosts.
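As an added example (not the ICR project's own code), the sketch below implements the two evidence channels described above as a small per-IP ledger: peer-evaluation reports submitted by hosts and anomaly reports from backbone monitors are folded into one reputation score with long-term memory, and a prioritize() call shows how a server could use the score to admit well-reputed hosts first under load. The exponential decay half-life, the relative weights of peer versus monitor evidence, and all addresses and reports in the demo are constructed assumptions.

```python
"""Toy Internet Credit Report (ICR) ledger.

Added example, not the ICR project's own code.  It implements the two
evidence channels the project describes (peer-evaluation reports and
anomaly reports from centralized traffic monitors) and folds them into a
per-IP reputation score that keeps long-term memory.  Weights, the decay
half-life and every sample address/report below are constructed assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class HostRecord:
    """Accumulated evidence for one IP address."""
    ip: str
    good: float = 0.0          # decayed weight of favourable evidence
    bad: float = 0.0           # decayed weight of unfavourable evidence
    last_update: float = 0.0   # day of the most recent evidence
    seen: set = field(default_factory=set)  # (day, source, kind) already counted


class CreditReport:
    def __init__(self, half_life_days=180.0, peer_weight=1.0, monitor_weight=3.0):
        # Evidence halves in weight every half_life_days; a long half-life is
        # what gives the ledger the cumulative memory the project argues for.
        self.half_life = half_life_days
        # Backbone monitors observe traffic directly, so their reports outweigh
        # a single peer's opinion (assumption; it also blunts ballot stuffing).
        self.peer_weight = peer_weight
        self.monitor_weight = monitor_weight
        self.records: dict[str, HostRecord] = {}

    @staticmethod
    def _canonical(ip: str) -> str:
        return str(ip_address(ip))  # raises ValueError on malformed input

    def _decay_factor(self, rec: HostRecord, day: float) -> float:
        # Out-of-order (older) evidence is clamped to "no further decay".
        elapsed = max(0.0, day - rec.last_update)
        return 0.5 ** (elapsed / self.half_life)

    def _add_evidence(self, subject, source, kind, favourable, weight, day):
        rec = self.records.setdefault(subject, HostRecord(subject))
        key = (day, source, kind)
        if key in rec.seen:          # same source, same day: count it once
            return False
        rec.seen.add(key)
        f = self._decay_factor(rec, day)
        rec.good *= f
        rec.bad *= f
        rec.last_update = max(rec.last_update, day)
        if favourable:
            rec.good += weight
        else:
            rec.bad += weight
        return True

    def peer_report(self, reporter, subject, favourable, day):
        """A host reports on a peer it has just communicated with."""
        reporter, subject = self._canonical(reporter), self._canonical(subject)
        if reporter == subject:
            raise ValueError("a host may not rate itself")
        return self._add_evidence(subject, reporter, "peer", favourable,
                                  self.peer_weight, day)

    def monitor_report(self, monitor_id, subject, anomalous, day):
        """A backbone monitor reports whether the subject's traffic fit its profile."""
        subject = self._canonical(subject)
        return self._add_evidence(subject, monitor_id, "monitor", not anomalous,
                                  self.monitor_weight, day)

    def score(self, ip, day):
        """Reputation in (0, 1); 0.5 is neutral (no history, or balanced evidence)."""
        rec = self.records.get(self._canonical(ip))
        if rec is None:
            return 0.5
        f = self._decay_factor(rec, day)
        good, bad = rec.good * f, rec.bad * f
        # Laplace smoothing: a single report never pins a host to exactly 0 or 1.
        return (good + 1.0) / (good + bad + 2.0)

    def prioritize(self, ips, day):
        """Order hosts best-reputation first, e.g. for admission under load."""
        return sorted(ips, key=lambda ip: self.score(ip, day), reverse=True)


def demo():
    """Constructed scenario: a misbehaving host, a well-behaved host, a stranger."""
    icr = CreditReport()
    scanner, server, stranger = "203.0.113.7", "198.51.100.4", "192.0.2.9"
    icr.monitor_report("mon-east", scanner, anomalous=True, day=0)
    icr.peer_report(server, scanner, favourable=False, day=1)
    icr.peer_report("192.0.2.50", server, favourable=True, day=2)
    icr.monitor_report("mon-east", server, anomalous=False, day=2)
    return icr


if __name__ == "__main__":
    icr = demo()
    for ip in ("203.0.113.7", "198.51.100.4", "192.0.2.9"):
        print(ip, round(icr.score(ip, day=30), 3))
    print(icr.prioritize(["203.0.113.7", "198.51.100.4", "192.0.2.9"], day=30))
```

The smoothing keeps a single report from condemning or absolving a host outright, and the half-life makes the memory long but not permanent: a host that was flagged two years ago still scores below neutral, but closer to it than it did a month after the incident.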

Currently we are working on profiling and modeling the traffic on Internet backbones. We apply data-mining clustering techniques to the host profiles and have achieved promising results in characterizing host behaviors on both the sending and receiving sides. We are pursuing a novel method for integrating host profiles from different sources and for interpreting the patterns found by clustering the host profiles. We are also working to build Internet traffic models that can be used for realistic simulations and live-traffic experiments.

[1] V. Yegneswaran, P. Barford and S. Jha, "Global Intrusion Detection in the DOMINO Overlay System," Proceedings of the Network and Distributed System Security Symposium (NDSS), 2004.


Contact

Please send questions or comments to Songjie Wei


[Network Security Lab]  [Computer & Information Sciences Dept]  [University of Delaware]