Article

Towards trapping wily intruders in the large

Journal

COMPUTER NETWORKS
Volume 34, Issue 4, Pages 659-670

Publisher

ELSEVIER SCIENCE BV
DOI: 10.1016/S1389-1286(00)00135-3

Keywords

intrusion detection; network IDS; distributed IDS; SNMP-based IDS; intruder tracking

Intrusions are in general characterized by some noise or indications. In the network context these signals may be seen in the TCP-RESET packets and the ICMP echo-response or destination/port unreachable packets. Analysis of network traffic has shown that the profiles of such signals due to intrusion attempts are distinctly different from those due to routine operations and/or unintentional mistakes. By monitoring such suspicious signals in a distributed framework, intrusions or attempts thereof can be effectively detected. To track down attackers who may be using spoofed addresses, a new technique based on traffic pattern monitoring is introduced. The traffic patterns can be traced across networks. For this purpose we have developed an SNMP-based messaging system which allows friendly networks to collaborate in tracking down the intruder. Results using prototype implementations on a medium size operational network are presented. © 2000 Elsevier Science B.V. All rights reserved.
