Detecting Hidden Causality in Network Connections
Jayanth Kumar Kannan and Jaeyeon Jung and Vern Paxson and Can Emre Koksal
EECS Department, University of California, Berkeley
Technical Report No. UCB/EECS-2005-30
December 19, 2005
http://www2.eecs.berkeley.edu/Pubs/TechRpts/2005/EECS-2005-30.pdf
Upon success, certain network attacks manifest by causing the victim host to change its network-visible connection behavior, such as by starting a new service that the attacker probes to confirm success, "phoning home" to a host controlled by the attacker, or further propagating the attack (e.g., worms or spam relays). One characteristic of such change in network behavior is the presence of unusual causal relationships between connections. Based on this observation, we develop a statistical test that a network monitor can use to identify these causal relationships, and an accompanying set of filtering mechanisms to winnow down the full set of causal relationships to those that are unexpected. We evaluate our mechanism on two large Internet traces, finding that while its detection is incomplete (non-negligible false negatives), it unearths numerous instances of interesting activity. We also find that the rate of false alarms, while not low enough to enable automatic responses to intrusions, is only a few tens per day for a busy site that sees over 2.5 million connections a day.
BibTeX citation:
@techreport{Kannan:EECS-2005-30,
  Author = {Kannan, Jayanth Kumar and Jung, Jaeyeon and Paxson, Vern and Koksal, Can Emre},
  Title = {Detecting Hidden Causality in Network Connections},
  Year = {2005},
  Month = {Dec},
  Url = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2005/EECS-2005-30.html},
  Number = {UCB/EECS-2005-30},
  Abstract = {Upon success, certain network attacks manifest by causing the victim host to change its network-visible connection behavior, such as by starting a new service that the attacker probes to confirm success, ``phoning home'' to a host controlled by the attacker, or further propagating the attack (e.g., worms or spam relays). One characteristic of such change in network behavior is the presence of unusual causal relationships between connections. Based on this observation, we develop a statistical test that a network monitor can use to identify these causal relationships, and an accompanying set of filtering mechanisms to winnow down the full set of causal relationships to those that are unexpected. We evaluate our mechanism on two large Internet traces, finding that while its detection is incomplete (non-negligible false negatives), it unearths numerous instances of interesting activity. We also find that the rate of false alarms, while not low enough to enable automatic responses to intrusions, is only a few tens per day for a busy site that sees over 2.5~million connections a day.},
}
EndNote citation:
%0 Report
%A Kannan, Jayanth Kumar
%A Jung, Jaeyeon
%A Paxson, Vern
%A Koksal, Can Emre
%T Detecting Hidden Causality in Network Connections
%I EECS Department, University of California, Berkeley
%D 2005
%8 December 19
%@ UCB/EECS-2005-30
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2005/EECS-2005-30.html
%F Kannan:EECS-2005-30