Monitor placement for network attack attribution using information theory metrics
Liverpool, Rimike Y. (2004) Monitor placement for network attack attribution using information theory metrics. Masters thesis, Iowa State University.
Numerous mechanisms exist that allow an attacker to conceal the origin of his network traffic, and a knowledgeable attacker can take advantage of them to hide where his attacks originate. Network Attack Attribution Systems (NAAS) are monitoring systems placed in a network to identify the origin of such attacks. Past work on network attribution systems has focused on active methods that mark traffic as well as on passive correlation systems. Although several ad-hoc architectures for passive attribution have been described, little has been said about the placement and organization of passive attribution monitors. This thesis introduces the problem of finding optimal deployments of passive NAASs in a network when the number of NAASs available for deployment is constrained. We define the optimal deployment problem in terms of information theory metrics and consider two cases: average entropy and "worst-case" entropy. These metrics describe the uncertainty that remains about the origin of an attack when a NAAS works correctly. We then evaluate two greedy algorithms, based on graph centrality heuristics, for finding high-quality deployments. Finally, we compare our algorithms to known partition algorithms as well as to manual deployments to show the effectiveness of using our metrics. We use real network topology measurements to evaluate our results.
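The following is an added illustration of the deployment problem described in the abstract; it is not code from the thesis. It makes modelling assumptions the abstract does not state: the network is an undirected graph with one fixed attack target, traffic from each candidate origin follows a single BFS shortest path, a passive monitor reports only whether the attack path crossed its node, and every non-target node is an equally likely origin. The topology, node names and the `coverage_ranking` baseline are constructed for the example. Under those assumptions, origins whose paths cross the same set of monitors are indistinguishable, so the residual entropy for one observation is log2 of that group's size; the average metric weights groups by how likely they are, and the worst-case metric takes the largest group.

```python
# Added worked example (not code from the thesis): entropy-based placement of
# passive attribution monitors on a small constructed topology.
# Modelling assumptions made here, not stated by the abstract:
#  - undirected graph, one fixed target, single BFS shortest path per origin
#  - a passive monitor at node v reports only whether the attack path crossed v
#  - every non-target node is an equally likely origin (uniform prior)
from collections import deque
from itertools import combinations
import math

TOPOLOGY = {  # constructed sample topology; list order fixes BFS tie-breaks
    "a": ["b", "c"], "b": ["a", "d"], "c": ["a", "d", "e"],
    "d": ["b", "c", "f"], "e": ["c", "f"], "f": ["d", "e", "t"], "t": ["f"],
}
TARGET = "t"


def shortest_path(graph, src, dst):
    """Nodes on the BFS shortest path from src to dst (both inclusive)."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def observation_groups(graph, target, monitors):
    """Partition candidate origins by the set of monitors their path crosses.
    Origins in the same group produce identical monitor reports."""
    groups = {}
    for origin in graph:
        if origin == target:
            continue
        path = shortest_path(graph, origin, target)
        seen = frozenset(m for m in monitors if m in path)
        groups.setdefault(seen, []).append(origin)
    return list(groups.values())


def residual_entropy(graph, target, monitors):
    """(average, worst-case) entropy in bits left about the origin after the
    monitors report; a uniform posterior inside a group gives log2(size)."""
    groups = observation_groups(graph, target, monitors)
    n = sum(len(g) for g in groups)
    avg = sum(len(g) / n * math.log2(len(g)) for g in groups)
    worst = max(math.log2(len(g)) for g in groups)
    return avg, worst


def greedy_placement(graph, target, k, worst_case=False):
    """Greedily add the monitor that most reduces the chosen metric."""
    idx = 1 if worst_case else 0
    chosen = []
    candidates = sorted(v for v in graph if v != target)
    for _ in range(k):
        best = min((v for v in candidates if v not in chosen),
                   key=lambda v: residual_entropy(graph, target, chosen + [v])[idx])
        chosen.append(best)
    return tuple(sorted(chosen))


def optimal_placement(graph, target, k, worst_case=False):
    """Exhaustive search over all k-subsets; feasible only for tiny graphs."""
    idx = 1 if worst_case else 0
    candidates = sorted(v for v in graph if v != target)
    return min(combinations(candidates, k),
               key=lambda s: residual_entropy(graph, target, s)[idx])


def coverage_ranking(graph, target, k):
    """Naive baseline (constructed for this example): the k nodes crossed by
    the most origin paths, chosen without regard to the entropy metric."""
    counts = {v: 0 for v in graph if v != target}
    for origin in counts:
        for v in shortest_path(graph, origin, target):
            if v != target:
                counts[v] += 1
    return tuple(sorted(sorted(counts, key=lambda v: -counts[v])[:k]))


if __name__ == "__main__":
    for k in (1, 2, 3):
        for name, fn in (("greedy", greedy_placement),
                         ("optimal", optimal_placement),
                         ("coverage", coverage_ranking)):
            placement = fn(TOPOLOGY, TARGET, k)
            print(k, name, placement, residual_entropy(TOPOLOGY, TARGET, placement))
```

On this topology every origin's path funnels through `f`, so the coverage baseline spends a monitor on `f` and learns nothing from it, while the metric-driven greedy choice matches the exhaustive optimum for two and three monitors. The exhaustive search is only there to check the greedy result; on real topologies the number of k-subsets rules it out, which is why the thesis relies on heuristics.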