A fundamental problem for network intrusion detection systems is the ability of a skilled attacker to evade detection by exploiting ambiguities in the traffic stream as seen by the monitor. We discuss the viability of addressing this problem by introducing a new network forwarding element called a traffic normalizer. The normalizer sits directly in the path
In this paper we present Netalyzr, a network measurement and debugging service that evaluates the functionality provided by people's Internet connectivity. The design aims to prove both comprehensive in terms of the properties we measure and easy to employ and understand for users with little technical background. We structure Netalyzr as a
This paper describes a system for automated generation of attack signatures for network intrusion detection systems. Our system applies pattern-matching techniques and protocol conformance checks on multiple levels in the protocol hierarchy to network traffic captured at a honeypot system. We present results of running the system on an unprotected cable modem
Spam-based marketing is a curious beast. We all receive the advertisements---"Excellent hardness is easy!"---but few of us have encountered a person who admits to following through on this offer and making a purchase. And yet, the relentlessness by which such spam continually clogs Internet inboxes, despite years of energetic deployment of antispam
Network managers are inevitably called upon to associate network traffic with particular applications. Indeed, this operation is critical for a wide range of management functions ranging from debugging and security to analytics and policy support. Traditionally, managers have relied on application adherence to a well established global port mapping: Web
Recent years have seen extensive diversification of the "underground economy" associated with malware and the subversion of Internet-connected systems. This trend towards specialization has compelling forces driving it: miscreants readily apprehend that tackling the entire value-chain from malware creation to monetization in the presence of ever-evolving
Automatic protocol reverse-engineering is important for many security applications, including the analysis and defense against botnets. Understanding the command-and-control (C&C) protocol used by a botnet is crucial for anticipating its repertoire of nefarious activity and to enable active botnet infiltration. Frequently, security analysts need to
Online sales of counterfeit or unauthorized products drive a robust underground advertising industry that includes email spam, "black hat" search engine optimization, forum abuse and so on. Virtually everyone has encountered enticements to purchase drugs, prescription-free, from an online "Canadian Pharmacy." However, even though such sites are clearly
Netalyzr is a widely used network measurement and diagnosis tool. To date, it has collected 198,000 measurement sessions from 146,000 distinct IP addresses. One of the primary focus areas of Netalyzr is DNS behavior, including DNS resolver properties, common name lookups, NXDOMAIN wildcarding, lookup performance, and on-the-wire manipulations. Additional