IEEE Spectrum December, 2007 - 37
If we observe enough of them, we can come up with historical
averages for inbound and outbound data packets, noting such
key features as which Internet addresses the network receives
packets from and which ones it sends packets to. We can also
note how many packets are sent in accord with which Internet
protocols at various times of the day and the overall traffic
volume. At any given time, the probability distributions of the
flow of traffic through the network will be characterized by
distinct curves [see graphs, "Fingering the Culprit"]. In fact,
the shape of the curve shows the entropy of the system. If the
curve is flat, with every value about equally likely, then entropy
is high. If there's a spike, one value dominates the distribution
(an outcome that is itself improbable under the historical
baseline), and the entropy is correspondingly low.
Internet traffic is dynamic and constantly evolving.
Nevertheless, over the course of, say, a year, some consistent
patterns emerge. These patterns are driven mainly by the
mixture of applications generating the traffic, such as Web
surfing, e-mail, music downloading, or Internet telephony,
though seasonal and geographical factors also affect them.
The first step in using these patterns to spot anomalous activity
is to develop a probability distribution for each of the
characteristics. When these distributions are taken together,
they uniquely profile the traffic and create a "fingerprint"
of the network under consideration and what we might call its
internal state: the sum total of these network characteristics.
If we have monitored and measured a system long enough, we know
which internal states are associated with well-behaved Internet
traffic. Malicious activity introduced into the network alters
the nature of the traffic, because it has a designed, premeditated
outcome that differs from any of the network's normal states.
Even if an attack took the form of an activity that fits within
network norms (say, downloading a number of music files), the
fingerprint of the network would look unusual, because it would
differ in some way from the network's established patterns of
usage: if not in volume, then in time of day, source, or some
combination of those or other characteristics.
Paradoxically, Internet traffic has features of both randomness
and structure, and a worm, for example, will alter both, making the
traffic appear in some respects more uniform or structured than
normal Internet traffic, while appearing more random in others.
Packets flowing into a server seem to come from random
locations. For example, requests for Web pages typically come
from surfers all over the Internet. More will come from some
people and networks than from others, to be sure, but a graph
of them will normally be a fairly uniform curve. If a worm
is loose on the Internet, however, and the packet flows from
infected hosts grow to be a significant part of the total set of
traffic flows, then the addresses of those hosts will show up
disproportionately in any distribution graph of how many flows
have come from each source.
During a worm infestation, hosts that have been maliciously
co-opted connect to many other hosts in a short period. Open
connections from the infected hosts come to dominate the
source-address distribution, and its entropy decreases.
Conversely, the target IP addresses seen in packet flows will be
much more random than in normal traffic. That is, the distribution
of destination IP addresses will be more dispersed, resulting in
higher entropy for that characteristic.
Most malicious attacks tend to seek out and exploit certain
vulnerabilities in the implementation of an Internet protocol.
Two of the most important of these protocols are the Hypertext
Transfer Protocol (HTTP), which delivers Web pages, and the Simple
Mail Transfer Protocol (SMTP), for sending e-mail. Besides the
protocol, specific transport-layer (TCP or UDP) port numbers are
used to send and receive traffic. We can think of the protocol as
a means of transit, such as an ocean freighter or a yacht, while
the port (as the name suggests) terminates the data's journey at
the computer's equivalent of a berth number at a marina.
Fingerprinting is also possible at the port level. An attacker
can scan for a specific vulnerability by sending packets and
watching whether they are accepted and what response they get;
these scans usually have to target a specific destination port.
If the traffic that results from this scanning becomes a
significant component of the overall network traffic, it will
create an unusual fingerprint. Lastly, the flow size (the number
of packets in the flow) of the malicious worm activity will
become more dominant and will alter the distribution of flow
sizes observed during normal network operation.
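The entropy shifts described above, worked through on constructed flow records as an added example (this is not code from the article, and none of the addresses, ports, flow counts or thresholds come from the authors' data): a baseline window of well-behaved traffic is fingerprinted by the Shannon entropy of its source-address, destination-address, destination-port and flow-size distributions, then a second window in which four compromised clients probe one port on random addresses is compared against it. The 198.51.100.0/24 clients, 203.0.113.0/24 servers, 10.0.0.0/8 scan targets, the probed port 445 and the 0.5-bit, two-feature alert rule are all assumptions for the illustration.

```python
"""Entropy fingerprint of flow records: a clean window versus one with worm scanning mixed in.

Added illustration, not code from the article. Address ranges, ports, flow counts and the
alert thresholds are constructed for the example and are not the authors' data.
"""
import math
import random
from collections import Counter

FEATURES = ("src", "dst", "dport", "pkts")  # the distributions that make up the fingerprint


def shannon_entropy(counts):
    """Shannon entropy in bits of an empirical distribution given as {value: count}."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)


def fingerprint(flows):
    """One entropy per feature: the 'internal state' of a traffic window."""
    return {f: shannon_entropy(Counter(flow[f] for flow in flows)) for f in FEATURES}


def benign_flows(rng, n):
    """Constructed well-behaved traffic: 200 clients (20 of them heavy talkers) reaching a
    handful of servers on a few service ports, with widely varying flow sizes."""
    clients = [f"198.51.100.{i}" for i in range(1, 201)]
    client_w = [5 if i < 20 else 1 for i in range(200)]
    servers = [f"203.0.113.{i}" for i in range(1, 9)]
    server_w = [10, 6, 4, 3, 2, 1, 1, 1]
    ports, port_w = (80, 443, 25), (6, 3, 1)
    return [{"src": rng.choices(clients, client_w)[0],
             "dst": rng.choices(servers, server_w)[0],
             "dport": rng.choices(ports, port_w)[0],
             "pkts": rng.randint(3, 130)} for _ in range(n)]


def scan_flows(rng, infected, per_host, port=445):
    """Constructed worm traffic: each infected host probes one port (445 is an assumed value)
    on random addresses, and every probe is a one- or two-packet flow."""
    return [{"src": host,
             "dst": f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}",
             "dport": port,
             "pkts": rng.choice((1, 2))}
            for host in infected for _ in range(per_host)]


def compare(baseline, window, threshold_bits=0.5):
    """Entropy shift of each feature in `window` relative to `baseline`, plus the volume ratio.
    A feature is flagged when its entropy moves more than threshold_bits in either direction;
    an alert needs two flagged features, so a single shifted distribution is not enough."""
    base_fp, win_fp = fingerprint(baseline), fingerprint(window)
    shifts = {f: win_fp[f] - base_fp[f] for f in FEATURES}
    flagged = [f for f in FEATURES if abs(shifts[f]) > threshold_bits]
    return {"shifts": shifts, "flagged": flagged,
            "volume_ratio": len(window) / len(baseline), "alert": len(flagged) >= 2}


def demo(seed=7):
    """Fingerprint a baseline, then score a second clean window and a window in which four
    compromised clients each send 500 scan flows (total volume about 1.7x, not 30x)."""
    rng = random.Random(seed)
    baseline = benign_flows(rng, 3000)
    quiet = benign_flows(rng, 3000)
    infected = [f"198.51.100.{i}" for i in range(1, 5)]
    noisy = benign_flows(rng, 3000) + scan_flows(rng, infected, 500)
    return compare(baseline, quiet), compare(baseline, noisy)


if __name__ == "__main__":
    for label, result in zip(("clean window", "worm window"), demo()):
        print(f"{label}: volume x{result['volume_ratio']:.2f}, alert={result['alert']}")
        for feature, shift in result["shifts"].items():
            mark = "*" if feature in result["flagged"] else " "
            print(f"  {mark} {feature:5s} entropy shift {shift:+.2f} bits")
```

Run as a script, it prints the per-feature shifts for a clean window (nothing flagged) and for the mixed window, where source-address and flow-size entropy fall by more than a bit and destination-address entropy rises by several bits while the total volume is only about 1.7 times the baseline, far short of the 30-fold increase the text says a volume-based system waited for. Destination-port entropy moves by only about half a bit at this mixture: the new port value adds spread that offsets the concentration, so the port fingerprint collapses only once scan traffic dominates the window.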
The Sasser worm, one of the largest and best-studied infestations
in Internet history, is an ideal example of this port-specific
approach. It began by scanning the computers on whatever network
it had infiltrated. Whenever a connection was made, the worm sent
a piece of code whose goal was to make the newly compromised
computer accept commands on TCP port 9996. Through that command
channel, Sasser wrote a small script named cmd.ftp on the victim
and executed it. The "ftp" in the script's name stands for the
File Transfer Protocol. The script instructed the victim machine
to download and execute the worm from the infecting host without
human intervention; the infecting host served this FTP traffic on
still another port (TCP port 5554). To spread itself even faster,
Sasser spawned multiple threads, finding and capturing as many
vulnerable computers within an organization's network as possible.
Each of Sasser's activities created a distinct network
fingerprint. Information entropy captures the dynamics of such
fingerprints by exposing any sudden change in the shape of the
distributions that make them up. Once the worm's traffic is a
significant share of the total, there is little the attacker can
do to control the information entropy of the fingerprint and
thereby conceal the attack.
The Sasser worm significantly affected the information
entropy of a large North American wireless service provider
network [see graph, "Sasser's Entropy," based on an analysis
done after the attack]. Notice that traffic is much heavier during
the day, as reflected by the information entropy: high during the
day, low at night. When the Sasser worm invaded this wireless
carrier's network, the behavior-based security systems in place
were unable to detect the outbreak until the network was saddled
with more than 30 times its normal traffic volume. Behavior-based
systems cannot detect the initial attack, because the traffic
generated by one infected machine is negligible. Within minutes,
however, that one machine has infected 10 others, and