Tracing Sources of Anonymous Slow Suspicious Activities

  • Harsha K. Kalutarage
  • Siraj A. Shaikh
  • Qin Zhou
  • Anne E. James
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)


Tracing down anonymous slow attackers creates a number of challenges in network security. Simply analysing all traffic is not feasible. By aggregating information from a large volume of events, it is possible to build a clear set of benchmarks of what should be considered normal over an extended period of time, and hence to identify anomalies. This paper provides an anomaly-based method for tracing down the sources of slow suspicious activities in cyberspace. We present the theoretical account of our approach and experimental results.







Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Harsha K. Kalutarage (1)
  • Siraj A. Shaikh (1)
  • Qin Zhou (1)
  • Anne E. James (1)

  1. Digital Security and Forensics (SaFe) Research Group, Department of Computing, Faculty of Engineering and Computing, Coventry University, Coventry, UK
