Journal article
Self-similar characteristics of network intrusion attempts and the implications for predictability
A Wahid, C Leckie, C Zhou
Concurrency and Computation: Practice and Experience | WILEY | Published: 2011
DOI: 10.1002/cpe.1617
Abstract
One way of proactively detecting multistage attacks such as Distributed Denial of Service (DDoS), worms and coordinated spamming is to profile hosts that engage in scanning activity and predict their future actions, which is a difficult challenge. We attempt to better understand this challenge by hypothesising that network intrusion attempts exhibit self-similar characteristics. We analyse logs from the DShield repository of globally distributed IDS alerts corresponding to the first 2 weeks of January 2005 and present three pieces of evidence in favour of this hypothesis. First, we observed that the persistence of hosts that attempt network intrusions obeys a power-law relationship such that ..