While the number and variety of hazards to computer security have increased at an alarming rate, the proliferation of tools to combat this threat has not grown proportionally. Similarly, most tools currently rely on human
intervention to recognize and diagnose new threats. We propose a general framework for identifying hazardous computer transactions by analyzing key metrics in network transactions. While a thorough determination of the particular traits to track would be a product of the research, we hypothesize that some or all of the following variables would yield high correlations with certain undesirable network transactions: Source Address Destination Address/Port Packet Size (overall, header, payload) Packet Rate (overall, Source, Destination, Source/Destination) Transaction Frequency (per Address) By examining statistical correlations between these variables we hope to be able to distinguish - and normalize for changes over time - a healthy network from one that is being attacked or performing an attack. Central to this research is that the class information we are analyzing is available without intervention on the participants of the network transactions, and, in reality, can be performed without their knowledge. This characteristic has the potential to allow Internet service providers or corporations the ability to identify threats without large-scale deployment of some kind of intrusion detection mechanism on each system. Furthermore combining the ability to identify existence and source of a network threat with common network hardware automatic configuration abilities allows for
rapid reaction to attacks by shutting down connectivity to the originators of the exploit. This paper will detail the design of a set of tools - dubbed Culebra - capable of remotely diagnosing troubled networks. We will then simulate an
attack on a network to gauge the effectiveness Culebra. Ultimately, the type of data gathered by these tools can be used to develop a database of attack patterns, which, in turn, could be used to proactively prevent assaults on networks from remote locations. UMIACS-TR-2002-74