Upon success, certain network attacks manifest by causing the victim host to change its network-visible connection behavior, such as by starting a new service that the attacker probes to confirm success, "phoning home" to a host controlled by the attacker, or further propagating the attack (e.g., worms or spam relays). One characteristic of such a change in network behavior is the presence of unusual causal relationships between connections. Based on this observation, we develop a statistical test that a network monitor can use to identify these causal relationships, and an accompanying set of filtering mechanisms to winnow down the full set of causal relationships to those that are unexpected. We evaluate our mechanism on two large Internet traces, finding that while its detection is incomplete (non-negligible false negatives), it unearths numerous instances of interesting activity. We also find that the rate of false alarms, while not low enough to enable automatic responses to intrusions, is only a few tens per day for a busy site that sees over 2.5 million connections a day.
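As an added illustration (not the paper's own statistical test), the following simplified check pairs each inbound connection to a monitored host with the outbound connections that host makes shortly afterwards, and keeps only pairs whose destination the host had never contacted before; the site prefix, time window and flow records are all constructed assumptions.

```python
from collections import defaultdict

SITE_PREFIX = "10.0."   # assumed monitored address range (constructed)
WINDOW = 30.0           # seconds an inbound connection stays "suspect" (assumed)

# Constructed flow records: (time in seconds, src, dst, dst port)
FLOWS = [
    (0.0,   "10.0.0.5",     "198.51.100.7", 80),    # baseline outbound web traffic
    (5.0,   "10.0.0.5",     "198.51.100.7", 80),
    (10.0,  "203.0.113.9",  "10.0.0.5",     445),   # inbound connection to a site host
    (12.0,  "10.0.0.5",     "203.0.113.9",  8080),  # back to the same external host: phone-home pattern
    (13.0,  "10.0.0.5",     "10.0.0.6",     445),   # to a never-before-contacted host: propagation pattern
    (15.0,  "10.0.0.5",     "198.51.100.7", 80),    # known destination: filtered out as expected
    (50.0,  "10.0.0.8",     "198.51.100.7", 80),    # baseline for a second host
    (100.0, "203.0.113.20", "10.0.0.8",     22),    # inbound followed only by routine traffic
    (120.0, "10.0.0.8",     "198.51.100.7", 80),
]

def is_site(ip):
    return ip.startswith(SITE_PREFIX)

def find_causal_pairs(flows, window=WINDOW):
    """Return inbound->outbound pairs on the same site host within `window`
    seconds whose outbound destination that host had not contacted before.
    This is a simplified proxy for an 'unexpected' causal relationship."""
    known = defaultdict(set)     # site host -> destinations seen earlier
    pending = defaultdict(list)  # site host -> (time, source) of recent inbound connections
    alerts = []
    for t, src, dst, dport in sorted(flows):
        if is_site(src):  # outbound from a monitored host
            recent = [(ti, s) for ti, s in pending[src] if t - ti <= window]
            pending[src] = recent
            if recent and dst not in known[src]:
                in_t, in_src = recent[-1]
                kind = "phone-home" if dst == in_src else "new-destination"
                alerts.append({"host": src, "inbound_from": in_src, "outbound_to": dst,
                               "port": dport, "delay": t - in_t, "kind": kind})
            known[src].add(dst)
        if is_site(dst):  # inbound to a monitored host
            pending[dst].append((t, src))
    return alerts

if __name__ == "__main__":
    for alert in find_causal_pairs(FLOWS):
        print(alert)
```

On the sample flows the check reports two pairs for 10.0.0.5 and nothing for 10.0.0.8, whose only follow-on traffic went to an already-known destination.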