EPSRC logo

Details of Grant 

EPSRC Reference: EP/C532635/1
Title: Understanding Internet Attacks
Principal Investigator: Parish, Professor D
Other Investigators:
Researcher Co-Investigators:
Mr P Sandford
Project Partners:
Department: Electronic, Electrical & Systems Enginee
Organisation: Loughborough University
Scheme: Standard Research (Pre-FEC)
Starts: 15 August 2005 Ends: 14 December 2007 Value (£): 56,845
EPSRC Research Topic Classifications:
Networks & Distributed Systems
EPSRC Industrial Sector Classifications:
Aerospace, Defence and Marine Communications
Related Grants:
Panel History:  
Summary on Grant Application Form
There is a pressing need to prevent Internet based crime. This area of criminal activity takes many forms, but is always characterised by its fast changing nature. Cyber criminals and hackers regularly modify attacks and develop new worms. A major requirement in dealing with this type of crime therefore is to have up to date information about these new activities as soon as possible. Network security specialists can then start to prepare or improve protection mechanisms for networks and their host computers. A big problem is how do we find out what the latest attacks look like in network terms? One way of achieving to this is to place special computers in the Internet which can be attacked by the real attackers, but in a controlled manner. These machines would appear to the cyber criminal just like any other computer on the Internet. However, they would be able to capture details of the attacks and record them for further analysis. These special machines would also be limited in the damage which they could do to other parts of the Internet. This approach is taken by the HoneyNet project which is a multi-national initiative to study Internet crime and takes a practical, measurement-based approach to the identification of such activity. The first part of this research activity is to operate and maintain a group of such nodes which have already been set up for this purpose. However, the current systems are rather complex and costly to maintain. This is partly because they generate a significant volume of data all of which by definition is suspect and therefore has to be analysed manually by a computer expert. Much of this data is not very useful for fighting Internet crime. This is because a lot of the traffic which the special computers will capture is generated by known attack tools; it's not from new attacks. The interesting traffic, at least from the perspective of the network security community, would represent new activity, or serious crime attempts. Advanced data processing mechanisms are therefore required to identify the traffic which is potentially interesting and pass only this to the network security analysts for human investigation.The main part of this research proposal therefore is to investigate low cost approaches to Internet abuse monitoring and the data processing which is required to make such systems usable with the minimum amount of human involvement. Data mining techniques, including Case Based Reasoning, Neural Network and signature analysis approaches will be investigated in this part of the work. These processes allow sets of data to be investigated automatically in order to discover trends and characteristics which may identify one section of the data as being different from the rest. As a simple example, consider the presence of spelling mistakes or long gaps in time between messages. Such characteristics could be indicative of a human attacker rather than an automated attack tool. The spelling mistakes may suggest that the attacker is not very experienced. Such information could then help to identify the most promising captured traffic for detailed analysis by a human investigator. Valuable information about new and serious Internet abuse will be generated by the work and this will be made available to the network security community via the international HoneyNet dissemination mechanisms. This information will also be passed to CESG (Communications Electronic Security Group - a Government Agency associated with GCHQ ) who will use it to improve security advice and countermeasures for communication networks.
Key Findings
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Potential use in non-academic contexts
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Description This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Date Materialised
Sectors submitted by the Researcher
This information can now be found on Gateway to Research (GtR) http://gtr.rcuk.ac.uk
Project URL:  
Further Information:  
Organisation Website: http://www.lboro.ac.uk