• DocumentCode
    246158
  • Title

    Evaluating a Dynamic Internet Threat Monitoring Method for Preventing PN Code-Based Localization Attack

  • Author

    Narita, Masaki ; Ogura, Kanayo ; Bista, Bhed Bahadur ; Takata, Toyoo

  • fYear
    2014
  • fDate
    10-12 Sept. 2014
  • Firstpage
    271
  • Lastpage
    278
  • Abstract
    Internet threat monitoring systems are developed to grasp malicious activities on the Internet. These systems consist of a data center and sensors deployed on the Internet. Sensors capture malicious packets and report them to the data center. The data center investigates the latest attack trends by analyzing those packets, and the results are open to the public. To publish precise monitored results, sensors are deployed in secret and hidden from the outside. Attackers, on the other hand, try to detect sensors in order to evade them. This is known as a localization attack on Internet threat monitoring systems. Recent localization attacks that adopt PN code are sophisticated, and an effective countermeasure has not yet been developed. Therefore, we propose a dynamic Internet threat monitoring method. As a countermeasure against the PN code-based localization attack, this method switches the sensors whose monitored results are reflected in the results published by the data center. We evaluated our method in terms of its tolerance to the attack by applying raw captured packets provided by nicter. Meanwhile, the existing systems always publish monitored results reported by all sensors. Therefore, the information that our method provides would decrease compared to that of the existing systems. However, we show that the decrease in information is sufficiently small.
  • Keywords
    Internet; computer centres; computer network security; computerised monitoring; sensors; PN code-based localization attack prevention; data center; dynamic Internet threat monitoring method; malicious activities; malicious packets; sensors; Correlation; Internet; Monitoring; Ports (Computers); Schedules; Sensor systems; Internet threat monitoring system; darknet; localization attack;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Network-Based Information Systems (NBiS), 2014 17th International Conference on
  • Conference_Location
    Salerno
  • Print_ISBN
    978-1-4799-4226-8
  • Type

    conf

  • DOI
    10.1109/NBiS.2014.57
  • Filename
    7023964