Title :
A Study on Noise-Tolerant PN Code-Based Localization Attacks to Internet Threat Monitors by Exploiting Multiple Ports
Author :
Narita, Masaki ; Bista, Bhed Bahadur ; Takata, Toyoo
Author_Institution :
Grad. Sch. of Software & Inf. Sci., Iwate Prefectural Univ., Iwate, Japan
Abstract :
Internet threat monitoring systems are studied and developed to comprehend malicious activities on the Internet. On the other hand, it is known that attackers devise a technique that locates the deployment of the sensors that constitute the monitoring system. This technique is called a localization attack on Internet threat monitors. If attackers can detect sensors, they can evade them when they initiate malicious activities. The latest method can detect sensors with low probing traffic volume compared with the previous one because it adopts a PN (Pseudo Noise) code-based scheme inspired by spread spectrum technology. However, when other monitoring packets interfere as strong noise, the detection accuracy of the method decreases. For this reason, we need to make elaborate preparations under the assumption that attackers improve the PN code-based method to boost resistance to strong noise by exploiting multiple ports, rather than a single port, for detecting a sensor. Therefore, we devised the noise-tolerant PN code-based localization attack from the standpoint of attackers for security research. Performance evaluation was conducted based on the real Internet monitoring dataset. In this paper, we show the detection accuracy and the stealthiness of our devised method compared with the existing one.
Keywords :
Internet; computer network performance evaluation; computer network security; sensor placement; telecommunication traffic; Internet monitoring dataset; Internet threat monitoring systems; PN code-based scheme; detection accuracy; malicious activities; monitoring packets; noise-tolerant PN code-based localization attack; noise-tolerant PN code-based localization attacks; performance evaluation; pseudonoise code-based scheme; security research; sensor deployment; spread spectrum technology; traffic volume; Accuracy; Correlation; Internet; Monitoring; Noise; Ports (Computers); Sensors; Internet threat monitoring; detection accuracy; localization attacks; noise tolerance; pseudo noise code;
Conference_Titel :
Advanced Information Networking and Applications (AINA), 2013 IEEE 27th International Conference on
Conference_Location :
Barcelona
Print_ISBN :
978-1-4673-5550-6
Electronic_ISBN :
1550-445X
DOI :
10.1109/AINA.2013.30