Abstract
This research analyzed trends in Internet security through an investigation of 4,299 security-related incidents on the Internet reported to the CERT Coordination Center (CERT/CC) from 1989 to 1995. Prior to this research, our knowledge of security problems on the Internet was limited and primarily anecdotal. This information could not be effectively used to determine what government policies and programs should be, or to determine the effectiveness of current policies and programs. This research accomplished the following: 1) development of a taxonomy for the classification of Internet attacks and incidents, 2) organization, classification, and analysis of incident records available at the CERT/CC, and 3) development of recommendations to improve Internet security, and to gather and distribute information about Internet security.
With the exception of denial-of-service attacks, security incidents were generally found to be decreasing relative to the size of the Internet. The probability of any severe incident not being reported to the CERT/CC was estimated to be between 0% and 4%. The probability that an incident would be reported if it was above average in terms of duration and number of sites was around 1 out of 2.6. Estimates based on this research indicated that a typical Internet domain was involved in no more than around one incident per year, and a typical Internet host in around one incident every 45 years.
The taxonomy of computer and network attacks developed for this research was used to present a summary of the relative frequency of various methods of operation and corrective actions. This was followed by an analysis of three subgroups: 1) a case study of one site that reported all incidents, 2) 22 incidents that were identified by various measures as being the most severe in the records, and 3) denial-of-service incidents. Data from all incidents and these three subgroups were used to estimate the total Internet incident activity during the period of the research. This was followed by a critical evaluation of the utility of the taxonomy developed for this research. The analysis concludes with recommendations for Internet users, Internet suppliers, response teams, and the U.S. government.
Contents
1. Introduction
2. Internet Characteristics
3. CERT/CC History and Policies
4. CERT/CC Records
5. A Formal Definition of Computer Security
6. A Taxonomy of Computer and Network Attacks
7. Classification of Internet Incidents and Internet Activity
8. Methods of Operation and Corrective Actions
9. Case Study - Site A
10. Severe Incidents
11. Denial-of-Service Incidents
12. Estimates of the Total Internet Incident Activity
13. The Utility of the Taxonomy of Computer and Network Attacks
14. Policy Implications and Recommendations
15. Future Research
16. Conclusions and Recommendations