The Center for Education and Research in Information Assurance and Security (CERIAS)

An Analysis of Security Incidents on the Internet 1989-1995

Author

John D. Howard

Entry type

phdthesis

Abstract

This research analyzed trends in Internet security through an investigation of 4,299 security-related incidents on the Internet reported to the CERT Coordination Center (CERT/CC) from 1989 to 1995. Prior to this research, our knowledge of security problems on the Internet was limited and primarily anecdotal. This information could not be effectively used to determine what government policies and programs should be, or to determine the effectiveness of current policies and programs. This research accomplished the following: 1) development of a taxonomy for the classification of Internet attacks and incidents, 2) organization, classification, and analysis of incident records available at the CERT/CC, and 3) development of recommendations to improve Internet security, and to gather and distribute information about Internet security. With the exception of denial-of-service attacks, security incidents were generally found to be decreasing relative to the size of the Internet. The probability of any severe incident not being reported to the CERT/CC was estimated to be between 0% and 4%. The probability that an incident would be reported if it was above average in terms of duration and number of sites was around 1 out of 2.6. Estimates based on this research indicated that a typical Internet domain was involved in no more than around one incident per year, and a typical Internet host in around one incident every 45 years. The taxonomy of computer and network attacks developed for this research was used to present a summary of the relative frequency of various methods of operation and corrective actions. This was followed by an analysis of three subgroups: 1) a case study of one site that reported all incidents, 2) 22 incidents that were identified by various measures as being the most severe in the records, and 3) denial-of-service incidents.
Data from all incidents and these three subgroups were used to estimate the total Internet incident activity during the period of the research. This was followed by a critical evaluation of the utility of the taxonomy developed for this research. The analysis concludes with recommendations for Internet users, Internet suppliers, response teams, and the U.S. government.

Date

1997 – April – 7

Address

Pittsburgh, PA 15213

Institution

Carnegie-Mellon University

Publication Date

1900-01-01

Contents

1. Introduction
2. Internet Characteristics
3. CERT/CC History and Policies
4. CERT/CC Records
5. A Formal Definition of Computer Security
6. A Taxonomy of Computer and Network Attacks
7. Classification of Internet Incidents and Internet Activity
8. Methods of Operation and Corrective Actions
9. Case Study - Site A
10. Severe Incidents
11. Denial-of-Service Incidents
12. Estimates of the Total Internet Incident Activity
13. The Utility of the Taxonomy of Computer and Network Attacks
14. Policy Implications and Recommendations
15. Future Research
16. Conclusions and Recommendations

Location

A hard-copy of this is in REC 216
