
Chapter 7

Classification of Internet Incidents and Internet Activity

As stated in Chapter 1, an attack is a single unauthorized access attempt, or unauthorized use attempt, regardless of success. A taxonomy of such attacks was presented in the previous chapter. An incident, on the other hand, involves a group of attacks that can be distinguished from other incidents because of the distinctiveness of the attackers, and the degree of similarity of sites, techniques, and timing. Because of these differences, a taxonomy of attacks is inadequate to classify actual Internet incidents, although it can be used to classify the attacks that are within an incident.

What we are really interested in, however, is even broader in scope: total Internet incident activity. A taxonomy of attacks is also inadequate to classify this total Internet activity. In some sense, the classification of an attack indicates something about the type or quality of an incident. What is also needed is some measure of quantity or severity that distinguishes incidents from one another, and when accumulated, gives an indication of overall Internet security.

This chapter discusses several alternative methods of classifying incidents both by using the taxonomy of attacks to give some indication of the type or quality of the incident, and with quantitative measures that indicate the severity of an incident, and of total Internet activity. At the most basic level, Internet activity is indicated by the number of incidents reported. Reporting date, however, is an inaccurate representation of total activity because of the lack of information about quality, time, duration, number of sites, and severity. One improvement is to classify each incident according to the type of unauthorized access or unauthorized use characteristic of the incident. Normalizing the number of incidents to the size of the Internet also gives some indication of whether security is becoming relatively more or less of a problem. Sites per day is an alternative measure that includes duration and number of sites for an improved indication of Internet activity.

7.1. Number of CERT®/CC Incidents

The number of incidents per year in the reconstructed CERT®/CC incident records is shown in Figure 7.1. The 8 incidents shown in 1988 all took place in December. Figure 7.1 therefore shows a total of 4,567 incidents over a 7 year period. These incidents range from false alarms to large incidents involving break-ins at the root level.

The low number of incidents reported to the CERT®/CC in 1989 perhaps indicates that the CERT®/CC took some period of time to become established and well known. After this time, the number of incidents increased each year at a rate between 41% (1991 to 1992) and 62% (1993 to 1994). The exception to this took place between 1994 and 1995 when the number of incidents actually decreased slightly.

Figure 7.1. CERT®/CC Incidents per Year

The change in the number of incidents over this period is seen more clearly in Figure 7.2, which shows the number of incidents by month. This figure shows a relatively steady increase through 1989 and 1990, a leveling off during 1991, and sharp increases at the beginning of 1992 and at the end of 1993. The monthly incident rate peaks in the early part of 1994 at around 140 incidents per month. This drops off to an average of around 100 per month by the middle of 1995. Beginning in 1992, Figure 7.2 also appears to show some indication of seasonal variation, with apparent peaks in the winters and lower rates in the summers.

Figure 7.2. CERT®/CC Incidents by Month, 1989 - 1995

Although they use common approaches to reporting the numbers of incidents, neither Figure 7.1 nor Figure 7.2 is a good indication of the activity at the CERT®/CC, or of security incidents on the Internet. There are several problems. First, the incidents were plotted according to the date they were reported to the CERT®/CC. But the reporting date to the CERT®/CC was often not the same date as the start of the actual incident. Sometimes an incident began on the same day it was discovered and reported. For other incidents, however, the actual beginning was well before it was discovered or reported. This could range from a few days to many months. This means that Figures 7.1 and 7.2 are an inaccurate representation of the incidents in time.

The other problems are more serious in that Figures 7.1 and 7.2 are based on the assumption that all the incidents are comparable - that they are all similar. This was in fact not the case. There were wide variations in duration, in the number of sites involved, and in the severity or success of the attack. With respect to duration, the incidents in the CERT®/CC records varied considerably. Many lasted only a day or two, while others lasted weeks or months. In fact, the longest incident in the CERT®/CC records lasted nearly two years. Although more than 60% of incidents involved only two sites (the attacking site and the attacked site), there was considerable variation in the number of sites involved in the other incidents, with the largest incident actually involving more than 1,500 sites. Finally, and perhaps most importantly, the severity of the incidents ranged widely, from false alarms, through unsuccessful attempts, to successful attacks at the account level, or successful attacks at a level with system privileges (the root level). This means that Figures 7.1 and 7.2 are an inaccurate representation of the incidents in duration, number of sites, and severity.

7.2. Classification of Incidents

Chapter 6, Figure 6.9, presents the taxonomy developed as part of this research. This taxonomy was used as a guideline to classify each incident (discussed in this section), and to extract data from each incident (discussed in Chapter 8). The information in the CERT®/CC records was limited and, therefore, only a limited classification could be done. However, in 1992, CERT®/CC personnel began to classify the incidents according to "Method of Operation" (MO). This aided significantly in the classification process. This MO field was a list of terms entered into all summary files which could be related to the taxonomy in two ways. First, it was generally used to describe the level to which unauthorized access was obtained at the site (along with the methods used to gain such access), or to describe the unauthorized use of the site (also along with methods used). As part of this research, incidents previous to 1992 were also classified using the same CERT®/CC MO terms. The remainder of this section divides the total Internet activity reported to the CERT®/CC into categories within the access block of the taxonomy (see Figure 6.9).

7.2.1. False Alarms - The broadest classification of CERT®/CC incidents was into "actual" incidents, and "false alarms." Of the 4,567 incidents reconstructed from the CERT®/CC records, 268 (5.9%) were determined to be false alarms. Typically in these false alarm incidents, a site reported some activity or anomaly that later proved not to be a security incident. Examples are a series of login attempts initially thought to be unauthorized, or anomalous system operation that later proved to be a local software bug or configuration error. Figures 7.1 and 7.2 included these false alarms, but they are plotted separately in Figure 7.3, which shows how small the number of false alarms was. They were, however, numerous enough (5%) to make the reduction in the number of actual incidents between 1994 and 1995 more pronounced, because the number of false alarms increased during this time, both in absolute numbers and as a percentage of total incidents.

Figure 7.3. CERT®/CC Incidents and False Alarms per Year

Figure 7.4 shows the false alarms for each year as a percentage of total incidents. Unless otherwise noted, no false alarms are in any statistics or discussions in the remainder of this paper.

Figure 7.4. False Alarms as a Percentage of CERT®/CC Incidents

7.2.2. Unauthorized Access Incidents

As stated in Chapter 6, the center of the connection between attackers and their objectives is the attacker's requirement for unauthorized access or unauthorized use. This is shown in Figure 6.6, which is expanded in Figure 7.5 to show the two types of successful unauthorized access: root-level, and account-level. Most of the 4,299 CERT®/CC incidents were classified by CERT®/CC personnel as either being an unauthorized access incident, or as being an unauthorized use incident (discussed in the next section). Incidents that were not classified by CERT®/CC personnel were classified by reference to the text in the files for each incident.

[Figure 7.5 diagram: vulnerabilities (Implementation Vulnerability, Design Vulnerability, Configuration Vulnerability) lead to Access (Files, Processes, Data in Transit), which leads either to Unauthorized Access (Root break-in, Account break-in) or to Unauthorized Use]

Figure 7.5. Access for Attack

The unauthorized access incidents were classified into their degree of success in obtaining access. The category describing the highest level of access is root break-in, which indicated that unauthorized privileged access was successfully obtained through at least one attack during the incident (i.e., root-level access was obtained on at least one host involved). The next level of classification is account break-in, which indicated that unauthorized access to an account without privileged access was obtained through at least one attack during the incident (i.e., account-level access was obtained on at least one host involved). The final level of classification is access attempt, which indicated that access was attempted on at least one host, but no attempts were successful. This last category is not depicted in Figure 7.5 because it does not represent a successful path through the process.

These classifications have a wide variation in that a break-in or attempt could involve anywhere from one host to thousands of hosts, and from one site to hundreds of sites. But the classifications do give some indication of severity. An incident involving a root break-in was generally more severe than one that did not, and an incident that involved successful break-ins would certainly be considered more severe than one that involved only attempts.

Most of the CERT®/CC incidents (89.3%) were classified in these access categories. Of these, 1,189 (27.7% of total incidents, 31.0% of access incidents) were classified as root break-ins, 1,034 (24.1% of total, 26.9% of access incidents) were classified as account break-ins, and 1,618 (37.6% of total, 42.1% of access incidents) were unsuccessful access attempts.

Figure 7.6. CERT®/CC Access Incidents by Month Averaged Over Quarters

Figure 7.6 shows the average number of incidents per quarter for each of the three access categories. The number of root break-ins per month reported to the CERT®/CC showed a steady increase until it peaked in the first quarter of 1994. In 1994 and 1995, the average number of root break-ins per month reported to the CERT®/CC was around 30. The rate at which lower-level account break-ins were reported was roughly the same as for root break-ins. Account break-ins, however, did not reach a peak until the first quarter of 1995. The average during 1994 and 1995 was around 20 account break-ins per month reported to the CERT®/CC. Although there are some similarities for attempts, there are interesting differences. Between the second quarter of 1990 and the third quarter of 1991 there is a significant peak, and the peak at the beginning of 1994 is significantly larger. Perhaps these indicate periods of increased "amateur" activity (but this is only speculation).

Figure 7.7. CERT®/CC Access Incidents per 100,000 Domains by Month Averaged Over Quarters

A comparison to the size of the Internet presents a different picture as shown in Figures 7.7 and Figure 7.8. For Figure 7.7, the growth in Internet domains (discussed in Chapter 2) was used to determine the average incidents per month per 100,000 Internet domains (averaged over quarters). If the rate of attacks matched the growth of Internet domains, we would expect to see a steady average. Instead, peaks occurred in 1990-1991, and 1993-1994, and there was a steady decline after the beginning of 1994.

Figure 7.8. CERT®/CC Access Incidents per 10,000,000 Hosts by Month Averaged Over Quarters

A simple linear least squares fit to these data can determine whether, relative to the size of the Internet, the frequency of incidents in these categories is increasing or decreasing. Regressions of the three curves in Figure 7.8 reveal that, relative to the growth in Internet domains, each of these access categories is increasing. All of the slopes were found to be statistically greater than zero (α = 1%). Root-level break-ins were found to be increasing at a rate around 36% greater than the increase in Internet domains (R² = 90.1%). Account-level break-ins were increasing at a rate around 28% greater (R² = 75.8%), and access attempts at a rate around 29% greater (R² = 63.6%).

The pattern shown in Figure 7.7 may, however, have been influenced by the reduction in the number of Internet Hosts per Internet domain after 1993 (shown in Figure 2.7). For Figure 7.8, the growth in Internet hosts (see Chapter 2) was used to determine the average incidents per month per 10,000,000 Internet hosts. Again, if the rate of attacks matched the growth of Internet hosts, we would expect to see a steady average. Instead, we see a steady, although gradual, decrease in break-ins and access attempts from 1990 through 1995, with a large peak in attempts in 1990.

Simple linear regressions of the three curves in Figure 7.8 reveal that, relative to the growth in Internet hosts, each of these access categories was decreasing. All of the slopes were found to be less than zero (α = 1%). Root-level break-ins were found to be decreasing at a rate around 19% less than the increase in Internet hosts (R² = 16.1%). Account-level break-ins were decreasing at a rate around 11% less (R² = 14.3%), and access attempts at a rate around 17% less (R² = 24.2%).

Figure 7.9. CERT®/CC Successful Access Incidents by Month Averaged Over Quarters

Figure 7.8, therefore, indicates that, relative to the number of hosts on the Internet, access incidents reported to the CERT®/CC gradually decreased over the period of this research. The relative increases compared to the number of domains shown in Figure 7.8 were probably the result of the decrease in the average number of hosts in each domain (see Chapter 2).

The successful root-level and account-level break-ins are combined in Figure 7.9, which shows steady increases in successful access attacks through the beginning of 1994. In 4 of the 7 years, there appears to be a seasonal pattern, with apparent peaks during the winter months. The actual correlation between the month and the number of incidents, however, was only 7%.

Figure 7.10. CERT®/CC Successful Access Incidents per 10,000,000 Hosts by Month Averaged Over Quarters

The pattern looks significantly different when normalized to the number of Internet hosts as shown in Figure 7.10. This shows that the number of incidents with successful attacks declined from 1990 through 1995. A simple linear least squares fit revealed the growth in successful access incidents to be around 14% less than the growth rate of Internet hosts (α = 1%, R² = 22.0%).

7.2.3. Unauthorized Use Incidents - As stated above, the majority of the 4,299 CERT®/CC incidents were classified by CERT®/CC personnel as being unauthorized access incidents. As shown in Figure 7.5, and discussed in Chapter 6, attackers may also be able to obtain their objectives through the unauthorized use of systems which they have access to. Of the 4,299 actual incidents reported to the CERT®/CC, 458 (10.7%) were classified as unauthorized use incidents.

In order to gain further insight, the unauthorized use incidents were further classified into three other categories under the results block of the taxonomy (see Figure 6.9). The first of these categories is denial-of-service attacks. There were 104 denial-of-service incidents reported to the CERT®/CC, which represented 22.7% of unauthorized use incidents, and 2.4% of all incidents. Chapter 11 discusses these denial-of-service incidents in more detail.

The second classification of unauthorized use incidents is corruption of information. There were 135 unauthorized use incidents reported to the CERT®/CC having results in this category, which represented 29.5% of unauthorized use incidents, and 3.1% of all incidents. Most of these incidents (127) involved mail spoofing, where the "from" address was falsified in an e-mail message, or more often in a series of messages. An additional 8 incidents involved disguising the source of other types of Internet packets.

These 135 corruption of information incidents could all be categorized as IP spoofing attacks. IP spoofing is a broad classification of techniques that are used to falsify the Internet Protocol (IP) address of Internet packets. IP spoofing can be used in two categories of attacks. First, IP spoofing can be used simply to disguise the source of an otherwise authorized use of Internet resources. When this was the case, these incidents were classified as unauthorized use incidents (corruption of information). On the other hand, IP spoofing is also a method which can be used to gain unauthorized access. When this was the case, these incidents were classified as unauthorized access incidents, which were discussed in the previous sections.

One additional source of confusion might be between mail spam and mail spoofing. Mail spam is the most common form of denial-of-service attack, as discussed in Chapter 11. One way this is accomplished is by sending repeated messages to a mail server with the intent of exceeding the capacity of the system. Attackers will often also use mail spoofing to falsify the "from" address when sending mail spam. Such incidents were classified as denial-of-service attacks. Mail spoofing incidents that did not involve denial-of-service attacks were classified as corruption of information incidents.

The final category of unauthorized use incidents is 219 disclosure of information incidents that were reported to the CERT®/CC. These represented 47.8% of unauthorized use incidents, and 5.1% of all incidents. Nearly 80% (171) of these incidents involved the use of anonymous file transfer protocol (FTP) sites to deposit and transfer pirated software. CERT®/CC personnel did not consider software piracy a security incident. They recorded the incidents that were sent to them, but they did not pursue these incidents in the same way that other security incidents were handled. Beginning in 1993, they generally handled these incidents by recording the incident, sending the reporting site a standard e-mail letter giving suggestions, and then closing the incident in the CERT®/CC records.

The corruption of information incidents were categorized by CERT®/CC personnel as follows:

171 software piracy, FTP abuse
 17 mail abuse
 12 chain letter
  6 FSP abuse
  5 IRC abuse
  4 FTP abuse (no software piracy)
  2 account abuse/sharing
  1 credit card fraud
  1 mail fraud
-----
219 Total abuse incidents

Figure 7.11. CERT®/CC Total Unauthorized Use Incidents by Month Averaged Over Quarters

The distribution of the unauthorized use incidents over time is somewhat different from the distribution of unauthorized access incidents. This can be seen in Figure 7.11, which shows the total unauthorized use incidents reported to the CERT®/CC. The unauthorized use incidents increased steadily until they peaked at the beginning of 1995.

Figure 7.12. CERT®/CC Disclosure of Information Incidents by Month Averaged Over Quarters

This peak at the beginning of 1995 in Figure 7.11 is primarily the result of a significant peak in disclosure of information incidents at that time, as shown in Figure 7.12. When normalized to the size of the Internet, however, the data in Figures 7.11 and 7.12 do not show this peak. Figure 7.13 shows the unauthorized use incidents per 10,000,000 hosts. Their frequency appears relatively constant. A simple linear least squares fit showed, however, that the slope of these data was positive (for α = 5%, but not for α = 1%). The growth in total unauthorized use incidents was around 9% per year greater than the growth in Internet hosts (R² = 11.5%).

Figure 7.13. CERT®/CC Total Unauthorized Use Incidents per 10,000,000 Hosts by Month Averaged Over Quarters

The growth was more significant when the disclosure of information incidents are examined by themselves as shown in Figure 7.14, although it is interesting to note that these disclosure of information incidents appear more predominant in 1992 through 1994, than in 1995. A simple linear least squares fit did not show the slope of these data to be statistically different from zero.

Figure 7.14. CERT®/CC Disclosure of Information Incidents per 10,000,000 Hosts by Month Averaged Over Quarters

Figure 7.15. CERT®/CC Denial-of-service Incidents by Month Averaged Over Quarters

A peak also occurred in denial-of-service incidents at the end of 1994 (Figure 7.15), although the decline in denial-of-service incidents in 1995 is less significant.

Figure 7.16. CERT®/CC Denial-of-service Incidents per 10,000,000 Hosts by Month Averaged Over Quarters

The 1994 peak is again less significant when the denial-of-service incidents are normalized for the size of the Internet (Figure 7.16). The frequency of denial-of-service incidents was also significantly higher in 1990. Simple linear regression did not show the slope of the curve in Figure 7.16 to be significantly different from zero. Denial-of-service incidents are discussed more fully in Chapter 11. In Figures 7.15 and 7.16, only the 104 incidents that were classified as "denial-of-service" incidents were used. Denial-of-service methods were recorded, however, in an additional 39 incidents that were classified as root- or account-level break-ins. These additional incidents were included in the analysis in Chapter 11, which provided a statistically significant slope that showed an increase of around 50% per year. See Chapter 11 for more information.

Corruption of information incidents show the most unusual pattern. They were the only one of the six categories of incidents that showed an increase continuing through 1995, as shown in Figure 7.17. Figure 7.18 shows a slight increase in these incidents in relative terms from 1993 through 1995 when normalized to the size of the Internet. However, the most significant feature of Figure 7.18 is the relatively larger number of incidents from the end of 1989 through 1991.

Figure 7.17. CERT®/CC Corruption of information Incidents by Month Averaged Over Quarters

A simple linear least squares fit did not show the slope of the curve for corruption of information incidents in Figure 7.18 to be significantly different from zero.

Figure 7.18. CERT®/CC Corruption of Information Incidents per 10,000,000 Hosts by Month Averaged Over Quarters

7.2.4. Inadequacies of this Classification - The incidents shown in Figures 7.1 and 7.2 were classified into types in Figures 7.6 through 7.18, which gives some indication of their severity. The other problems noted earlier, however, remain: 1) the incidents were plotted according to the date they were reported to the CERT®/CC, which was often not when they actually began, 2) the incidents were of variable duration, and 3) the incidents involved different numbers of sites. This problem is discussed further in Section 7.3, where an alternate measure of severity is presented.

7.3. An Alternate Measure of Severity

An alternative method of presenting the CERT®/CC incident information was developed for this research. For each incident, the average sites per day were calculated using the starting date, ending date and the total number of sites involved. These were then combined through the use of a custom computer program to find the total average sites per day for each classification of attack.

Using sites per day to present the CERT®/CC incident information takes into consideration the beginning and the end of an incident, as well as the number of sites involved. The classification of the incidents can be taken into consideration by examining separate groups of incidents. One inaccuracy with this approach is introduced by averaging the number of sites involved over the number of days in the incident. For this to be accurate, the involvement of all attackers and all sites must have been constant over the duration of the incident. This was generally not the case. Both in terms of the attackers and the sites, the involvement generally appeared much greater toward the beginning of an incident than toward the end. There was not, however, enough information in the CERT®/CC records to either determine the extent of this inaccuracy, or to compensate for it.
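The sites-per-day calculation described in Section 7.3 can be worked through in code. The following is an added example, not the custom program used for the thesis: each incident record (constructed here, not taken from the CERT®/CC files) contributes sites divided by duration to every calendar day between its start and end date, the daily totals are averaged over each calendar month, and a constructed monthly host count is used to normalize per 10,000,000 hosts. It also shows how the constant-involvement assumption enters: a single incident's sites are spread evenly across its days.

```python
"""Sites-per-day severity measure (added worked example, constructed data)."""
import calendar
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Incident:
    ident: str        # constructed label, not a CERT/CC incident number
    start: date       # first day of activity (not the reporting date)
    end: date         # last day of activity, inclusive
    sites: int        # total sites involved over the whole incident
    category: str     # "root", "account", "attempt", "use" or "false_alarm"

    def duration_days(self) -> int:
        # Inclusive count: an incident that began and ended on one day lasts 1 day.
        return (self.end - self.start).days + 1

    def sites_per_day(self) -> float:
        # Constant-involvement assumption: the total number of sites is spread
        # evenly over the incident's duration, which the text notes overstates
        # activity late in an incident and understates it early on.
        return self.sites / self.duration_days()


SUCCESSFUL = frozenset({"root", "account"})  # the Figure 7.22/7.23 subset


def daily_totals(incidents, categories=None):
    """Total average sites/day for each calendar day, summed over incidents.

    False alarms are always excluded (the text keeps them out of all later
    statistics).  `categories` restricts the sum to a subset, e.g. SUCCESSFUL.
    """
    totals = defaultdict(float)
    for inc in incidents:
        if inc.category == "false_alarm":
            continue
        if categories is not None and inc.category not in categories:
            continue
        rate = inc.sites_per_day()
        day = inc.start
        while day <= inc.end:
            totals[day] += rate
            day += timedelta(days=1)
    return dict(totals)


def monthly_average(daily):
    """Average sites/day over every calendar day of each month.

    Days with no recorded activity count as zero, so one short incident in an
    otherwise quiet month is smoothed down rather than dropped.
    """
    by_month = defaultdict(float)
    for day, value in daily.items():
        by_month[(day.year, day.month)] += value
    return {
        (year, month): total / calendar.monthrange(year, month)[1]
        for (year, month), total in by_month.items()
    }


def normalize_per_hosts(monthly, hosts_by_month, per=10_000_000):
    """Scale each month's sites/day to `per` Internet hosts."""
    return {ym: value * per / hosts_by_month[ym] for ym, value in monthly.items()}


# Constructed sample records (not taken from the CERT/CC files).
SAMPLE = [
    Incident("A", date(1994, 2, 1), date(1994, 2, 10), 400, "root"),
    Incident("B", date(1994, 2, 5), date(1994, 2, 5), 2, "attempt"),
    Incident("C", date(1994, 2, 20), date(1994, 3, 5), 14, "account"),
    Incident("D", date(1994, 3, 1), date(1994, 3, 1), 2, "false_alarm"),
]
# Constructed monthly host counts for the normalization step (illustrative only).
SAMPLE_HOSTS = {(1994, 2): 2_000_000, (1994, 3): 2_500_000}

if __name__ == "__main__":
    all_monthly = monthly_average(daily_totals(SAMPLE))
    breakin_monthly = monthly_average(daily_totals(SAMPLE, SUCCESSFUL))
    for ym in sorted(all_monthly):
        print(ym, f"all={all_monthly[ym]:.3f}",
              f"break-ins={breakin_monthly[ym]:.3f}")
    print(normalize_per_hosts(all_monthly, SAMPLE_HOSTS))
```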

7.4. Sites per Day Recorded in the CERT®/CC Incidents

Figure 7.19 plots the sites per day for all incidents reported to the CERT®/CC. The most pronounced feature of this figure is the large "spike" in sites per day near the beginning of 1994. There are also smaller, but obvious spikes in 1995.

Figure 7.19. CERT®/CC Sites per Day - All Incidents

With the spikes in Figure 7.19 it is difficult to determine trends in the remaining data. These data can be smoothed by averaging over each month (Figure 7.20) or over each quarter (Figure 7.21). Even with this smoothing, however, there remains a large spike in the number of sites per day in February, 1994. This will be investigated further in Chapter 8, which discusses large incidents. It appears that the large spike in February, 1994 may explain the drop in incidents seen between 1994 and 1995. Other than this spike, both Figure 7.20 and 7.21 show smooth increases in sites per day through the first half of 1995.

Figure 7.20. CERT®/CC Sites per Day - All Incidents, Averaged Over Months

Figures 7.20 and 7.21, however, appear to indicate a significant drop in the number of sites per day during the last half of 1995. This drop is less pronounced when only the successful access attacks are included (root and account-level break-ins). This is the case in Figures 7.22 and 7.23. In these figures there are large spikes in February, 1994 and June, 1995. There is also a relatively smooth increase in sites per day in the rest of the data. There was not, however, much of a drop-off in incidents until the last quarter of 1995.

Figure 7.21. CERT®/CC Sites per Day - All Incidents, Averaged Over Quarters

One interesting thing to note in Figures 7.20 to 7.23 is that there is very little evidence of seasonality. Earlier figures present the reporting dates of incidents to the CERT®/CC, which match or are near the starting date of the incidents. The differences between these figures seem to indicate that the initiation of incidents may have slight seasonality, with more incidents starting after the beginning of the calendar year. The total activity, measured by the sites involved in security incidents each day, seems to show little or no seasonal variation.

Figure 7.22. CERT®/CC Sites per Day - Root and Account Break-ins, Averaged Over Months

The final two figures of this chapter show the data from Figures 7.21 and 7.23 (the sites per day data averaged over quarters) normalized for the size of the Internet. Figures 7.24 and 7.25 show a steady decline in security activity reported to the CERT®/CC, compared to the size of the Internet, since peaking in 1990. The decline is not as pronounced in Figure 7.25 which shows the sites per day for successful root- and account-level break-ins. This may reflect a decline in the reporting of unsuccessful attacks compared to successful attacks. This is discussed further in Chapter 12 which estimates the total number of Internet incidents.

Figure 7.23. CERT®/CC Sites per Day - Root and Account Break-ins, Averaged Over Quarters

Figure 7.24. CERT®/CC Sites per Day per 10,000,000 Hosts - All Incidents, Averaged Over Quarters

It is interesting to note that all presentations of sites per day, including Figures 7.24 and 7.25 show the large peak in the first quarter of 1994. This appears to involve one or more large incidents. This is discussed further in Chapter 10 which examines severe incidents.

Figure 7.25. CERT®/CC Sites per Day per 10,000,000 Hosts - Root and Account Break-ins, Averaged Over Quarters

A simple linear least squares fit showed the slope of the growth in all sites per day for all incidents (Figure 7.24) and for successful break-ins (Figure 7.25) were both around 7% less than the growth rate of Internet hosts (α = 1%, R² = 7.66% Figure 7.24, R² = 9.39% Figure 7.24).

7.5. Summary of the Classification of Internet Incidents and Internet Activity

A total of 4,567 incidents over this 7 year period were reconstructed from the CERT®/CC records. This included 268 false alarms (5.9%), and 4,299 actual incidents (94.1%) ranging from login attempts to large incidents involving break-ins at the root level. The number of incidents increased each year at a rate between 41% (1991 to 1992) and 62% (1993 to 1994). The exception to this took place between 1994 and 1995 when the number of incidents decreased slightly.

The number of incidents reported to the CERT®/CC was not a good indication either of the activity at the CERT®/CC or of security incidents on the Internet, because 1) the incidents were presented according to reporting date, which is an inaccurate representation of the incidents in time, and 2) the incidents were not comparable due to wide variations in duration, in the number of sites involved, and in the severity or success of the attack.

As stated in Chapter 6, the center of the connection between attackers and their objectives is the attacker's requirement for unauthorized access or unauthorized use. Most of the CERT®/CC incidents (89.3%) were unauthorized access incidents, which were further classified into their degree of success in obtaining access: root break-in (27.7%), account break-in (24.1%), and access attempts (37.6%). Relative to the growth in Internet hosts, each of these access categories was found to be decreasing over the period of this research: root-level break-ins at a rate around 19% less than the increase in Internet hosts, account-level break-ins at a rate around 11% less, and access attempts at a rate around 17% less.

Of the 4,299 actual incidents reported to the CERT®/CC, 458 (10.7%) were classified as unauthorized use incidents. These were further classified into denial-of-service attacks (2.4%), corruption of information incidents (3.1%), and disclosure of information incidents (5.1%). The growth in total unauthorized use incidents was around 9% per year greater than the growth in Internet hosts.

An alternative method of presenting the CERT®/CC incident information was developed for this research. For each incident, the average sites per day were calculated using the starting date, ending date and the total number of sites involved. These were then combined through the use of a custom computer program to find the total average sites per day for each classification of attack.

The sites per day data showed there was a steady decline in security activity reported to the CERT®/CC, compared to the size of the Internet, since peaking in 1990. The slope of the growth in all sites per day for all incidents, and for root and account-level break-ins were both around 7% less than the growth rate in the number of Internet hosts.
