Nearly 10% of all incidents in the CERT®/CC records from November, 1988 through December, 1995 involved one Internet site, which was termed Site A. This chapter presents an analysis of the CERT®/CC incidents reported to have involved Site A. The analysis proceeded in parallel with the analysis presented in Chapter 7, which allowed comparisons between the incidents at Site A and all incidents. The chapter begins with a description of Site A.

9.1. Description of Site A

Site A is a university located in the United States. It has around 30,000 users at its main campus. The number of hosts at Site A from 1989 through 1995 was not available in the CERT®/CC records, but it could be estimated using information from the current system administrator. Site A is a class B Internet network (65,536 addresses) divided into subnetworks. At the end of 1996 the site administrator indicated that half of the subnetworks were near maximum capacity for IP addresses. If we assume that 90% of the addresses are assigned in that half of the subnetworks and 25% in the remaining half (0.9 × 32,768 + 0.25 × 32,768 ≈ 37,700), this gives approximately 38,000 assigned addresses near the end of 1996. The actual number of hosts on the network was probably less than that (see Chapter 2), but the number is an approximate upper limit. The system administrator was able to indicate how the number of router/gateway hosts changed over the period of interest, and this was used to estimate the change in the number of hosts. These estimates are given in Table 9.1. The upper limits were determined by starting with 38,000 as the number of hosts in 1996 and using the number of router/gateway hosts to project this number back to the earlier years, on the assumption that the number of hosts was proportional to the number of router/gateway hosts. The lower limits in Table 9.1 represent approximately 75% of the upper limit.
9.2. Site A Reporting Criteria

Since their first contact with the CERT®/CC in 1989, the systems administrators at Site A routinely reported all security incidents involving the Internet. Site administrators made it a practice to contact sites that were the source of intrusions or intrusion attempts, and these messages were copied to the CERT®/CC. Security incidents that were internal to Site A were not reported to the CERT®/CC. The criteria Site A used for determining whether an incident would be reported to the CERT®/CC included: a) repeated login attempts (5 or more), b) root login attempts, and c) attempts to exploit known vulnerabilities. The CERT®/CC records show that until around 1992, several sites apparently were routinely reporting all incidents to the CERT®/CC. Site A was the only Internet site that continued to report all Internet security incidents to the CERT®/CC after 1992.

9.3. Classification of Site A Incidents

As stated earlier, including false alarms, there were 4,567 incidents reconstructed from the CERT®/CC records. Of these, 443 incidents (9.7%) were either reported by Site A or otherwise involved Site A.

9.3.1. False Alarms

The Site A incidents represent nearly 10% of the CERT®/CC incidents. Of these incidents, 6 (1.4%) were determined to be false alarms. This was well below the average of 5.9% for all incidents. The relationship of false alarms to incidents is shown in Figure 9.1, which shows peaks in the number of false alarms in 1990 and 1994.
The percentage of false alarms at Site A matched the rate for all incidents in 1991 (see Figure 7.4). In later years, the rate of false alarms at Site A was significantly lower than for all incidents. For example, in 1995, the rate of false alarms for all incidents was 8.5%, but only 2.5% at Site A. The correlation between the rate of false alarms at Site A and for all sites was only 20%. The small number of false alarms at Site A indicates that its administrators either learned from experience or were otherwise better able to distinguish between actual incidents and false alarms. False alarms were not included in the remaining analysis of Site A, unless otherwise indicated.
Figure 9.3 plots incidents per month at Site A. This figure shows considerable difference from Figure 7.2, which plots the same information for all incidents. Like Figure 7.2, the Site A incidents peak in 1994. But Site A incidents do not show a sharp increase in 1992, nor a leveling off near the 1994 peak, as Figure 7.2 shows for all incidents. The correlation between incidents per month for Site A and for all incidents was 76%. It is interesting, however, to note that the correlation is higher for incidents from 1988 through 1993 (73%) than for incidents from 1994 through 1995 (57%).
9.3.2. Unauthorized Access Incidents at Site A

Most of the Site A incidents (412 incidents, 94.3% of Site A incidents) were classified as access incidents. Of these, 30 (6.9% of Site A incidents, 7.3% of access incidents) were classified as root break-ins, 61 (14.0% of Site A total, 14.8% of access incidents) were classified as account break-ins, and 321 (73.5% of total, 77.9% of access incidents) were unsuccessful access attempts (see Table 9.2).
Figure 9.4 shows the average number of incidents per quarter at Site A for each of the three access categories. Unlike Figure 7.6, which shows the data for all incidents, the frequency of account and root level break-ins does not appear to show a steady increase. Access attempts, however, have a similar pattern in both figures. They both show significant peaks in activity in 1990-1991 and the first half of 1994. The correlation between the occurrence of access attempts at Site A and the occurrence for all incidents was 80%, while the correlations for root break-ins (49%) and account break-ins (53%) were considerably less.
In Figure 9.5, as in Figure 7.7, the frequency of access incidents was normalized to the growth of Internet domains. If the frequency of access incidents matched the growth of Internet domains, we would expect to see a steady average. Instead, we see significant variation in root and account level break-ins. For access attempts, peaks occur in 1990-1991, the end of 1992, and the beginning of 1994. The most notable difference between Figures 9.5 and 7.7 is that in Figure 7.7, the peak in access attempts from 1990-1991 is higher than the 1994 peak, which is not the case in Figure 9.5. A simple linear least squares fit showed none of the curves in Figure 9.5 had slopes statistically different from zero.
As noted in Chapter 7, the patterns shown in Figures 7.7 and 9.5 may be influenced by the reduction in the number of Internet hosts per Internet domain after 1993. In Figures 7.8 and 9.6, the growth in Internet hosts was used to determine the average incidents per month per 10,000,000 Internet hosts. Again, if the rate of attacks matched the growth of Internet hosts, we would expect to see a steady average. In Figure 9.6 we instead see what appears to be a steady decline in root and account level break-ins from peaks in 1990. Access attempts show peaks in 1990 and 1994, similar to those found in Figure 7.8. A simple linear least squares fit showed that the slope for neither the access attempts nor the root break-ins was statistically different from zero. The slope for account break-ins was statistically significant (α = 5%), showing that account break-ins at Site A grew over this period at a rate around 23% less than the growth of Internet hosts (R² = 6.83%).
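The steps behind Figures 9.5 through 9.8 (count incidents per month, divide by the size of the Internet, smooth by quarter, correlate one series against another, and fit a line by least squares to test whether the slope differs from zero) are generic, so the following added example shows them in working code. It is not from the thesis and uses no CERT®/CC data: the incident records, the year-end host counts and the linear interpolation between them are all constructed for illustration, and the category labels simply mirror the chapter's access taxonomy.

```python
"""Normalized incident rates, quarterly smoothing, correlation and a
least-squares trend, as used in the Site A analysis.  Added example;
all figures below are constructed, not taken from the CERT/CC records."""
import math

# Constructed incident records: (year, month, category).  Categories use
# the chapter's labels (root, account, attempt); the values are invented.
INCIDENTS = [
    (1990, 1, "attempt"), (1990, 2, "attempt"), (1990, 2, "root"),
    (1990, 3, "account"), (1990, 5, "attempt"), (1990, 7, "attempt"),
    (1990, 9, "account"), (1990, 12, "attempt"),
    (1991, 1, "attempt"), (1991, 4, "root"), (1991, 6, "attempt"),
    (1991, 8, "attempt"), (1991, 10, "account"), (1991, 11, "attempt"),
]

# Constructed year-end Internet host estimates (assumption; the thesis
# uses the Internet Domain Survey figures, which these do not reproduce).
HOSTS_AT_YEAR_END = {1989: 160_000, 1990: 320_000, 1991: 620_000}


def months(start, end):
    """Every (year, month) pair from start to end, inclusive."""
    y, m = start
    out = []
    while (y, m) <= end:
        out.append((y, m))
        y, m = (y + 1, 1) if m == 12 else (y, m + 1)
    return out


def hosts_in_month(year, month):
    """Linear interpolation between the previous and current year-end counts."""
    h0, h1 = HOSTS_AT_YEAR_END[year - 1], HOSTS_AT_YEAR_END[year]
    return h0 + (h1 - h0) * month / 12


def monthly_counts(incidents, span, category=None):
    """Incidents per month over span, optionally restricted to one category."""
    counts = {ym: 0 for ym in span}
    for y, m, cat in incidents:
        if (y, m) in counts and (category is None or cat == category):
            counts[(y, m)] += 1
    return [counts[ym] for ym in span]


def per_10m_hosts(counts, span):
    """Incidents per month per 10,000,000 Internet hosts (Figure 9.6 style)."""
    return [c * 10_000_000 / hosts_in_month(y, m) for c, (y, m) in zip(counts, span)]


def smooth_by_quarter(series):
    """Mean of each complete block of three consecutive months."""
    usable = len(series) - len(series) % 3
    return [sum(series[i:i + 3]) / 3 for i in range(0, usable, 3)]


def pearson(x, y):
    """Pearson correlation coefficient of two equal-length series."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy)


def least_squares(y):
    """Fit y = intercept + slope * t for t = 0, 1, 2, ...

    Returns (slope, intercept, R^2, t statistic of the slope).  The t
    statistic is compared with the t distribution on n - 2 degrees of
    freedom to decide whether the slope differs from zero at a chosen alpha.
    """
    n = len(y)
    t = list(range(n))
    mt, my = sum(t) / n, sum(y) / n
    stt = sum((a - mt) ** 2 for a in t)
    sty = sum((a - mt) * (b - my) for a, b in zip(t, y))
    slope = sty / stt
    intercept = my - slope * mt
    ss_res = sum((b - (intercept + slope * a)) ** 2 for a, b in zip(t, y))
    ss_tot = sum((b - my) ** 2 for b in y)
    r2 = 1 - ss_res / ss_tot if ss_tot else 1.0
    se = math.sqrt(ss_res / (n - 2) / stt) if n > 2 and ss_res > 0 else 0.0
    tstat = slope / se if se else (0.0 if slope == 0 else float("inf"))
    return slope, intercept, r2, tstat


def analyze(category):
    """Run the whole pipeline for one category over the constructed span."""
    span = months((1990, 1), (1991, 12))
    raw = monthly_counts(INCIDENTS, span, category)
    normalized = per_10m_hosts(raw, span)
    slope, intercept, r2, tstat = least_squares(normalized)
    return {
        "raw": raw,
        "normalized": normalized,
        "quarterly": smooth_by_quarter(normalized),
        "slope": slope, "r2": r2, "t": tstat,
        "corr_with_all": pearson(normalized, per_10m_hosts(monthly_counts(INCIDENTS, span), span)),
    }


if __name__ == "__main__":
    for cat in ("attempt", "root", "account"):
        r = analyze(cat)
        print(f"{cat:8s} slope={r['slope']:+.2f} R2={r['r2']:.3f} t={r['t']:+.2f} "
              f"corr={r['corr_with_all']:.2f} quarterly={[round(q) for q in r['quarterly']]}")
```

With 24 months the fit has 22 degrees of freedom, for which the two-sided 5% critical value of t is about 2.07; a slope whose t statistic falls inside ±2.07 is "not statistically different from zero" in the chapter's sense. Note also that dividing by a host count that doubles each year turns a flat raw series into a falling normalized one, which is exactly why Figures 9.6 and 9.8 look different from Figures 9.4 and 9.7.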
The successful root and account level break-ins are combined in Figure 9.7, as was done in Figure 7.9. Figure 9.7 shows more variation than Figure 7.9, as well as stronger seasonal variation. Five of the seven years in Figure 9.7 show more incidents in the first half of the year than in the second half. For all incidents (Figure 7.9), however, the correlation with month was only 7%. The correlation was higher for Site A at 23%, although the effect was still not very large. The increase may result from the fact that Site A is a university with fewer students on campus in the summer.
The overall pattern of access incidents looks different in Figure 9.8, which has the same data normalized to the number of hosts on the Internet (comparable to Figure 7.10). There was a strong peak when Site A first began reporting to the CERT®/CC, which was followed by a steady decline. A simple linear least squares fit showed that successful access incidents at Site A increased at a rate around 20% less than the growth of Internet hosts (α = 1%, R² = 20.3%).
9.3.3. Unauthorized Use Incidents at Site A

Only a few of the Site A incidents (25 incidents, 5.7% of Site A total) were classified as unauthorized use incidents. Of these, 13 (3.0% of Site A total, 52.0% of use incidents) were classified as disclosure of information incidents, 6 (1.4% of Site A total, 24.0% of use incidents) were classified as denial-of-service incidents, and 6 (1.4% of Site A total, 24.0% of use incidents) were classified as corruption of information incidents. Table 9.3 summarizes the Site A unauthorized use incidents.
The small number of unauthorized use incidents makes accurate comparisons between Site A and all incidents difficult. It is still useful, however, to make the comparisons in order to see if there are significant or important differences. The distribution of unauthorized use incidents at Site A was highly variable, as shown in Figure 9.9, compared to Figure 7.11 for all incidents. Both figures, however, show increases in absolute numbers over the period.
When these data are normalized for the number of Internet hosts, a significant difference does emerge. For all incidents, as shown in Figure 7.13, the frequency of unauthorized use incidents was relatively constant. This was not the case with similar incidents at Site A, which Figure 9.10 shows decreased steadily over the period relative to the size of the Internet. This difference is reflected in a relatively low correlation between the frequency of incidents at Site A and for all incidents (45%). A simple linear least squares fit did not show the slope of the curve in Figure 9.10 to be significantly different from zero. This would be expected with the small sample size.
The 13 unauthorized use incidents that were classified as disclosure of information incidents are shown in Figure 9.11. The rate in this figure appears to be relatively constant after these incidents began in 1992. This indicates that, relative to the size of the Internet, these incidents have decreased.
This is confirmed in Figure 9.12. The sample size was small and the slope was not statistically different from zero. What patterns are seen in Figures 9.11 and 9.12 seem to differ from the pattern in Figures 7.12 and 7.14. Those figures show that, for all incidents, there was a steady increase in absolute terms and a relatively constant frequency compared to the size of the Internet.
There were only 6 denial-of-service incidents at Site A, which are plotted in absolute terms in Figure 9.13 and relative to the size of the Internet in Figure 9.14. These figures, along with Figures 7.15 and 7.16 for all incidents, indicate that the highest relative period for denial-of-service incidents was 1990. The small sample size, however, meant that the slope of the curve in Figure 9.14 was not statistically different from zero. At Site A, generally, denial-of-service did not appear to have been a significant problem during the period of this study.
Of these six denial-of-service incidents at Site A, the first incident involved an attack against an Internet application. This was the same method used in one incident in 1995. The second incident at Site A involved mail spam, meaning that multiple e-mail messages were sent in order to try to overwhelm a system's disk storage capacity. The 1993 incident, as well as the last incident at Site A (1995), both involved ICMP bombs, which overwhelm the network's control message protocol. The method of attack for the incident at the beginning of 1995 was a talk bomb, which sends ANSI escape sequences to a system in order to modify the file controlling the monitor display on a host computer.
The final category of unauthorized use incidents is corruption of information. There were only 6 of these incidents at Site A, as plotted in Figure 9.15. This shows some similarity to Figure 7.17 because of the increase in incidents in 1995.
The corruption of information incidents are normalized for the size of the Internet in Figure 9.16, which shows that this type of incident was not a significant problem at Site A during this period.
9.4. Sites per Day

Chapter 7 presented sites per day as an alternative measure of the severity of security incidents. Unlike the simple frequency of incidents, the sites per day measure of severity considers not only the number of incidents, but also the duration and number of sites involved. This measure still has significance when considering the activity at one site, because it indicates the severity of the incidents that the site was involved in. This can be used as a surrogate to give some indication of the severity of the incidents at that site.
Figure 9.17 plots the sites per day for all incidents at Site A reported to the CERT®/CC. This appears similar to all incidents as presented in Figure 7.19, particularly the large "spike" in sites per day in 1994. The correlation between the sites per day for all incidents and sites per day for Site A was 58%. Given the considerable variability of the data, this is a relatively high correlation.
As was done in Chapter 7, these data were smoothed by months and by quarter in order to more easily determine the trend in the data as shown in Figures 9.18 and 9.19. These figures look similar to the corresponding figures for all incidents, Figures 7.20 and 7.21. These all show similar spikes at the beginning of 1994, but Site A does not show a drop off in 1995. As expected, when the data are smoothed, the correlations between Site A and all incidents increase. For the monthly smoothing, the correlation was 81%, and this increased to 87% for smoothing by quarters.
Figure 9.20 shows the sites per day for all incidents at Site A, normalized for the size of the Internet. This shows the same pattern as Figure 7.24 for all incidents. A simple linear least squares fit showed that the growth rate of sites per day for all incidents at Site A was around 6% less than the growth rate for all Internet hosts (α = 1%, R² = 11.5%).
The last three Figures of this chapter present this same information for root and account level break-ins at Site A. These correspond to the figures for all incidents (Figures 7.22, 7.23 and 7.25).
Figure 9.21 presents the Site A root and account level break-ins smoothed by month, and Figure 9.22 presents the data smoothed by quarter. These data show significant differences from the figures in Chapter 7. The biggest difference is the lack of a "spike" in the early part of 1994. This indicates that the increased activity at this time in Figures 9.18 and 9.19 was primarily access attempts and not root or account level break-ins. This is reflected in the correlations between the Site A data for root and account break-in incidents and the data for all incidents: 24% for data by day, 38% when smoothed by month, and 50% when smoothed by quarter. For the first two, these are less than half of the correlations presented earlier for all the incidents.
Figure 9.23 presents the data smoothed by quarters, but also normalized for the size of the Internet. These data show root and account level break-ins were the most significant problem in 1990, with another peak of activity in 1992. These successful intrusions were less significant relative to the size of the Internet in the years after that. A simple linear least squares fit of the curve in Figure 9.23 shows the rate of growth of sites per day for root and account level break-ins was around 12% less than the rate of growth of Internet hosts (α = 1%, R² = 2.99%). These data from Site A presented in this chapter will be discussed further in Chapter 12, which will examine how representative the CERT®/CC records are of the total Internet intruder activity.
9.5. Summary of Case Study - Site A

Nearly 10% of all incidents in the CERT®/CC records from November, 1988 through December, 1995 involved one Internet site, which was termed Site A. Site A is a university located in the United States. It has around 30,000 users at its main campus. Since their first contact with the CERT®/CC in 1989, the systems administrators at Site A routinely reported all security incidents involving the Internet. The criteria Site A used for determining whether an incident would be reported to the CERT®/CC included 1) repeated login attempts (5 or more), 2) root login attempts, and 3) attempts to exploit known vulnerabilities. Of the 4,567 incidents reconstructed from the CERT®/CC records, 443 incidents (9.7%) were either reported by Site A or otherwise involved Site A. Of these incidents, 6 (1.4%) were determined to be false alarms. Most of the Site A incidents (94.3%) were classified as access incidents: root break-ins (6.9% of Site A total), account break-ins (14.0% of Site A total), and unsuccessful access attempts (73.5% of Site A total). The correlation between the occurrence of access attempts at Site A and the occurrence for all incidents was 80%, while the correlations for root break-ins (49%) and account break-ins (53%) were considerably less. As with all incidents, incidents in the three categories of access incidents at Site A grew at a rate less than the growth of Internet hosts, although this could only be shown statistically for account break-ins, which grew over this period at a rate around 23% less than the growth of Internet hosts. Only a few of the Site A incidents (5.7% of Site A total) were classified as unauthorized use incidents.
Using sites per day as the measure of incident severity, the correlation between sites per day for all incidents and for Site A was 58%. When the data were smoothed by month, the correlation increased to 81%, and this increased to 87% for smoothing by quarters. The growth rate of sites per day for all incidents at Site A was around 9% less than the growth rate for all Internet hosts. For root and account level break-ins it was around 12% less than the rate of growth of Internet hosts.