DocumentCode :
1954637
Title :
Strategic deployment of network monitors for attack attribution
Author :
Pyun, Young June ; Reeves, Douglas S.
Author_Institution :
Department of Computer Science, North Carolina State University, Raleigh, 27695, USA
fYear :
2007
fDate :
10-14 Sept. 2007
Firstpage :
525
Lastpage :
534
Abstract :
Attacks launched over the Internet have become a pressing problem. Attackers make use of a variety of techniques to anonymize their traffic, in order to escape detection and prosecution. Despite much research on attack attribution, there has been little work on optimizing the number and placement of monitoring points for identifying the source of attacks with minimum ambiguity. This paper proposes such a method. The approach is based on the concept of graph separators. A separator partitions a network, such that the size of the separator is the number of monitors needed, and the size of a partition is the ambiguity in isolating the specific source of an attack. To achieve a desired degree of ambiguity, a good separator for the Internet is sought. Both vertex and edge separator heuristics are presented, which greedily select vertices of highest/lowest degree as monitors. The methods are evaluated for the Internet autonomous system (AS) topology. Experimental results show that the vertex separator heuristic requires just 5% of the ASes to be monitored to identify the source of an attack with little ambiguity. If only those links actually used for routing to a specific destination are considered, use of an edge separator requires 30% of the links to be monitored to achieve similar results. The results can be further improved if it is known that ASes have unequal probabilities of being the source of an attack.
Keywords :
Computer displays; Computer science; Cryptography; IP networks; Internet; Monitoring; Particle separators; Routing protocols; Safety; Telecommunication traffic;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Broadband Communications, Networks and Systems, 2007. BROADNETS 2007. Fourth International Conference on
Conference_Location :
Raleigh, NC, USA
Print_ISBN :
978-1-4244-1432-1
Electronic_ISBN :
978-1-4244-1433-8
Type :
conf
DOI :
10.1109/BROADNETS.2007.4550478
Filename :
4550478