2 research outputs found

    Internet Sensor Grid: Experiences with Passive and Active Instruments

    The Internet is constantly evolving with new emergent behaviours arising; some of them malicious. This paper discusses opportunities and research direction in an Internet sensor grid for malicious behaviour detection, analysis and countermeasures. We use two example sensors as a basis; firstly the honeyclient for malicious server and content identification (i.e. drive-by-downloads, the most prevalent attack vector for client systems) and secondly the network telescope for Internet Background Radiation detection (IBR - which is classified as unsolicited, non-productive traffic that traverses the Internet, often malicious in nature or origin). Large amounts of security data can be collected from such sensors for analysis and federating honeyclient and telescope data provides a worldwide picture of attacks that could enable the provision of countermeasures. In this paper we outline some experiences with these sensors and analyzing network telescope data through Grid computing as part of an “intelligence layer” within the Internet

    Designing workflows for grid enabled internet instruments

    To analyse malicious activity on the Internet, instruments such as network telescopes and honeypots are effective tools that can be deployed. Such tools can be deployed in large scale using Grid computing. Manual deployment of instruments wastes resources because common tasks and solutions are reinvented by different deployers and the resulting architectures are often not interoperable or sufficiently scalable. Research is underway to develop a framework for scalable and automated deployment, with Grid technologies providing a promising basis. The integration of Grid technology with instrumentation has two initiatives. These are CIMA and GRIDCC, with GRIDCC being available as open source. A key area is workflow within the framework, for which BPEL (Business Process Execution Language) is used in GRIDCC and considered for initial use for Grid Enabled Internet Instruments. We have found BPEL has limitations when implementing such a framework, particularly in the areas of concurrency and statefulness. We propose implementation independent workflows and identify extensions to BPEL in order to realise them. We believe that BPEL with modification can be used to implement a framework for Internet instruments–Grid computing integration