An Analysis of Security Incidents on the Internet
April 1997 • White Paper
In this dissertation, John D. Howard presents an analysis of security incidents on the Internet between 1989 and 1995.
Software Engineering Institute
This research analyzed trends in Internet security through an investigation of 4,299 security-related incidents on the Internet reported to the CERT Coordination Center (CERT/CC) from 1989 to 1995. Prior to this research, our knowledge of security problems on the Internet was limited and primarily anecdotal. This information could not be effectively used to determine what government policies and programs should be, or to determine the effectiveness of current policies and programs. This research accomplished the following: 1) development of a taxonomy for the classification of Internet attacks and incidents, 2) organization, classification, and analysis of incident records available at the CERT/CC, and 3) development of recommendations to improve Internet security, and to gather and distribute information about Internet security.
With the exception of denial-of-service attacks, security incidents were generally found to be decreasing relative to the size of the Internet. The probability of any severe incident not being reported to the CERT/CC was estimated to be between 0% and 4%. The probability that an incident would be reported, if it was above average in terms of duration and number of sites, was around 1 out of 2.6. Estimates based on this research indicated that a typical Internet domain was involved in no more than around one incident per year, and a typical Internet host in around one incident every 45 years.
The taxonomy of computer and network attacks developed for this research was used to present a summary of the relative frequency of various methods of operation and corrective actions. This was followed by an analysis of three subgroups: 1) a case study of one site that reported all incidents, 2) 22 incidents that were identified by various measures as being the most severe in the records, and 3) denial-of-service incidents. Data from all incidents and these three subgroups were used to estimate the total Internet incident activity during the period of the research. This was followed by a critical evaluation of the utility of the taxonomy developed for this research. The analysis concludes with recommendations for Internet users, Internet suppliers, response teams, and the U.S. government.