Public Town Hall Meeting to Discuss President Bush's National Strategy to Secure Cyberspace
7 - 9 p.m., Jan. 28, 2003
The Neurosciences Institute, 10640 John Jay Hopkins Drive, San Diego, CA
Full story
CAIDA's Walrus Shows Universe of Data
May 29, 2002 – Unreleased visualization tool already making a splash. As the Internet has grown over the years, it has become more and more complex. When that complexity is visualized with Walrus, a new tool being developed by the Cooperative Association for Internet Data Analysis (CAIDA) at SDSC, the results can be spectacular.

CAIDA promotes the engineering and maintenance of a robust and scalable Internet infrastructure by providing tools and analyses to the planners and service providers who keep the net going. Most of these tools and analyses are used only by specialists, but occasionally an analysis turns out to be so interesting that outsiders take notice.

Walrus recently captured the attention of the magazine Yahoo! Internet Life. In the May 2002 issue, the "Click" feature of people, places, and trends on the Net led with a complex Walrus-generated visualization of round-trip times of data packets issued from a measurement point in Herndon, Virginia, to nodes on the Internet around the world and back again. The image is the work of Walrus's creator, Young Hyun, working from a data analysis by CAIDA's Bradley Huffaker.
Full story
SDSC Computer Crime Specialist Erin Kenneally "Testifies" at Annual Forensic Conference
March 21, 2001 – SDSC forensic analyst and computer security specialist Erin Kenneally was one of three leaders of a seminar on "What You Always Wanted to Know about Digital Evidence but Were Afraid to Ask" at the 53rd annual scientific meeting of the American Academy of Forensic Sciences (AAFS), held in Seattle on February 23, 2001.

Chaired by Carrie M. Whitcomb, Director of the National Center for Forensic Science at the University of Central Florida in Orlando, the seminar gave an overview of the legal hazards involved in collection, storage, and transmittal of digital evidence.

"Computer forensics is still a pretty new field," Kenneally said, "and it's important to educate the community about some of the unique aspects and issues. Forensics professionals in other disciplines are coming to understand this field's uniqueness and realize that the subject deserves the same respect as more traditional areas of criminology and legal investigation."

Approximately 100 forensics professionals attended the seminar, which examined how the revolution in personal electronics has changed the practice of gathering evidence. "Investigators are used to handling traditional forms of evidence," Kenneally said. "Fingerprints or handwritten notes at a crime scene, or the diary or answering machine of a suspect or victim . . . these could all be bagged, tagged, and entered into the evidence log. But what does an investigator do when the evidence might be in a computer file, e-mail, a Palm Pilot, a digital answering machine, or a pager? How does an investigator make sure the evidence stays intact and unimpeachable? If encrypted files are involved, how do you even find the evidence in the first place?"
Full story
UCSD Researchers Analyze Prevalence and Patterns of Worldwide Denial-of-Service Attacks on the Internet
May 30, 2001 – Using a new technique, UCSD network researchers from the San Diego Supercomputer Center (SDSC) and the Jacobs School of Engineering have analyzed the worldwide pattern of malicious denial-of-service (DoS) attacks against the computers of corporations, universities, and private individuals. The attacks disable Web servers on the Internet by overloading them with messages, which usually contain false source addresses to conceal the locations of the attackers. But in a clever twist, the researchers used key features of these messages' forged signatures to detect and track the attacks.

"We believe that our research provides the only publicly available data quantifying denial-of-service activity in the Internet," said David Moore, a senior researcher in UCSD's Cooperative Association for Internet Data Analysis (CAIDA) program at SDSC. Moore and UCSD Computer Science and Engineering professors Geoff Voelker and Stefan Savage have devised a new technique called "backscatter analysis" that gives an estimate of worldwide denial-of-service activity. Their research enables network engineers to understand the nature of recent attacks and to study long-term trends and recurring patterns of attacks.
Full story
CAIDA Network Researchers Track the Worldwide Spread of the "Code Red" Worm
July 25, 2001 – Someone turned a worm loose on the Internet late last week, and in less than a day it infected hundreds of thousands of Web servers around the world. Using sophisticated new "backscatter analysis" techniques developed to detect denial-of-service attacks, researchers at the Cooperative Association for Internet Data Analysis (CAIDA) of the San Diego Supercomputer Center (SDSC) tracked the progress of the infestation.

"More than 359,000 computers were infected with a version of the Code Red worm in less than 14 hours," said David Moore, SDSC senior network researcher and a principal investigator at CAIDA. "At the peak of the infection frenzy, more than 2,000 new hosts were infected each minute."

The Code Red worm infects Web servers by exploiting a security flaw in the Microsoft Internet Information Services (IIS) software package; only systems that run Microsoft software are infected. On July 12, less than a month after the IIS vulnerability was made known to the computer security community, the Code Red worm was detected "in the wild" by Marc Maiffret and Ryan Permeh of eEye Digital Security. A new, "improved" variant surfaced on July 19.

Once it infects a host, the Code Red worm tries to spread the infection by sending a copy of itself to 99 random IP addresses. Then it waits. On the 20th day of the month, each copy of the worm tries to bombard the White House Web site with messages in an attempt to overload its Web server. Fortunately, the White House webmaster was alerted to the problem and changed the numeric IP address of the Web server, which foiled the second phase of the attack.
Full story