Skip to main content
The Internet Motion Sensor: Measuring, Characterizing, and Tracking Internet Threats

The Internet Motion Sensor: Measuring, Characterizing, and Tracking Internet Threats


Farnam Jahanian

University of Michigan


The Internet is increasingly susceptible to a broad spectrum of security and operational threats such as distributed denial of service attacks, zero-day worms, and routing exploits. First and foremost, these threats are globally scoped, respecting no geographic or topological boundaries. Secondly, recent mutations of Internet worms have shown to be exceptionally virulent, propagating to the entire vulnerable population in the Internet in a matter of minutes. To make matters worse, these threats often are zero- day threats, exploiting vulnerabilities for which no signature or patch has been developed. This presentation discusses the changing Internet ecology and the evolution of zero-day threats. The talk highlights results from the Internet Motion Sensor Project, a collaborative research project aimed at observing and characterizing security threats on a global scale through deployment of a set of topology aware dark IP network sensors across the Internet. The current IMS deployment consists of more than 30 distinct monitored blocks at 20 physical installations across the Internet. These deployments range in size from a /25 to a /8 and include major Internet service providers, large enterprises, academic networks, and broadband providers. These sensors represent a range of organizations and a diverse sample of the routable IPv4 space including nine of all routable /8 address ranges. While past research has attempted to extrapolate the results from a small number of blocks to represent global Internet traffic, we present evidence that distributed address blocks observe dramatically different traffic patterns. Data gathered from these deployments is used to demonstrate the ability of the IMS to capture and characterize several recent Internet security attacks.



Farnam Jahanian is a Professor of Electrical Engineering and Computer Science at the University of Michigan and co-founder of Arbor Networks, Inc. Prior to joining academia in 1993, he was a Research Staff Member at the IBM T.J. Watson Research Center. His interests include distributed computing, network security, and network protocols and architectures. In the late 90's, Farnam led a research effort aimed at developing a flow-based system for detecting, backtracing and resolving network-wide anomalies such as DDoS attacks and routing exploits. This research project has formed the basis of a commercial technology that has been widely deployed by more than 80 Internet service providers and numerous mission-critical networks throughout the world. Farnam holds a master's degree and a Ph.D. in Computer Science from the University of Texas at Austin.