Attacker ip switching

PherricOxide edited this page Oct 19, 2012 · 1 revision

Currently, Nova relies on IP addresses being a unique identifier for suspects. But it may be possible in some network contexts for an attacker to dynamically switch IPs in order to evade detection.

For example, an attacker may choose to send 10% of the packets from one IP, then the next 10% from another IP, and so on. By themselves, none of the IPs would get flagged as hostile, but together they would. And the attacker could effectively evade detection using this method.

The naive method of "Let's just test every combination of suspect IP addresses together" is obviously far too cumbersome. We have to think of something smarter.

One possibility is to work backwards. Look at the data to see whether every (or most) haystack IP has been hit recently (within some timeout value), ignoring by whom. This then raises suspicion on those nodes whose IPs are in that list. Repeat the process with some other feature-set heuristic(s). Then find the overlap between these sets of IPs. Any significant overlap indicates that you've got an attacker switching IPs.
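A small worked version of this "work backwards" idea, added here as an illustration and not code from Nova itself. It assumes a constructed event log of (timestamp, source, destination, packet length) tuples and a known haystack address set; heuristic 1 checks collective haystack coverage regardless of sender, heuristic 2 is a stand-in feature heuristic (near-constant packet lengths), and the suspects are the overlap of the two.

```python
from collections import defaultdict
from statistics import pvariance

# Constructed sample data: ten haystack nodes, three "attacker" sources that each
# take a third of one sweep, and one benign host that talks to a single node.
HAYSTACK = {f"10.0.0.{i}" for i in range(1, 11)}
EVENTS = [(t, src, f"10.0.0.{d}", 60) for t, src, d in [
    (100, "192.168.1.5", 1), (101, "192.168.1.5", 2), (102, "192.168.1.5", 3),
    (103, "192.168.1.6", 4), (104, "192.168.1.6", 5), (105, "192.168.1.6", 6),
    (106, "192.168.1.7", 7), (107, "192.168.1.7", 8), (108, "192.168.1.7", 9)]]
EVENTS += [(110, "192.168.1.50", "10.0.0.2", 512),
           (111, "192.168.1.50", "10.0.0.2", 1400),
           (112, "192.168.1.50", "10.0.0.2", 90)]


def recent(events, now, timeout):
    """Events inside the lookback window [now - timeout, now]."""
    return [e for e in events if now - timeout <= e[0] <= now]


def coverage_suspects(events, haystack, now, timeout=60, min_fraction=0.8):
    """Heuristic 1: ignore who sent what. If most haystack nodes were hit
    recently, every source that touched one of them becomes suspicious."""
    hits = defaultdict(set)  # src -> haystack nodes it touched
    for _, src, dst, _ in recent(events, now, timeout):
        if dst in haystack:
            hits[src].add(dst)
    covered = set().union(*hits.values()) if hits else set()
    if len(covered) / len(haystack) < min_fraction:
        return set()  # no collective sweep: nobody is flagged by this heuristic
    return set(hits)


def probe_suspects(events, now, timeout=60, max_variance=100.0):
    """Heuristic 2 (assumed feature): sources whose packet lengths barely vary,
    a property that survives switching the source address."""
    sizes = defaultdict(list)
    for _, src, _, length in recent(events, now, timeout):
        sizes[src].append(length)
    return {src for src, ls in sizes.items() if pvariance(ls) <= max_variance}


def switching_attackers(events, haystack, now):
    """Overlap of the independent heuristics: only sources flagged by both."""
    return coverage_suspects(events, haystack, now) & probe_suspects(events, now)
```

Any single attacker address alone covers only 3 of 10 nodes and is never flagged; the benign host is caught by the coverage heuristic but dropped by the overlap.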

Mitigating Factors: Even if the attacker does evade detection, the Haystack still obfuscates the network. So this doesn't represent a total security failure, only a partial one. But still a case we should consider.

One approach would be to use subspace clustering. We would look for clusters across a subset of our feature dimensions that should remain the same despite spoofing attempts, such as packet size interval, packet size variance, etc. We would then classify clusters only on the dimensions we used to form them, giving a wider range of data points; this should help mitigate false positives by providing a more general classification that is still useful to the user.