TY - CONF
T1 - A Comparison between Internal and External Malicious Traffic
Y1 - 2007
A1 - Michel Cukier
A1 - Panjwani,S.
KW - Computer networks
KW - Data analysis
KW - external traffic
KW - honeypot target computers
KW - internal traffic
KW - malicious traffic data
KW - security of data
KW - user activity profile
AB - This paper empirically compares malicious traffic originating inside an organization (i.e., internal traffic) with malicious traffic originating outside an organization (i.e., external traffic). Two honeypot target computers were deployed to collect malicious traffic data over a period of fifteen weeks. In the first study we showed that there was a weak correlation between internal and external traffic based on the number of malicious connections. Since the type of malicious activity is linked to the port that was targeted, we focused on the most frequently targeted ports. We observed that internal malicious traffic often contained different malicious content compared to that of external traffic. In the third study, we discovered that the volume of malicious traffic was linked to the day of the week. We showed that internal and external malicious activities differ: where the external malicious activity is quite stable over the week, the internal traffic varied as a function of the users' activity profile.
M3 - 10.1109/ISSRE.2007.32
ER -