A flow-based method for abnormal network traffic detection

One recent trend in network security attacks is an increasing number of indirect attacks which influence network traffic negatively, instead of directly entering a system and damaging it. In future, damages from this type of attack are expected to become more serious. In addition, the bandwidth consumption by these attacks influences the entire network performance. This paper presents an abnormal network traffic detecting method and a system prototype. By aggregating packets that belong to the identical flow, we can reduce processing overhead in the system. We suggest a detecting algorithm using changes in traffic patterns that appear during attacks. This algorithm can detect even mutant attacks that use a new port number or changed payload, while signature-based systems are not capable of detecting these types of attacks. Furthermore, the proposed algorithm can identify attacks that cannot be detected by examining only single packet information.

[1]  Jerry R. Hobbs,et al.  An algebraic approach to IP traceback , 2002, TSEC.

[2]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.

[3]  Jozef Baruník Diploma thesis , 1999 .

[4]  David K. Y. Yau,et al.  Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles , 2005, IEEE/ACM Transactions on Networking.

[5]  Stefan Savage,et al.  Inferring Internet denial-of-service activity , 2001, TOCS.

[6]  Alefiya Hussain,et al.  Effect of Malicious Traffic on the Network , 2003 .

[7]  Steven M. Bellovin,et al.  Implementing Pushback: Router-Based Defense Against DDoS Attacks , 2002, NDSS.

[8]  홍원기 The Architecture of NG-MON: A Passive Network Monitoring System , 2002 .

[9]  Mario Silva-Neto,et al.  Netflow services and applications , 2002 .

[10]  Alexander G. Tartakovsky,et al.  A novel approach to detection of \denial{of{service" attacks via adaptive sequential and batch{sequential change{point detection methods , 2001 .

[11]  David K. Y. Yau,et al.  Defending against distributed denial-of-service attacks with max-min fair server-centric router throttles , 2002, IEEE 2002 Tenth IEEE International Workshop on Quality of Service (Cat. No.02EX564).

[12]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[13]  Surasak Sanguanpong,et al.  A Rule-based Approach for Port Scanning Detection , 2000 .

[14]  Kotagiri Ramamohanarao,et al.  Proactively Detecting Distributed Denial of Service Attacks Using Source IP Address Monitoring , 2004, NETWORKING.

[15]  Anna R. Karlin,et al.  Practical network support for IP traceback , 2000, SIGCOMM.