Detection of Attackers in Services Using Anomalous Host Behavior Based on Traffic Flow Statistics

Flow-based attacker detection is a common way to detect malicious hosts at a router on a high-traffic network with limited computing resources. The most challenging case is detecting attackers whose traffic uses well-known ports such as TCP ports 21, 25, 80 and 443. Although various methods have been studied, they cannot accurately detect such attackers. We propose a new flow-based attacker detection method that achieves a high detection rate using traffic flow statistics exported by NetFlow, sFlow, etc. The proposed method focuses on a characteristic of attackers: they send flows both to the object port (the port of the service under observation) and to ports that are generally closed in the global network. Our method accurately identifies hosts sending flows to the object port as attackers, without any deep packet inspection. We evaluated our method using actually collected NetFlow data. The results show that it detects 90.0% of attackers, with few misidentifications of legitimate hosts.
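The following is an added example, not the paper's implementation, of the detection rule the abstract describes: per-source statistics are folded from unidirectional flow records, and a source is flagged only when it sends flows both to the object port and to at least one port that is generally closed on the monitored network. The record format, the sample flows (TEST-NET addresses), the object port 80, the set of "generally closed" ports and the `min_closed_ports` threshold are all assumptions made for the example.

```python
# Added example (not the paper's code): the flow-based attacker heuristic
# from the abstract. A source host that sends flows both to the monitored
# service port ("object port") and to ports that are generally closed on
# the monitored network is flagged. No packet payload is inspected.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HostStats:
    """Per-source-host counters derived from unidirectional flow records."""
    object_port_flows: int = 0
    closed_port_flows: int = 0
    closed_ports: set = field(default_factory=set)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: src,dst,proto,dport,packets,bytes."""
    src, dst, proto, dport, pkts, nbytes = line.strip().split(",")
    return {"src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "packets": int(pkts), "bytes": int(nbytes)}


def aggregate(lines, object_port: int, closed_ports: set) -> dict:
    """Fold flow records into per-source statistics."""
    stats = defaultdict(HostStats)
    for line in lines:
        if not line.strip():
            continue
        f = parse_flow(line)
        h = stats[f["src"]]
        if f["dport"] == object_port:
            h.object_port_flows += 1
        elif f["dport"] in closed_ports:
            h.closed_port_flows += 1
            h.closed_ports.add(f["dport"])
    return stats


def classify(stats: dict, min_closed_ports: int = 1) -> list:
    """Attacker = touched the object port AND >= min_closed_ports distinct
    closed ports. Hosts that only touch the object port (ordinary clients)
    and hosts that never touch it are left alone."""
    return sorted(src for src, h in stats.items()
                  if h.object_port_flows > 0
                  and len(h.closed_ports) >= min_closed_ports)


# Constructed sample export (TEST-NET addresses, not real traffic).
SAMPLE_FLOWS = """\
192.0.2.10,203.0.113.5,tcp,80,12,5400
192.0.2.10,203.0.113.5,tcp,80,9,4100
192.0.2.10,203.0.113.5,tcp,443,20,9800
192.0.2.77,203.0.113.5,tcp,80,3,180
192.0.2.77,203.0.113.5,tcp,23,1,60
192.0.2.77,203.0.113.5,tcp,445,1,60
192.0.2.77,203.0.113.5,tcp,1433,1,60
192.0.2.99,203.0.113.5,tcp,3389,2,120
""".splitlines()

# Assumed configuration: ports the monitored network never serves, so a
# legitimate client of the object port has no reason to send flows to them.
CLOSED_PORTS = {23, 135, 139, 445, 1433, 3389}
OBJECT_PORT = 80


def detect(lines=SAMPLE_FLOWS, object_port=OBJECT_PORT,
           closed_ports=CLOSED_PORTS, min_closed_ports=1) -> list:
    """Run aggregation and classification over a flow export."""
    return classify(aggregate(lines, object_port, closed_ports), min_closed_ports)


if __name__ == "__main__":
    print("flagged:", detect())  # flagged: ['192.0.2.77']
```

In the sample, 192.0.2.10 only uses the served ports and is not flagged; 192.0.2.99 probes a closed port but never the object port, so this rule does not classify it (it targets hosts that do reach the service); 192.0.2.77 reaches port 80 and three closed ports and is flagged. Raising `min_closed_ports` trades recall for fewer misidentifications, which is the balance the abstract's 90.0% detection figure reflects.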
