Abstract
Protecting network systems against novel attacks is a pressing problem. In this paper, we propose a new anomaly detection method based on inbound network traffic distributions. For this purpose, we first present the diverse distributions of TCP/IP protocol header fields at the border router of a real campus network, and then characterize those distributions when well-known denial-of-service (DoS) attacks are present. We show that the distributions give promising baselines for detecting network traffic anomalies. Moreover, we introduce the concept of entropy to transform the obtained distributions into a metric for declaring an anomaly. Our preliminary explorations indicate that the proposed method is effective at detecting several DoS attacks on the real network.
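The entropy-based detection idea described in the abstract, as an added illustration that is not the paper's own code or data: it computes the Shannon entropy of several TCP/IP header fields over a window of inbound packets, learns a baseline profile from a benign window, and flags fields whose entropy drifts from that baseline. The packet windows, the 0.5-bit deviation threshold, and the assumption that a SYN flood concentrates destination address and port while scattering spoofed sources are all constructed assumptions for this example, not measurements from the paper's campus trace.

```python
import math
import random
from collections import Counter

FIELDS = ("src", "dst", "dport", "flags")


def field_entropy(packets, field):
    """Shannon entropy (bits) of one header field over a packet window."""
    counts = Counter(p[field] for p in packets)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def entropy_profile(packets):
    """Per-field entropy vector used as the traffic-distribution metric."""
    return {f: field_entropy(packets, f) for f in FIELDS}


def detect_anomaly(profile, baseline, threshold=0.5):
    """Return {field: deviation} for fields whose entropy moved more than
    `threshold` bits from the baseline in either direction (assumed value)."""
    return {f: profile[f] - baseline[f] for f in baseline
            if abs(profile[f] - baseline[f]) > threshold}


def make_normal_window(rng, n=1000):
    """Constructed benign inbound mix: many clients, few servers and ports."""
    return [{"src": f"198.51.100.{rng.randrange(1, 255)}",
             "dst": f"192.0.2.{rng.randrange(1, 20)}",
             "dport": rng.choice([22, 25, 53, 80, 443, 993]),
             "flags": rng.choice(["S", "A", "PA", "FA"])} for _ in range(n)]


def make_attack_window(rng, n=1000, flood_share=0.7):
    """Constructed window during a SYN flood (assumed shape): spoofed random
    sources aimed at one victim host and port, mixed with residual benign traffic."""
    k = int(n * flood_share)
    flood = [{"src": ".".join(str(rng.randrange(1, 255)) for _ in range(4)),
              "dst": "192.0.2.5", "dport": 80, "flags": "S"} for _ in range(k)]
    return make_normal_window(rng, n - k) + flood


if __name__ == "__main__":
    rng = random.Random(7)
    baseline = entropy_profile(make_normal_window(rng))
    for name, window in (("normal", make_normal_window(rng)),
                         ("attack", make_attack_window(rng))):
        print(name, detect_anomaly(entropy_profile(window), baseline))
```

A benign window reports no deviations; the flood window shows destination address, port and flag entropy dropping while source address entropy rises, which is the kind of shift a border-router monitor would alert on.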
© 2008 Springer-Verlag Berlin Heidelberg
Cite this paper
Kang, K. (2008). Anomaly Detection of Hostile Traffic Based on Network Traffic Distributions. In: Vazão, T., Freire, M.M., Chong, I. (eds) Information Networking. Towards Ubiquitous Networking and Services. ICOIN 2007. Lecture Notes in Computer Science, vol 5200. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-89524-4_77
DOI: https://doi.org/10.1007/978-3-540-89524-4_77
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-89523-7
Online ISBN: 978-3-540-89524-4