Analysis of TCP flow data for traffic anomaly and scan detection

Muraleedharan, Narendran

doi:10.1109/icon.2008.4772645

Cited by 9 publications

(4 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In port scanning, there are dozens of techniques that can be used by an attacker to verify open ports on the victim's server. As revealed by Muraleedharan [6], the most common port scanning techniques used are TCP SYN scan, TCP Connect scan, UDP scan and stealth scan. TCP SYN scan is the most commonly used because it does not establish a connection between the attacker and the victim's machine and is not logged by some of event tracking tools.…”

Section: Related Workmentioning

confidence: 99%

A Comparative Performance of Port Scanning Techniques

Roslan

2023

JSCDM

View full text Add to dashboard Cite

Cyberattack has its effect on businesses and private systems every day and it has risen tremendously. Port scanning is the first step taken by attackers before an attack is deployed. It is employed to identify the targeted host’s IP addresses, network devices and services running which later be used to determine the server locations and diagnose security levels of the victim by revealing the presence of security measures in place such as firewall between the server and the network devices. There have been several papers presenting the performance of port scanning techniques. However, the impact on host's performance has not yet been done. In this research, a comparative study of port scanning techniques is proposed to evaluate their impact on the scanned hosts performance using Zabbix. The goal of this research is to identify the difference of port scanning techniques and their strategies in probing the targeted host. Three scanning techniques are compared namely TCP SYN, TCP Connect and UDP scan. Several experiments have been conducted using NMAP, Unicornscan, Netcat, Apache2 web server and Zabbix running in virtual machine (VM) environment. Of the three port scanning techniques, TCP SYN scan has the least impact on the targeted scanned host with average response time of 0.69ms for a single scan and 0.421ms for 100 scans. UDP scan has the most impact on the targeted scanned host with average response time of 10.84ms for a single scan and 6.71ms for 100 scans.

show abstract

Section: Related Workmentioning

confidence: 99%

A Comparative Performance of Port Scanning Techniques

Roslan

2023

JSCDM

View full text Add to dashboard Cite

show abstract

“…Then we calculate the hosts' connection degree in these flows, and find that there are some hosts with connection degree more than 5000 in IPv4 traces, the maximum connection degree reaches above 7000. Those statistical characteristics as shown in Table 5 reveal those flows are generated by scanning-like attacks [37,38].…”

Section: Abnormal Behavior Detection Based On One-way Flow Analysismentioning

confidence: 99%

Exploring Flow Characteristics in IPv6: A Comparative Measurement Study with IPv4 for Traffic Monitoring

Li¹,

Qin²,

Guan³

2014

KSII TIIS

View full text Add to dashboard Cite

With the exhaustion of global IPv4 addresses, IPv6 technologies have attracted increasing attentions, and have been deployed widely. Meanwhile, new applications running over IPv6 networks will change the traditional traffic characteristics obtained from IPv4 networks. Traditional models obtained from IPv4 cannot be used for IPv6 network monitoring directly and there is a need to investigate those changes. In this paper, we explore the flow features of IPv6 traffic and compare its difference with that of IPv4 traffic from flow level. Firstly, we analyze the differences of the general flow statistical characteristics and users' behavior between IPv4 and IPv6 networks. We find that there are more elephant flows in IPv6, which is critical for traffic engineering. Secondly, we find that there exist many one-way flows both in the IPv4 and IPv6 traffic, which are important information sources for abnormal behavior detection. Finally, in light of the challenges of analyzing massive data of large-scale network monitoring, we propose a group flow model which can greatly reduce the number of flows while capturing the primary traffic features, and perform a comparative measurement analysis of group users' behavior dynamic characteristics. We find there are less sharp changes caused by abnormity compared with IPv4, which shows there are less large-scale malicious activities in IPv6 currently. All the evaluation experiments are carried out based on the traffic traces collected from the Northwest Regional Center of CERNET (China Education and Research Network), and the results reveal the detailed flow characteristics of IPv6, which are useful for traffic management and anomaly detection in IPv6.A preliminary version of this paper appeared in IEEE ICON 2012, December 12-14, Singapore. This version includes extended measurement and analysis works on one-way flows and group user's behavior characteristics.

show abstract

“…In our previous work on flow data analysis [16], we identified the behavior of flow data with respect to different transport layer protocol like TCP, UDP and ICMP. By using flow information different types of anomaly detection can be done.…”

Section: Related Workmentioning

confidence: 99%

A flow based anomaly detection system using chi-square technique

Muraleedharan

Parmar

Kumar

2010

2010 IEEE 2nd International Advance Computing Conference (IACC)

View full text Add to dashboard Cite

Various tools, which are capable to evade different security mechanisms like firewall, IDS and IPS, exist and that helps the intruders for sending malicious traffic to the network or system. So, inspection of malicious traffic and identification of anomalous activity is very much essential to stop future activity of intruders which can be a possible attack. In this paper we present a flow based system to detect anomalous activity by using IP flow characteristics with chi-square detection mechanism. This system provides solution to identify anomalous activities like scan and flood attack by means of automatic behavior analysis of the network traffic and also give detailed information of attacker, victim, type and time of the attack which can be used for corresponding defense. Anomaly Detection capability of the proposed system is compared with SNORT Intrusion detection system and results prove the very high detection rate of the system over SNORT for different scan and flood attack. The proposed system detects different stealth scan and malformed packets scan. Since the probability of using stealth scan in real attack is very high, this system can identify the real attacks in the initial stage itself and preventive action can be taken.

show abstract

Analysis of TCP flow data for traffic anomaly and scan detection

Cited by 9 publications

References 12 publications

A Comparative Performance of Port Scanning Techniques

A Comparative Performance of Port Scanning Techniques

Exploring Flow Characteristics in IPv6: A Comparative Measurement Study with IPv4 for Traffic Monitoring

A flow based anomaly detection system using chi-square technique

Contact Info

Product

Resources

About