IP agnostic real-time traffic filtering and host identification using TCP timestamps

Wicherski, Georg; Weingarten, Florian; Meyer, Ulrike

doi:10.1109/lcn.2013.6761302

Cited by 12 publications

(2 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For example, vulnerable services opened through port forwarding may enable attackers to conveniently access the internal network, and NATHs may be used as zombies for distributed denial of service (DDoS) attacks. When many NATHs are connected to the private network of an NATD, it is inconvenient for external hosts or systems to identify the malicious behaviors by any of these or the NATHs exhibiting such behaviors [2,3,18].…”

Section: Nat Overviewmentioning

confidence: 99%

See 1 more Smart Citation

Supervised Learning-Based Fast, Stealthy, and Active NAT Device Identification Using Port Response Patterns

et al. 2020

View full text Add to dashboard Cite

Although network address translation (NAT) provides various advantages, it may cause potential threats to network operations. For network administrators to operate networks effectively and securely, it may be necessary to verify whether an assigned IP address is using NAT or not. In this paper, we propose a supervised learning-based active NAT device (NATD) identification using port response patterns. The proposed model utilizes the asymmetric port response patterns between NATD and non-NATD. In addition, to reduce the time and to solve the security issue that supervised learning approaches exhibit, we propose a fast and stealthy NATD identification method. The proposed method can perform the identification remotely, unlike conventional methods that should operate in the same network as the targets. The experimental results demonstrate that the proposed method is effective, exhibiting a F1 score of over 90%. With the efficient features of the proposed methods, we recommend some practical use cases that can contribute to managing networks securely and effectively.

show abstract

Section: Nat Overviewmentioning

confidence: 99%

“…Moreover, a few of these can conduct malicious behaviors that can impair the Internet. Because the network administrator acknowledges this traffic to be originating from one IP address, if the administrator blocks the IP address exhibiting such malicious behavior, both abnormal and normal hosts behind the NATD will be damaged [3].…”

Section: Introductionmentioning

confidence: 99%