
Behavioural Characterization for Network Anomaly Detection

Chapter in: Transactions on Computational Science IV

Part of the book series: Lecture Notes in Computer Science (TCOMPUTATSCIE, volume 5430)

Abstract

In this paper we propose a methodology for detecting abnormal traffic on the network, such as worm attacks, based on observing the behaviour of different elements at the network edges. To achieve this, we suggest a set of critical features and use them to characterize the normal status of a site. For our purposes this characterization must be built from traffic that is free of virus activity. Once the model is established, abnormal situations can be found whenever the observed behaviour, measured on the same features, differs significantly from the previous model. Our work is based on NetFlow information generated by the main routers of the University of Zaragoza network, which has more than 12,000 hosts. The proposed model characterizes the whole corporate network, its sub-nets and the individual hosts. In our experimental tests this methodology has proved effective against real infections caused by viruses such as SpyBot, Agobot, etc. The system would allow new kinds of worms to be detected, independently of the vulnerabilities or methods used for their propagation.
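The abstract describes the approach only in outline: pick behavioural features, build a per-host (and per-subnet) profile from NetFlow data captured while the network is known to be clean, then flag any entity whose current behaviour deviates significantly from its own profile. The following Python is an added example illustrating that pipeline; it is not the authors' code and does not reproduce their feature set. The features (flow count, distinct destination hosts, distinct destination ports, packets per flow), the z-score comparison, the `Flow` record layout and the sample traffic are all assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Callable, Dict, Iterable, List, Tuple


# Stand-in for a NetFlow record as exported by a router (field set assumed).
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: int      # 6 = TCP, 17 = UDP
    packets: int
    octets: int


def by_host(f: Flow) -> str:
    return f.src


def by_subnet24(f: Flow) -> str:
    # Aggregates hosts into their /24 so a whole sub-net can be profiled at once.
    return f.src.rsplit(".", 1)[0] + ".0/24"


def entity_features(flows: Iterable[Flow], key: Callable[[Flow], str] = by_host) -> Dict[str, Dict[str, float]]:
    """Behavioural features of each entity (host or subnet) for one observation window.
    This feature set is an assumption of the example, not the paper's."""
    groups: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        groups[key(f)].append(f)
    return {
        ent: {
            "flows": float(len(fl)),
            "dst_hosts": float(len({f.dst for f in fl})),
            "dst_ports": float(len({f.dport for f in fl})),
            "pkts_per_flow": sum(f.packets for f in fl) / len(fl),
        }
        for ent, fl in groups.items()
    }


def build_baseline(clean_windows: List[List[Flow]], key=by_host) -> Dict[str, Dict[str, Tuple[float, float]]]:
    """Mean and standard deviation of every feature, per entity, over windows
    known to be free of infection. An entity absent from a window contributes no sample."""
    samples: Dict[str, Dict[str, List[float]]] = defaultdict(lambda: defaultdict(list))
    for window in clean_windows:
        for ent, feats in entity_features(window, key).items():
            for name, value in feats.items():
                samples[ent][name].append(value)
    return {ent: {n: (mean(v), pstdev(v)) for n, v in feats.items()} for ent, feats in samples.items()}


def score_window(window: List[Flow], baseline, key=by_host, threshold: float = 3.0, min_sigma: float = 1.0):
    """Return {entity: (worst_feature, z)} for entities deviating more than `threshold`
    standard deviations from their own profile. `min_sigma` floors the deviation so a
    perfectly stable baseline cannot produce an infinite z-score."""
    alerts = {}
    for ent, feats in entity_features(window, key).items():
        if ent not in baseline:
            continue  # no profile yet; in practice such entities need separate handling
        worst = None
        for name, value in feats.items():
            mu, sigma = baseline[ent][name]
            z = (value - mu) / max(sigma, min_sigma)
            if worst is None or z > worst[1]:
                worst = (name, z)
        if worst is not None and worst[1] > threshold:
            alerts[ent] = worst
    return alerts


def clean_window(seed: int) -> List[Flow]:
    # Constructed sample: one host browsing a handful of web servers, one host sending mail.
    flows = [Flow("10.1.2.10", f"93.184.216.{i}", 443 if i % 2 else 80, 6, 12 + i, 9000)
             for i in range(5 + seed % 3)]
    flows += [Flow("10.1.2.11", "10.1.0.25", 25, 6, 20, 15000) for _ in range(3)]
    return flows


def infected_window() -> List[Flow]:
    # Constructed sample: the browsing host additionally emits one-packet flows to 200
    # distinct internal addresses on one port, the fan-out pattern typical of a scanning worm.
    flows = clean_window(0)
    flows += [Flow("10.1.2.10", f"10.1.3.{i + 1}", 445, 6, 1, 48) for i in range(200)]
    return flows


if __name__ == "__main__":
    clean = [clean_window(s) for s in range(10)]
    print("hosts:  ", score_window(infected_window(), build_baseline(clean)))
    print("subnets:", score_window(infected_window(), build_baseline(clean, by_subnet24), by_subnet24))
```

The profile is per entity, so the same host that is "normal" at 6 flows per window is flagged at 205, while a busy mail relay with a naturally high flow count is judged only against its own history. Running the block prints an alert for `10.1.2.10` (and for `10.1.2.0/24` at subnet granularity) and nothing for the mail host.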




© 2009 Springer-Verlag Berlin Heidelberg

About this chapter

Cite this chapter

Roche, V.P., Arronategui, U. (2009). Behavioural Characterization for Network Anomaly Detection. In: Gavrilova, M.L., Tan, C.J.K., Moreno, E.D. (eds) Transactions on Computational Science IV. Lecture Notes in Computer Science, vol 5430. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01004-0_2


  • DOI: https://doi.org/10.1007/978-3-642-01004-0_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-01003-3

  • Online ISBN: 978-3-642-01004-0

  • eBook Packages: Computer Science (R0)
