Behavioural Characterization for Network Anomaly Detection

  • Victor P. Roche
  • Unai Arronategui
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5430)


In this paper we propose a methodology for detecting abnormal traffic on the net, such as worm attacks, based on the observation of the behaviours of different elements at the network edges. In order to achieve this, we suggest a set of critical features and we judge normal site status based on these standards. For our goal this characterization must be free of virus traffic. Once this has been set, we would be able to find abnormal situations when the observed behaviour, set against the same features, is significantly different from the previous model. We have based our work on NetFlow information generated by the main routers in the University of Zaragoza network, with more than 12,000 hosts. The proposed model helps to characterize the whole corporate network, sub-nets and the individual hosts. This methodology has proved its effectiveness in real infections caused by viruses such as SpyBot, Agobot, etc in accordance with our experimental tests. This system would allow to detect new kind of worms, independently from the vulnerabilities or methods used for their propagation.


Intrusion Detection Anomaly Detection Infected Host Destination Port Abnormal Situation 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Caida: Cooperative association for internet data analysis,
  2. 2.
    Flow-tools: Tool set for working with netflow data,
  3. 3.
    Barford, P., Kline, J., Plonka, D., Ron, A.: A signal analysis of network traffic anomalies. In: ACM SIGCOMM Internet Measurement Workshop (2002)Google Scholar
  4. 4.
    Brauckhoff, D., Fiedler, U., Plattner, B.: Towards systematically evaluating flow-level anomaly detection mechanisms. In: Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2006), Tübingen, Germany (September 2006)Google Scholar
  5. 5.
    Brauckhoff, D., May, M., Plattner, B.: Flow-level anomaly detection - blessing or curse? In: IEEE INFOCOM 2007, Student Workshop, Anchorage, Alaska, USA (May 2007)Google Scholar
  6. 6.
    Brauckhoff, D., Wagner, A., May, M.: Flame: A flow-level anomaly modeling engine. In: Proceedings of CSET 2008 workshop, Usenix, San Jose, CA, USA (July 2008)Google Scholar
  7. 7.
    Dübendorfer, T., Plattner, B.: Host behaviour based early detection of worm outbreaks in internet backbones. In: WETICE - Security Technologies (STCA) Workshop (2005)Google Scholar
  8. 8.
    Dübendorfer, T., Wagner, A., Hossmann, T., Plattner, B.: Flow-level traffic analysis of the blaster and sobig worm outbreaks in an internet backbone. In: Julisch, K., Krügel, C. (eds.) DIMVA 2005. LNCS, vol. 3548, pp. 103–122. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  9. 9.
    Ellis, D.R., Aiken, J.G., Attwood, K.S., Tenaglia, S.D.: A behavioral approach to worm detection. In: ACM Workshop on Rapid Malcode WORM (2005)Google Scholar
  10. 10.
    Erman, J., Arlitt, M., Mahanti, A.: Traffic classification using clustering algorithms. In: MineNet 2006: Proceedings of the 2006 SIGCOMM workshop on Mining network data, pp. 281–286. ACM, New York (2006)CrossRefGoogle Scholar
  11. 11.
    Ertoz, L., Eilertson, E., Lazarevic, A., Tan, P.-N., Dokas, P., Kumar, V., Srivastava, J.: Minds,detection of novel network attacks using data mining. In: ICDM Workshop on Data Mining for Computer Security (DMSEC) (2003)Google Scholar
  12. 12.
    Gates, C., Becknel, D.: Host anomalies from network data. In: IEEE SMC Information Assurance Workshop (2005)Google Scholar
  13. 13.
    Gu, R., Hong, M., Wang, H., Ji, Y.: Fast traffic classification in high speed networks. In: Ma, Y., Choi, D., Ata, S. (eds.) APNOMS 2008. LNCS, vol. 5297, pp. 429–432. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  14. 14.
    S. Institute. Internet storm center,,
  15. 15.
    Karagiannis, T., Papagiannaki, K., Faloutsos, M.: Blinc: Multilevel traffic classification in the dark. In: Proceedings of ACM SIGCOMM, pp. 229–240 (2005)Google Scholar
  16. 16.
    Lakhina, A., Crovella, M., Diot, C.: Mining anomalies using traffic feature distributions. SIGCOMM Comput. Commun. Rev. 35(4), 217–228 (2005)CrossRefGoogle Scholar
  17. 17.
    Ma, J., Voelker, G.M., Savage, S.: Self-stopping worms. In: ACM Workshop on Rapid Malcode WORM (2005)Google Scholar
  18. 18.
    Moore, D., Shannon, C., Voelker, G.M., Savage, S.: Internet quarantine: Requirements for containing self-propagating code. In: INFOCOM (2003)Google Scholar
  19. 19.
    Münz, G., Carle, G.: Real-time analysis of flow data for network attack detection. In: Proceedings of IFIP/IEEE Symposium on Integrated Management (IM2007), Munich, Germany (May 2007)Google Scholar
  20. 20.
    Nickless, B., Navarro, J., Winkler, L.: Combining cisco netflow exports with relational database technology for usage statistics, intrusion detection, and network forensics. In: Proceedings of the Fourteenth Systems Administration Conference (LISA 2000), Berkeley, CA, December 3-8 2000, pp. 285–290. The USENIX Association (2000)Google Scholar
  21. 21.
    Noh, S., Lee, C., Ryu, K., Choi, K., Jung, G.: Detecting worm propagation using traffic concentration analysis and inductive learning. In: Yang, Z.R., Yin, H., Everson, R.M. (eds.) IDEAL 2004. LNCS, vol. 3177, pp. 402–408. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  22. 22.
    Park, B., Won, Y.J., Choi, M.-J., Kim, M.-S., Hong, J.W.: Empirical analysis of application-level traffic classification using supervised machine learning. In: Ma, Y., Choi, D., Ata, S. (eds.) APNOMS 2008. LNCS, vol. 5297, pp. 474–477. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  23. 23.
    Plattner, B., Wagner, A., Dübendorfer, T.: In search of a vaccine against distributed denial of service attacks (ddosvax) (2003)Google Scholar
  24. 24.
    Project, T.H.: The honeynet project & research alliance: Know your enemy: Tracking botnets. Technical report (March 13, 2004)Google Scholar
  25. 25.
    Singh, S., Estan, C., Varghese, G., Savage, S.: The earlybird system for real-time detection of unknown worms. In: ACM - Workshop on Hot Topics in Networks (HOTNETS) (2003)Google Scholar
  26. 26.
    Staniford, S., Paxson, V., Weaver, N.: How to 0wn the internet in your spare time (May 14, 2002)Google Scholar
  27. 27.
    Wagner, A., Plattner, B.: Entropy based worm and anomaly detection in fast ip networks. In: WETICE - Security Technologies (STCA) Workshop (2005)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Victor P. Roche
    • 1
  • Unai Arronategui
    • 1
  1. 1.University of ZaragozaSpain

Personalised recommendations