Abstract
In this paper we propose a methodology for detecting abnormal network traffic, such as worm attacks, based on observing the behaviour of the different elements at the network edges. To achieve this we propose a set of critical features and characterise the normal state of a site against them; for this purpose the characterisation must be built from traffic that is free of worm activity. Once the normal profile is established, an abnormal situation can be recognised when the observed behaviour, measured with the same features, differs significantly from the model. Our work is based on the NetFlow information generated by the main routers of the University of Zaragoza network, with more than 12,000 hosts. The proposed model characterises the whole corporate network, its sub-nets and the individual hosts. In our experimental tests the methodology proved effective on real infections caused by malware such as SpyBot and Agobot. Because it relies on behaviour rather than signatures, the system can detect new kinds of worms independently of the vulnerabilities or propagation methods they use.
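The abstract describes the method only in outline: pick per-entity features, learn a normal profile from worm-free windows, then flag an entity whose current features deviate significantly. The Python below is an added illustration of that loop and is not the chapter's code. Everything in it is an assumption made for the example: the five features (flow count, destination fan-out, port fan-out, share of single-packet flows, bytes per flow), the /24 grouping used for the sub-net level, the z-score decision rule with its spread floor, and all of the sample flows, which are constructed. The abstract does not list the paper's actual feature set or decision rule.

```python
"""Behavioural baseline and deviation scoring over NetFlow-style records.

Added example, not the chapter's code. The five features, the /24 subnet
key, the z-score rule and every sample flow below are assumptions made
for the illustration; the abstract does not give the paper's feature set.
"""
import math
from collections import defaultdict

FEATURES = ("flows", "dst_ips", "dst_ports", "one_pkt_ratio", "bytes_per_flow")


def flow(src, dst, dport, pkts, nbytes):
    """One NetFlow record reduced to the fields the features need."""
    return {"src": src, "dst": dst, "dport": dport, "pkts": pkts, "bytes": nbytes}


def host_key(f):
    return f["src"]


def subnet_key(f):
    """Aggregate by the source /24 (an assumed site addressing plan)."""
    return ".".join(f["src"].split(".")[:3]) + ".0/24"


def features_by_key(flows, key_fn=host_key):
    """Reduce one observation window (e.g. one minute of exports) to a
    feature vector per key. Destination fan-out and the share of
    single-packet flows are what a scanning worm inflates."""
    groups = defaultdict(list)
    for f in flows:
        groups[key_fn(f)].append(f)
    out = {}
    for key, fl in groups.items():
        n = len(fl)
        out[key] = {
            "flows": n,
            "dst_ips": len({f["dst"] for f in fl}),
            "dst_ports": len({f["dport"] for f in fl}),
            "one_pkt_ratio": sum(1 for f in fl if f["pkts"] == 1) / n,
            "bytes_per_flow": sum(f["bytes"] for f in fl) / n,
        }
    return out


class Baseline:
    """Per-key normal profile learnt from windows that must be free of worm
    traffic; score() flags keys whose current features deviate from it."""

    def __init__(self, key_fn=host_key):
        self.key_fn = key_fn
        self.samples = defaultdict(lambda: defaultdict(list))

    def learn(self, flows):
        for key, vec in features_by_key(flows, self.key_fn).items():
            for name in FEATURES:
                self.samples[key][name].append(vec[name])

    def _stats(self, key, name):
        xs = self.samples[key][name]
        mean = sum(xs) / len(xs)
        std = math.sqrt(sum((x - mean) ** 2 for x in xs) / len(xs))
        # A feature that was constant in training would give std == 0 and
        # flag any change at all; floor the spread at 10 % of the mean.
        return mean, max(std, 0.1 * abs(mean), 1e-3)

    def score(self, flows, threshold=3.0):
        """Return (flagged, unseen): flagged maps key -> {feature: z} for the
        features beyond the threshold; unseen lists keys with no profile."""
        flagged, unseen = {}, []
        for key, vec in features_by_key(flows, self.key_fn).items():
            if key not in self.samples:
                unseen.append(key)  # a new entity cannot be judged yet
                continue
            zs = {}
            for name in FEATURES:
                mean, std = self._stats(key, name)
                z = (vec[name] - mean) / std
                if abs(z) > threshold:
                    zs[name] = round(z, 1)
            if zs:
                flagged[key] = zs
        return flagged, unseen


def benign_window(i):
    """Constructed benign traffic for window i: two hosts browsing plus DNS."""
    fl = [flow("10.0.1.5", f"93.184.216.{j % 2}", 443, 12 + j, 9000 + 300 * j)
          for j in range(4 + i % 2)]
    fl.append(flow("10.0.1.5", "10.0.0.53", 53, 2, 180))
    fl += [flow("10.0.1.7", f"172.217.0.{j}", 80, 8 + i, 5000 + 100 * i)
           for j in range(3)]
    fl.append(flow("10.0.1.7", "10.0.0.53", 53, 2, 160))
    return fl


def scan_window():
    """Constructed window: 10.0.1.7 starts a scan-like fan-out (single-packet
    flows to many hosts on one port) and a never-seen host appears."""
    fl = benign_window(4)
    fl += [flow("10.0.1.7", f"10.0.3.{j + 1}", 445, 1, 48) for j in range(60)]
    fl.append(flow("10.0.2.9", "10.0.0.53", 53, 2, 150))
    return fl


def run_demo(key_fn=host_key):
    base = Baseline(key_fn)
    for i in range(4):          # four worm-free windows form the profile
        base.learn(benign_window(i))
    return base.score(scan_window())


if __name__ == "__main__":
    print(run_demo(host_key))    # 10.0.1.7 flagged, 10.0.2.9 unseen
    print(run_demo(subnet_key))  # 10.0.1.0/24 flagged, 10.0.2.0/24 unseen
```

Running it at host granularity flags 10.0.1.7 on flow count, destination fan-out and single-packet ratio while 10.0.1.5 stays inside its profile; switching the key function to subnet_key reproduces the same verdict one level up, which is the multi-level characterisation the abstract describes. Two caveats the example makes visible: an entity with no learnt profile (10.0.2.9 here) cannot be scored at all, and a feature that never varied in training needs a floor on its spread or any change becomes an alarm.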
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this chapter
Cite this chapter
Roche, V.P., Arronategui, U. (2009). Behavioural Characterization for Network Anomaly Detection. In: Gavrilova, M.L., Tan, C.J.K., Moreno, E.D. (eds) Transactions on Computational Science IV. Lecture Notes in Computer Science, vol 5430. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-01004-0_2
DOI: https://doi.org/10.1007/978-3-642-01004-0_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-01003-3
Online ISBN: 978-3-642-01004-0
eBook Packages: Computer Science (R0)