Abstract
Network Address Translation (NAT) is a technique commonly employed in today's computer networks. NAT allows multiple devices to share, and hide behind, a single IP address. From a network management and security point of view, NAT may be undesirable or prohibited, because it lets rogue and unmanaged devices obtain network access without being individually visible. To detect rogue NAT devices, we propose a novel passive approach for the remote detection of source NAT, based on behavior statistics derived from NetFlow. The approach uses nine distinct features that can be derived directly from NetFlow records. It does not require IP address information and can operate on anonymous identifiers, which makes it privacy friendly. A 120-second sample of NetFlow records is sufficient to detect NAT traffic within that sample with a lower-bound accuracy of 89.35%, and the approach is capable of operating in real time.
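The abstract names three ingredients of the method: statistics computed from NetFlow records rather than from packets, a fixed 120-second sample, and anonymous source identifiers in place of IP addresses. The following is an added illustration of that feature-extraction stage, not the authors' code. The page does not list the nine features the paper uses, so the statistics below (flow count, peer and port diversity, source-port spread, peak number of simultaneously open flows, packet and octet averages) are my own plausible choices, the keyed-HMAC pseudonym is an assumed substitute for the address, and all flow records are constructed.

```python
"""Behaviour statistics from NetFlow-style records over 120-second windows,
keyed on anonymous source identifiers instead of IP addresses.

Added example, not the authors' code.  The page does not list the nine
features the paper uses, so the statistics below are my own illustrative
choices; the flow records are constructed."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 120                # sample length named in the abstract
PSEUDONYM_KEY = b"per-site-secret"  # assumption: a keyed pseudonym replaces the IP


@dataclass(frozen=True)
class Flow:
    start: float   # flow start time (seconds)
    end: float     # flow end time (seconds)
    src: str       # anonymous source identifier
    sport: int
    dst: str       # anonymous destination identifier
    dport: int
    proto: int
    packets: int
    octets: int


def pseudonymize(ip: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, one-way identifier: stable within one deployment, and the
    analyst only ever handles this string, never the address itself."""
    return hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def window_index(ts: float, window: int = WINDOW_SECONDS) -> int:
    """Which fixed-length sample a timestamp falls into."""
    return int(ts // window)


def max_concurrency(intervals) -> int:
    """Largest number of flows active at the same instant (sweep line;
    an end at time t is processed before a start at time t)."""
    events = sorted([(s, 1) for s, _ in intervals] + [(e, -1) for _, e in intervals])
    cur = best = 0
    for _, delta in events:
        cur += delta
        best = max(best, cur)
    return best


def extract_features(flows, window: int = WINDOW_SECONDS) -> dict:
    """Per (window, source-id) behaviour statistics computed purely from
    flow records; nothing here needs the real address."""
    groups = defaultdict(list)
    for f in flows:
        groups[(window_index(f.start, window), f.src)].append(f)
    feats = {}
    for key, fs in groups.items():
        sports = {f.sport for f in fs}
        pkts = sum(f.packets for f in fs)
        feats[key] = {
            "flows": len(fs),
            "distinct_dst": len({f.dst for f in fs}),
            "distinct_dport": len({f.dport for f in fs}),
            "distinct_sport": len(sports),
            "sport_span": max(sports) - min(sports),
            "max_concurrent": max_concurrency([(f.start, f.end) for f in fs]),
            "mean_pkts": pkts / len(fs),
            "octets_per_pkt": sum(f.octets for f in fs) / pkts,
            "protocols": len({f.proto for f in fs}),
        }
    return feats


def _flow(start, end, src_ip, sport, dst_ip, dport, proto, packets, octets) -> Flow:
    return Flow(start, end, pseudonymize(src_ip), sport, pseudonymize(dst_ip),
                dport, proto, packets, octets)


# Constructed records: one plain host, and one gateway whose flows are the
# interleaved activity of several machines behind it (source ports handed out
# from unrelated ranges, many peers, many flows open at once).
SINGLE_HOST = "10.0.0.5"
NAT_GATEWAY = "203.0.113.9"
SAMPLE_FLOWS = [
    _flow(1, 5, SINGLE_HOST, 50000, "198.51.100.10", 443, 6, 10, 5000),
    _flow(6, 9, SINGLE_HOST, 50001, "198.51.100.10", 443, 6, 8, 4000),
    _flow(12, 20, SINGLE_HOST, 50002, "198.51.100.20", 80, 6, 20, 12000),
    _flow(25, 26, SINGLE_HOST, 50003, "198.51.100.53", 53, 17, 2, 200),
    _flow(2, 40, NAT_GATEWAY, 1024, "198.51.100.10", 443, 6, 30, 18000),
    _flow(3, 30, NAT_GATEWAY, 40211, "198.51.100.30", 443, 6, 25, 20000),
    _flow(4, 10, NAT_GATEWAY, 61003, "198.51.100.20", 80, 6, 12, 9000),
    _flow(5, 50, NAT_GATEWAY, 1025, "198.51.100.40", 22, 6, 100, 33000),
    _flow(6, 7, NAT_GATEWAY, 40212, "198.51.100.53", 53, 17, 3, 200),
    _flow(8, 60, NAT_GATEWAY, 61004, "198.51.100.50", 5222, 6, 40, 8000),
    _flow(130, 135, NAT_GATEWAY, 1026, "198.51.100.10", 443, 6, 5, 2500),  # next window
]


if __name__ == "__main__":
    for (win, src), stats in sorted(extract_features(SAMPLE_FLOWS).items()):
        print(f"window {win} src {src}: {stats}")
```

On the constructed sample the gateway stands out on every axis (six peers, five flows open at once, source ports spread over most of the port range) while the single host shows sequential ports and one flow at a time. Statistics of this kind still have to be learned from labeled traffic rather than thresholded by hand: a port-preserving NAT, for instance, will not show the source-port scatter used here, and a busy single host can open many concurrent flows. The accuracy the abstract reports comes from the paper's own nine features and evaluation, which this page does not reproduce.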
© 2013 IFIP International Federation for Information Processing
Abt, S., Dietz, C., Baier, H., Petrović, S. (2013). Passive Remote Source NAT Detection Using Behavior Statistics Derived from NetFlow. In: Doyen, G., Waldburger, M., Čeleda, P., Sperotto, A., Stiller, B. (eds) Emerging Management Mechanisms for the Future Internet. AIMS 2013. Lecture Notes in Computer Science, vol 7943. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-38998-6_18
DOI: https://doi.org/10.1007/978-3-642-38998-6_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-38997-9
Online ISBN: 978-3-642-38998-6