Network Anomaly Detection through Traffic Measurement
Yuming Jiang, Zhihua Jin, Atef Abdelkefi, Magnus Ask, Helge Skrautvol

Abstract

With the growth of the Internet, an increase in network anomalies is inevitable. The anomalies may be due to equipment failures, network misconfigurations, or attacks. The attacks can range from simple port scans to sophisticated DDoS attacks. To detect anomalies through traffic measurement, a number of approaches have been proposed. These approaches can generally be put into three categories, namely visualization based, behavior based, and traffic volume based approaches. This article provides an introduction to these categories of approaches, each with focus on a specific approach in the category.

Introduction

The Internet is becoming larger in size and faster in speed. Supported by technology development, the Internet extends wider and penetrates deeper into our lives. As a result, the amount of its traffic grows explosively, and the variety of network services increases rapidly as well. Such an enormous amount and complex composition of traffic poses a great challenge to network management. In addition, with the growth of the Internet, an increase in network anomalies has become inevitable. The anomalies may be due to equipment failures, network misconfigurations, or attacks. In networking, an event that deviates from the normal network behavior is considered a network anomaly. The attacks can range from simple port scans to sophisticated DDoS (distributed denial-of-service) attacks. These further increase the difficulty of network management.

In order to manage a network, the traffic going through it has to be well understood. To do so, the network traffic has to be measured and analyzed. For traffic measurement, there are two ways in general. One is to capture only the network properties of the traffic without the payload, by which the main traffic flow information is recorded.
The other is to capture all information of the traffic including the payload, basically the whole packets of the traffic of interest. Clearly, the latter can provide more information than the former for analysis. However, in practice, while packet based methods may be implemented in end systems, say for security protection, it is hard or indeed unrealistic to implement them in the network, due to legal issues and the huge cost of maintaining and analyzing the tremendous amount of measurement data. As a matter of fact, even for flow based methods, the resulting amount of traffic measurement data can still be huge. In this article, the focus is on flow-based traffic measurement. Specifically, NetFlow traffic measurement is considered.

For network anomaly detection through traffic measurement, many approaches have been proposed in the literature, which can be put into three categories. One is visualization based approaches, another is behavior based approaches, and the third is traffic volume based approaches. The purpose of this article is to provide an overview of these three categories of approaches. For each category, a representative approach is introduced. The content of this article is partially based on, and the figures are taken from, [1][2][3].

The structure of this article is as follows. Traffic measurement basics, particularly NetFlow traffic measurement, and network anomaly basics are first introduced in the next section. Then, the three categories of approaches are introduced together with a representative approach for each category. Discussion and summary are provided in the last section.

Figure 1. NetFlow architecture

Traffic Measurement and Network Anomaly Basics

NetFlow Traffic Measurement

NetFlow is a method and protocol, initially developed by Cisco and since evolved into an IETF standard called IP Flow Information Export (IPFIX), which captures IP packets passing an observation point in a network during a certain time interval and stores information on a per-flow basis. All packets belonging to a particular flow share a set of common properties, which will be interchangeably called attributes or features in this article. The values of some chosen packet attributes are used to distinguish a flow from the others, while other attribute values are aggregated to reflect the characteristics of a flow.

Figure 1 shows the architecture of NetFlow, which consists of three logical components, namely the NetFlow Exporter, Collector and Analyzer. A NetFlow exporter is a NetFlow-enabled router deployed at a certain observation point in the network. It captures passing packets, classifies them into flow records in its local cache, and exports the finished flow records to NetFlow collectors. A NetFlow collector is a server equipped with NetFlow collection software that provides a daemon service listening on the network. Whenever the flow records exported by the exporter arrive at the collector, the daemon program receives the records and stores them on disk. A NetFlow analyzer is usually a server with NetFlow analysis software installed. Such software converts the binary raw flow data into a human readable format. The software also provides analysis functionality, typically with a human-computer interface that allows the human user to make use of the data. Figure 1 shows the relationship between each component and their functionalities.
With NetFlow, when a new packet arrives, the Exporter router first determines whether it belongs to any of the current flow entries in the system. Typically, seven features are used to uniquely identify a flow, as depicted in Figure 2: the source address and port number, ingress interface, destination address and port number, network layer protocol and type of service (TOS). If the new packet does not belong to any existing flow, a new flow entry containing the values of the chosen properties of the packet is created. If the packet belongs to an existing flow entry, the router updates the measurement data for this flow. The measurement data include the accumulated traffic amount of this flow, in number of packets and in number of bytes. Note that the payload of the packet is not recorded in NetFlow data.
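As an added example (not NetFlow's or Cisco's own code), a minimal exporter-side flow cache in Python that behaves as described in this section: each packet header is keyed on the seven features listed above, matching entries accumulate packet and byte counters, and the two per-flow timers (interval since the previous packet, and total flow duration) mark an entry finished once they exceed a threshold. The timeout values, the packet field names and the arrival-driven timer check (rather than a background task) are assumptions.

```python
from dataclasses import dataclass

# Added example (not NetFlow's own code): an exporter-side flow cache keyed on the
# seven NetFlow flow-identification features, with packet/byte counters and the two
# per-flow timers. The threshold values below are assumptions for illustration.
INACTIVE_TIMEOUT_MS = 15_000   # max interval between consecutive packets of a flow
ACTIVE_TIMEOUT_MS = 60_000     # max total duration before the entry is cut off

# Order of the seven features in a flow key (Figure 2 of the article).
KEY_FIELDS = ("src_addr", "src_port", "in_iface", "dst_addr", "dst_port", "proto", "tos")


@dataclass
class FlowEntry:
    key: tuple
    first_seen: int      # timestamp (ms) of the first packet in the flow
    last_seen: int       # timestamp (ms) of the latest packet in the flow
    packets: int = 0
    octets: int = 0

    def record(self) -> dict:
        """Finished entry in the shape a collector would store: only the key
        features, the accumulated counters and the start/end timestamps."""
        rec = dict(zip(KEY_FIELDS, self.key))
        rec.update(packets=self.packets, octets=self.octets,
                   start_ms=self.first_seen, end_ms=self.last_seen)
        return rec


class FlowCache:
    def __init__(self):
        self.active = {}     # key -> FlowEntry for flows still being counted
        self.exported = []   # finished flow records, in export order

    def observe(self, pkt: dict) -> None:
        """Classify one packet header into the cache (the payload is never read)."""
        key = tuple(pkt[f] for f in KEY_FIELDS)
        now = pkt["ts_ms"]
        entry = self.active.get(key)
        if entry is not None and (now - entry.last_seen > INACTIVE_TIMEOUT_MS
                                  or now - entry.first_seen > ACTIVE_TIMEOUT_MS):
            # A timer expired: export the old entry even though the transmission
            # is still going on, then start a fresh entry for the same key.
            self._expire(key)
            entry = None
        if entry is None:
            entry = FlowEntry(key=key, first_seen=now, last_seen=now)
            self.active[key] = entry
        entry.packets += 1
        entry.octets += pkt["length"]
        entry.last_seen = now

    def _expire(self, key: tuple) -> None:
        self.exported.append(self.active.pop(key).record())

    def flush(self) -> list:
        """Expire every remaining entry, e.g. at the end of a measurement window."""
        for key in list(self.active):
            self._expire(key)
        return self.exported


def demo_records() -> list:
    """Run a few constructed packet headers through the cache and return the
    exported flow records. Addresses are from private/documentation ranges."""
    def pkt(ts, src, sport, dst, dport, proto, length, iface=1, tos=0):
        return dict(ts_ms=ts, src_addr=src, src_port=sport, in_iface=iface,
                    dst_addr=dst, dst_port=dport, proto=proto, tos=tos,
                    length=length, payload=b"ignored by the cache")
    packets = [
        pkt(0,      "10.0.0.1", 40000, "192.0.2.10", 80, 6,  60),    # TCP flow A
        pkt(100,    "10.0.0.1", 40000, "192.0.2.10", 80, 6,  1500),
        pkt(200,    "10.0.0.3", 53000, "192.0.2.53", 53, 17, 80),    # UDP flow B
        pkt(20_000, "10.0.0.1", 40000, "192.0.2.10", 80, 6,  60),    # A again: gap > 15 s
        pkt(20_100, "10.0.0.1", 40000, "192.0.2.10", 80, 6,  100),
    ]
    cache = FlowCache()
    for p in packets:
        cache.observe(p)
    return cache.flush()
```

The 20-second gap in flow A exceeds the inactive timer, so the cache exports two records for the same seven-tuple, which is why a single long connection can appear as several NetFlow records.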
Figure 2. Flow identification

In addition to packet and byte counting, NetFlow has two time counters for each flow entry. One records the time interval between the current packet and the previous packet, and the other records the total duration of the flow. Once either reaches a pre-defined threshold, the flow entry is marked as finished, even if the actual transmission within the flow is still active. While a NetFlow record can contain a wide variety of information about the traffic in a given flow, it commonly includes the seven features mentioned above, the number of bytes and packets observed in the flow, and timestamps for the flow start and finish time, in milliseconds.

Network Anomalies

A network anomaly is often a sudden and short-lived deviation from the normal operation of the network. While some anomalies are simply caused by accidents related to network equipment or link failures, others are caused by malicious intrusions. In this article, we focus on the latter category of network anomalies, which has several types. To facilitate the discussion, we first review the concept of a botnet.

A botnet is a network comprised of compromised computers called bots, which are controlled by other computers in the network. Those controlling computers, which are called command and control (C&C) servers or simply controllers, use certain network communication links to send commands to the bots. The corresponding communication links are called C&C links. The controllers are in direct contact with the bots. Due to this, they may expose themselves too much and easily get caught. Thus, normally, the controllers are also compromised computers rather than the real bot herder. Figure 3 shows a basic botnet architecture, where the number of controllers can be more than one and can even be organized in several layers in order to hide the bot herder better.

Characterized as stealthy, organized and profit-driven, botnets are capable of performing various malicious tasks, from sending spam to operating large phishing systems. Botnets, as collections of organized compromised computers in the network, may perform almost all typical kinds of malicious activities.
Figure 3. Basic botnet architecture

Like any criminal organization, the malicious tasks performed by botnets typically have four stages: reconnaissance, propagation, communication, and finally attack. Each stage involves certain malicious activities, such as scanning for reconnaissance, spam relay and malware distribution for propagation, C&C links for communication, and finally causing DoS for attack. In the following, we review several such anomalies.

Scanning: Scanning is the activity in which scanners, i.e. computers connected to the network, try to find potentially vulnerable computers on the network that could be further exploited. Usually the number of scanners is much smaller than the number of victims for cost-efficiency reasons, and the time duration of scanning is short. In general there are two basic types of scanning. One targets IP addresses and the other targets port numbers in TCP or UDP headers. IP address based scans, also known as IP sweeps, attempt to find vulnerable computers within a network block. Such scans often result in traffic flows with very few different source IP addresses but many different destination IP addresses within the network block. Port scans, i.e. port number based scans, attempt to find vulnerable services, or TCP/UDP ports, open on targeted computers. They leave their main traces in traffic flows characterized by very few different source IP addresses but many different destination port numbers. In addition, other properties of the flows are usually the same or very similar. Port sweeps are similar to IP sweeps or port scans. While all of them scan multiple hosts or targeted IP addresses, a port sweep only scans for a specific listening TCP/UDP port.

DoS / DDoS: A DoS attack is the activity in which attackers, which are also computers connected to the network, try to exhaust the computer resources or network bandwidth of a targeted victim system, in order to prevent it from providing services to legitimate users.
The resulting effect of a DoS attack mainly depends on its impact on the target and its similarity to legitimate traffic. In other words, it generally gathers as many attackers as possible to send a large enough amount of legitimate-looking service requests to the targets per time unit in order to exhaust their capacities. Effective DoS attacks usually lead to traffic flows with many different source IP addresses but only very few different destination IP addresses. For this reason, they are called Distributed DoS (DDoS) attacks. In addition, as with scanning, other properties of the flows are usually the same or very similar.

Flash Crowds: A flash crowd is very similar to DDoS. It is characterized by an unusually high amount of traffic from a set of IPs. Contrary to DDoS, however, a flash crowd is not the result of malicious activity. With the rise of social network sites and websites where users can share interesting hyperlinks with each other, there are situations where people from all over the world access a particular site during the same time interval. This effect can cause websites to load very slowly or even go down entirely. A flash crowd differs from DDoS in the number of different IPs observed in the anomaly. While a botnet used for DDoS attacks can be of a very large size, it is normally eclipsed by the sheer number of IPs present in a flash crowd.

C&C Link: C&C links are not harmful threats by themselves unless they are exploited to organize the bots to perform malicious activities. Via the C&C links, hundreds of thousands of bots form a powerful army under the control of bot herders. Without such C&C links, the bots can do little. In addition, the C&C link is the key to tracing back to both the controllers and the bots, which is the first step in cleaning up the infected computers in order to diminish the scale of botnets and mitigate the effect of their attacks. Therefore, C&C links are considered the weakest part of botnets. Most of the time, a C&C link is used for the following tasks. First, the bots need it to update their malware in order to perform specific malicious activities. Second, the controllers need it for sending keep-alive signals to keep in touch with their bots. Third, the controllers need it to send specific commands to their bots in order to launch the intended malicious activities. The first two tasks imply a somewhat periodic traffic pattern, by which C&C links may be detected.

Visualization Based Approaches

In general, human beings have very special perception capabilities which are far beyond the performance of any state-of-the-art artificial intelligence (AI) algorithm in discovering patterns. On the other hand, the major advantage of computers over human beings is their high speed in executing pre-defined computational tasks. Combining the discovery capability of human beings and the fast computing capability of computers, we can build a problem solving system.
The system is comprised of the computer and the human user. In network anomaly detection, the computer generates visual images of the NetFlow measurement data for the human user to discover malicious activities hidden in the data. In each analysis cycle the human user gives feedback to the computer in order to get more desirable visual images that lead a step forward towards the objective.

Figure 4. Reference model of visualization

Figure 4 depicts the processing flow of the computer and the perceptual flow of the human being, illustrating a reference model of visualization. Starting from the raw data, the computer first dumps the raw data into a data table, where each row may represent a data record and each column a property of the data record. Any data that can be converted to such a form of data table is called table data, as is the NetFlow data in our case. The data table can also be acquired indirectly by applying pre-processing to the raw data. For example, linear transformations such as the fast Fourier transform (FFT), dimension reduction methods such as principal component analysis (PCA), clustering algorithms such as multidimensional scaling (MDS), or other semantic procedures that convert the raw data into data tables may be used. Then, the records in the data table are mapped visually to some visual structures such as points, lines, areas, etc., and finally rendered to views displayed on an output device such as a monitor.

The perceptual flow of the human being in the right box can be divided into two parts: the vision input through the eyes, and the mental perceptual processing of the brain. Since the eyes are the only interface to take in the views, the faithfulness of the conversion from the real world view to a mental view becomes critical. After this first step, the human brain takes over further perception according to the reference model of visualization. If the views are carefully designed, the performance can be optimized.

In the literature, a number of visualization systems for network anomaly detection exist. As an example of the visualization based approach, Figure 5 shows the temporal pattern of destination IP addresses in a measurement dataset, illustrated by a scatter plot where the y-axis represents destination IP addresses (das) and the x-axis represents the start times (ts) of new flows during the measurement windows. The scatter plot is further rainbow-brushed by source IP address (sas): flows coming from different source IP addresses are brushed with different colors. A preliminary observation from Figure 5 is that the data points in general form lines in the plot. Horizontal lines suggest that many flows go to a single IP address, which is a common characteristic of a server.
Vertical lines indicate that during a very short period of time many flows go to many IP addresses, which is one important characteristic of scanning traffic and worth more examination. In addition, as can be easily observed, the data points forming each vertical line are of the same color, which suggests that a single host or a small group of hosts is sending flows towards many other hosts at the same time. After confirming that the flows forming the vertical lines come from very few hosts, the remaining basic characteristic is the similarity of their payloads. Indeed, instead of rainbow brushing by sas, rainbow brushing by bpp (bytes per packet) has also been conducted, which shows a consistent color for the data points forming each vertical line, suggesting nearly identical payloads in each such flow. Given the nature of scanning, and aided by these visualizations, we can say that those vertical lines are IP-sweep scans. In addition, because the thick diagonal line lasts for a longer time period, it can be identified as an IP based creepy-crawly scan.

Behavior Based Approaches

Analyzing packet header fields is another approach to network anomaly detection. Most anomalies, despite their diversity, induce a change in the distributions of traffic features. For example, a scan implies a dispersed distribution for destination addresses, as shown in Figure 5, and a skewed distribution for destination ports, concentrated on the port being scanned. In essence, this technique exploits the fact that anomalies can be treated as events that disturb the distribution of traffic features.
Figure 5. Scatter plot - das vs ts with rainbow brushing by bpp

Table 1 lists the traffic feature distributions that are typically affected by a certain type of anomaly. Behavior based analysis has two key benefits. One is the detection of anomalies that might be hidden in the traffic volume. Another is that the impact on traffic feature distributions reveals information about the structure of the anomaly.

Table 1. Traffic feature distributions affected

Anomaly      Definition                                                                 Traffic feature distributions affected
Flash Crowd  Unusual burst of traffic to a single destination, from a set of sources    Destination address, destination port
DDoS         Large amount of traffic to one destination from lots of sources            Destination address, source address
Port Scan    Probes to many destination ports on a small set of destination addresses   Destination address, destination port
Port Sweep   Scanning for open ports to find vulnerable hosts in a network block        Destination address, destination port

Several behavior based approaches exist, which exploit the behavioral differences between benign and anomalous traffic. Some of them analyze connection states, while others analyze behavioral features within a packet/flow. Different techniques are often proposed and developed in order to detect different types of anomalies. A commonly used idea is that, within each measurement window or time bin, some statistical measures on the traffic feature distributions are analyzed. Based on the analysis and the nature of a certain type of anomaly, a detection decision is then made. In particular, scan detection has taken the simple form of counting the number of events within a defined time interval. If this number is greater or lower than a certain pre-defined threshold, an anomaly is considered detected, and the type of the anomaly is determined from the nature of this type of anomaly. For example, in detecting scans, the connection attempt pattern of each source is analyzed. The intuition is that a scan accesses a wide range of destination IP addresses or ports compared to normal behavior. If either the ratio between the number of destination IP addresses and the number of destination ports, or the ratio between the number of destination ports and the number of destination IP addresses, is much larger than one, then the source is considered a scanner.

In general, however, it is known that a traffic feature distribution can be high-dimensional. Due to this, classical time series techniques are sometimes difficult to apply directly to such distributions. To deal with this challenge, it has been proposed to use the concept of entropy. Entropy is a measure of uncertainty. It is a powerful mathematical tool that can give a compact representation of a traffic feature distribution. Specifically, let X denote a random variable representing the distribution of values of a specific traffic feature. X can take n outcomes $\{x_i : i = 1, \dots, n\}$. The entropy of this random variable is defined as follows, where $p(x_i)$ denotes the probability of $x_i$:

$$H(X) = -\sum_{i=1}^{n} p(x_i) \log p(x_i)$$

To quantitatively compare entropy values across time, the normalized entropy is used, which is defined as:

For each of the traffic features used in the analysis, the probabilities $p(x_i)$, $i = 1, \dots, n$, are estimated by the number of occurrences of each outcome divided by the total number of outcomes in an observed measurement window. Let us take the destination IP address as the traffic feature as an example. Then, within a certain measurement time bin, the total number of distinct destination addresses observed in the time bin is found, which is n.
In addition, for each distinct destination address $x_i$, its probability $p(x_i)$ is estimated by:

To exemplify the use of the entropy based technique, Figure 6 illustrates entropy curves of five selected traffic features, namely destination address, destination port, source address, source port, and flow size distribution, during a period where simulated scans were injected into a measured network. The y-axis corresponds to the entropy of each traffic feature distribution and the x-axis to the moment in time. The dotted lines in the xy-plane correspond to the times when the port scans were injected. Figure 6 shows that the scans are visually clear from the entropy curves. However, when looking at the impact on the different traffic feature distributions, one can see clear differences. The port scans have a greater impact on the source address entropy and source port entropy than on the other three features. While this may seem to contradict what is listed in Table 1, it is due to the configuration of the injected port scan. The software used in simulating scans only scans the first thousand ports, which does not introduce a significant concentration or dispersion of the most used ports. This is the reason why the destination port entropy remains stable for a longer time. In addition, the simulated port scan only introduced about 250 destination addresses to the network. This is insignificant in comparison to the total number of destination addresses that can be observed in the measured network. In consequence, the destination address distribution was not affected to the same degree as the source address and source port distributions were.
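As an added example, not from the article or [2], the entropy analysis of this section applied to constructed flow records in Python: normalized entropy is computed per time bin for source address, source port, destination address and destination port, and the per-source destination-address/destination-port ratio heuristic described above is applied. Normalizing by log n, the ratio threshold of 10, and the constructed flows (a port scan from one host injected into the middle bin) are assumptions.

```python
import math
from collections import Counter, defaultdict

# Added example (not the article's or [2]'s code). Flow records are constructed
# tuples: (time_bin, src_addr, src_port, dst_addr, dst_port). Bins 0 and 2 hold
# ordinary client/server traffic; bin 1 additionally holds a port scan from one
# host against one target, loosely in the spirit of the injected scans of Figure 6.
FEATURE_INDEX = {"src_addr": 1, "src_port": 2, "dst_addr": 3, "dst_port": 4}


def make_flows() -> list:
    flows = []
    for b in (0, 1, 2):
        for i in range(4):                      # four clients per bin
            client = f"10.0.0.{i + 1}"
            for k in range(4):                  # 3 flows to :80, 1 flow to :443
                dst, dport = ("192.0.2.1", 80) if k < 3 else ("192.0.2.2", 443)
                flows.append((b, client, 40000 + 10 * i + k, dst, dport))
        if b == 1:                              # scanner: 40 ports on one host
            for p in range(1, 41):
                flows.append((b, "10.0.0.9", 50000 + p, "192.0.2.7", p))
    return flows


def normalized_entropy(values) -> float:
    """Entropy of the empirical distribution of `values`, divided by log(n) where
    n is the number of distinct outcomes (assumed normalization): 0 when every
    value is the same, 1 when all distinct values occur equally often."""
    counts = Counter(values)
    n = len(counts)
    if n <= 1:
        return 0.0
    total = sum(counts.values())
    h = -sum((c / total) * math.log(c / total) for c in counts.values())
    return h / math.log(n)


def entropy_series(flows) -> dict:
    """Per time bin, the normalized entropy of each traffic feature distribution."""
    by_bin = defaultdict(list)
    for f in flows:
        by_bin[f[0]].append(f)
    return {b: {name: normalized_entropy(f[idx] for f in recs)
                for name, idx in FEATURE_INDEX.items()}
            for b, recs in sorted(by_bin.items())}


def scan_suspects(flows, ratio_threshold: float = 10.0) -> set:
    """Ratio heuristic from the article: a source whose count of distinct
    destination ports divided by its count of distinct destination addresses
    (or the inverse ratio) is much larger than one is treated as a scanner.
    The threshold value is an assumption."""
    dsts, ports = defaultdict(set), defaultdict(set)
    for _, src, _, dst, dport in flows:
        dsts[src].add(dst)
        ports[src].add(dport)
    return {src for src in dsts
            if max(len(ports[src]) / len(dsts[src]),
                   len(dsts[src]) / len(ports[src])) >= ratio_threshold}


if __name__ == "__main__":
    flows = make_flows()
    for b, feats in entropy_series(flows).items():
        print(b, {k: round(v, 3) for k, v in feats.items()})
    print("scan suspects:", scan_suspects(flows))
```

In the constructed data the scanning bin lowers the source-address and destination-address entropies (one source and one target dominate) and raises the destination-port entropy (40 new ports), which is the kind of per-feature signature Table 1 and Figure 6 are about.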
Figure 6. Entropy (normalized) curves during a period with injected port scans

An implication of Figure 6 is that, while Table 1 provides an overview of different types of anomalies and their affected traffic features, using information from the table needs care, as discussed above. In particular, the nature of a port scan needs to be carefully analyzed. As visualized in Figure 6, the indication of a port scan can be seen in the entropy values for source address and source port, not destination port and destination address as suggested by the literature, e.g. Table 1.

Volume Based Approaches

A traffic volume metric essentially relates to the number of flows, the number of packets, or the number of bytes that are sent across the measurement point in the network. The volume metric can normally be extracted easily from the (NetFlow) measurement data. Such extraction is performed depending on the wanted level of aggregation. Normally, three aggregation levels are considered. One is the router level, where the total numbers of flows / packets / bytes that pass by the router are extracted. Another is the link level, where such numbers are extracted for a link. The third is the flow level, where each flow is identified by the chosen features as shown in Figure 2. With NetFlow, flow level packet and byte volume metrics are immediately found in the NetFlow records, if the chosen features are the same as those used in the NetFlow configuration.

Volume based techniques allow one to see the basic traffic behavior in the network. As an example, Figure 7 illustrates (or visualizes) how the number of packets, measured in time intervals of fixed length, changes over time. An abrupt change (i.e. either an increase or a decrease in volume) in one of these metrics might lead to the conclusion that a volume anomaly occurred. A volume metric can be used as a parameter in a statistical detection system that derives a model from normal network behavior and detects deviations from the normal profile.
Statistical techniques have been applied to detect volume based anomalies. Among these, Principal Component Analysis (PCA) is a representative one, for three reasons compared to other methods. First, the meaning of PCA is relatively intuitive: it tries to find an orientation in the high-dimensional space along which the data should be projected. Second, the algorithm for PCA is systematic and can be carried out very efficiently by a computer; it is considered one of the fastest multidimensional reduction methods. Third, PCA has been used for over a century since its invention in 1901 by Karl Pearson. As one of the most popular exploratory data analysis methods, it has proven reliable in finding the principal components of the data under three main assumptions. First, the data is a linear composition of certain basis vectors. Second, the data has Gaussian properties, in which statistical characteristics such as mean and covariance are sufficient to depict the data. Third, large variances carry the important dynamics.

Figure 7. An example of packet count over time

A foundation of PCA is that it seeks the best rank-k estimate E of a data matrix X by solving:

$$\min_{E} \|X - E\|_2 \quad \text{subject to } \operatorname{rank}(E) \le k$$

where $\|\cdot\|_2$ denotes the $l_2$-norm. It is worth highlighting that here the rank k has to be known a priori. However, this requirement can hardly be met in real network environments. In addition, the problem is a least squares problem. It is well known that, while least squares gives optimal results in the presence of Gaussian noise (e.g., low and medium intensity attacks), it has been proven to be very sensitive to outliers (known as high intensity attacks). This is mainly because it is an $l_2$-norm fitting problem, which leads to the low-rank subspace poisoning phenomenon. This phenomenon describes the deviation of the principal components from the true distribution of the data towards even a low fraction of outliers. As a consequence, shifted principal components lead to a perturbation in the low-rank subspace, resulting in inaccurate detection and high false positive rates. Another finding concerning the PCA sensitivity is that it stems from the inability of PCA to capture temporal correlations. Based on this finding, an extension of PCA to the Kalman-Loeve expansion (KLE) has been proposed.
In order to make the detection robust to the poisoning phenomenon and free of the a priori requirement on the calibration setting, another approach, called principal component pursuit (PCP), has been considered. A key idea behind PCP is that the real traffic data, X, includes an unknown fraction of normal traffic, N, while the remaining fraction is corrupted by different types of anomalies, A. Since normal traffic is known to be low rank and anomalies to be temporally localized, or sparse in time, an anomaly detector aims to decompose the observed traffic data into these two components and essentially to solve:

$$\min_{N,A} \|A\|_0 \quad \text{subject to } \operatorname{rank}(N) \le k,\; N + A = X$$

This optimization problem is however NP-hard. Based on recent advances in convex optimization theory, it has been proven that the nuclear norm, i.e. the sum of singular values, exactly recovers the low rank component, while the $l_1$ norm, i.e. the sum of absolute values, exactly recovers the sparse component with a remarkable robustness to outliers in comparison to the $l_2$ norm. Accordingly, the above optimization problem can be solved using the Principal Component Pursuit defined as:

$$\min_{N,A} \|N\|_* + \lambda \|A\|_1 \quad \text{subject to } N + A = X$$

where X denotes the traffic data, $\|N\|_*$ denotes the nuclear norm of the normal traffic matrix N and $\lambda$ is a weighting parameter. The term $\|A\|_1$ is the PCP residual. This new optimization problem is convex, and different solvers are available, such as the Augmented Lagrange Multiplier (ALM) solver. In addition, while one might expect that the scalar $\lambda$ has to be properly chosen to balance the two terms, the literature has suggested a value of the scalar which has been tested to provide appealing performance, making the detection free of tuning parameters.

Figure 8. Receiver operating characteristic (ROC) curves of PCA, KLE and PCP

To demonstrate the performance of PCA and KLE versus PCP-based anomaly detection, Figure 8 is presented. It is clear from the figure that PCP has better performance. In particular, PCP reaches a stable 100 % detection rate at a false alarm rate of 21 %, compared to a 61 % detection rate for PCA and 55 % for KLE at the same false positive rate, on the considered measurement dataset.

Discussion and Summary

Extensive research has been conducted in the past few years to find effective and well functioning anomaly detection approaches. These approaches can generally be put into three categories, namely visualization based, behavior based, and traffic volume based approaches. In this article, these categories have been briefly discussed, each with a specific approach introduced. A distinguishing property of visualization based approaches is that they enable us to directly see abnormal network activities in the network.
The discussion in this article indicates that, with suitable visualization techniques, it is possible to distinguish network anomalies from massive background traffic by using visual patterns to which the human visual perception system is sensitive and which it can thus process efficiently. In addition, visualization has indeed also been (implicitly) used in the other two categories of approaches, e.g. in Figures 6-8. Conversely, the analytical techniques used in behavior or volume based approaches may be adopted in visualization based approaches for pre-attentive processing, so that the detected anomalies are easily recognized by human perception. A drawback of visualization based approaches is the high demand on domain knowledge, e.g. of network anomalies, their behaviors, their impact on the measurement data and the interpretation of a visualized view of the results, in addition to a deep understanding of the visualization techniques and their use.
Behavior based approaches are typically built upon analyzing traffic feature distributions. One of the main reasons for making use of entropy is its ability to give a compact representation of distributional changes, capturing a distributional change in a single value. An entropy time series makes the changes over time visible. In addition, by investigating such entropy time series for related traffic features, the type of the detected anomaly may be further decided. While the entropy based approach has been shown to be a good option for anomaly detection, its applicability is highly affected by how much of the total traffic is due to network anomalies. In fact, the entropy curves in Figure 6 were produced with a very high thinning factor for the normal traffic, that is, a significant part of the normal traffic was excluded from the entropy calculation [2]. This implies that for backbone networks, where the traffic is huge and the anomaly traffic ratio is relatively low, careful investigation is needed before applying the entropy based approach.

The most direct volume based approaches, which are based solely on packet / byte / flow counts as in Figure 7, have been shown to be successful in isolating traffic changes. Usually, this requires that the amount of anomaly traffic is significant. However, there are many network scenarios where a large number of anomalies only generate small amounts of traffic compared to the total traffic volume in the network. In addition, if the ratio of anomaly traffic decreases below some threshold, such direct volume based approaches will no longer be effective, just as for the entropy based approach discussed above. To this end, PCA has been introduced to anomaly detection through traffic measurement. The PCA approach not only provides dimension reduction but also works well in scenarios where significant traffic volume is less visible.
In addition, to cope with the sensitivity of PCA to the anomalies themselves, which can contaminate the estimated normal subspace, the PCP approach has been introduced to network anomaly detection, and recent results show appealing performance of PCP in this role [3]. Note that PCA and its variants are based on matrix analysis: traffic records over time are arranged so that implicit traffic volume patterns can be extracted, forming the principal components, or normal subspace, that decouple the traffic into a normal and an abnormal part. This implies that PCA or PCP analysis is not done independently for each measurement time bin, as most behavior based and direct volume based approaches are. Consequently, on-line, real-time application of the PCA and PCP approaches to anomaly detection is not straightforward.

In summary, the three categories of network anomaly detection approaches discussed here each have their advantages and disadvantages. For different purposes, e.g. on-line or off-line analysis, different approaches may be preferred, and combining some of the approaches can bring additional benefit to anomaly detection.

References

[1] Zhihua Jin. Visualization of Network Traffic to Detect Malicious Network Activity. Master thesis, Department of Telematics, NTNU, July (supervised by Yuming Jiang).
[2] Magnus Ask and Helge Skrautvol. Internet Attack Simulation: Empirical Evaluation of the Entropy Boundaries for Network Anomaly Detection. Project report, Department of Telematics, NTNU, January (supervised by Yuming Jiang and Atef Abdelkefi).
[3] Atef Abdelkefi, Yuming Jiang, Wei Wang, Arne Aslebo, and Olav Kvittem. Robust Traffic Anomaly Detection with Principal Component Pursuit. ACM CoNEXT Student Workshop, Nov 2010.