THE frequent attacks on network infrastructure, using various forms of denial of service (DoS) attacks and worms, have led to an increased need for developing techniques for analyzing and monitoring network traffic. If efficient analysis tools were available, it could become possible to detect the attacks, anomalies and take action to suppress them before they have had much time to propagate across the network. In this paper, we study the possibilities of traffic-analysis based mechanisms for attack and anomaly detection. The motivation for this work came from a need to reduce the likelihood that an attacker may hijack the campus machines to stage an attack on a third party. A campus may want to prevent or limit misuse of its machines in staging attacks, and possibly limit the liability from such attacks. In particular, we study the utility of observing packet header data of outgoing traffic, such as destination addresses, port numbers and the number of flows, in order to detect attacks/anomalies originating from the campus at the edge of a campus. Detecting anomalies/attacks close to the source allows us to limit the potential damage close to the attacking machines. Traffic monitoring close to the source may enable the network operator quicker identification of potential anomalies and allow better control of administrative domain’s resources. Attack propagation could be slowed through early detection. Our approach passively monitors network traffic at regular intervals and analyzes it to find any abnormalities in the aggregated traffic. By observing the traffic and correlating it to previous states of traffic, it may be possible to see whether the current traffic is behaving in a similar (i.e., correlated) manner. The network traffic could look different because of flash crowds, changing access patterns, infrastructure problems such as router failures, and DoS attacks. In the case of bandwidth attacks, the usage of network may be increased and abnormalities may show up in traffic volume. Flash crowds could be observed through sudden increase in traffic volume to a single destination. Sudden increase of traffic on a certain port could signify the onset of an anomaly such as worm propagation. Our approach relies on analyzing packet header data in order to provide indications of Possible abnormalities in the traffic.

Tags :
Your rating: None Average: 4.5 (2 votes)