
Detecting Traffic Anomalies through aggregate analysis of packet header data

Continuing the theme of improved large-scale detection methods and signal processing, this paper presents a way to detect traffic anomalies, including those caused by worm traffic.

If efficient network analysis tools were available, it could become possible to detect attacks and anomalies and to take appropriate action to contain the attacks. In this paper, we suggest a technique for traffic anomaly detection based on analyzing the correlation of destination IP addresses in outgoing traffic at an egress router. This address correlation data is transformed through a discrete wavelet transform for effective detection of anomalies through statistical analysis. Our techniques can be employed for postmortem and real-time analysis of outgoing network traffic at a campus edge. Results from trace-driven evaluation suggest that the proposed approach could provide an effective means of detecting anomalies close to the network. We also present data analyzing the correlation of port numbers as a means of detecting anomalies.

Source: Detecting Traffic Anomalies through aggregate analysis of packet header data, by Seong Soo Kim, A. L. Narasimha Reddy, and Marina Vannucci.
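To make the abstract's pipeline concrete, here is an added example (not code from the paper or its authors) that builds a destination-address correlation signal over successive sampling intervals, takes a level-1 Haar wavelet detail of it, and flags intervals whose detail coefficient is an outlier against a clean baseline. The traffic is constructed, and cosine similarity of per-interval address histograms plus a shift-invariant Haar detail are simplifying assumptions standing in for the paper's exact correlation and DWT formulation.

```python
"""Address-correlation signal + Haar detail outlier check (added example)."""
import math
from collections import Counter


def address_correlation(prev, curr):
    """Cosine similarity of two destination histograms (Counters).
    Repeated destinations score near 1; an interval that sprays many
    never-seen addresses (typical of a scanning worm) pulls it down."""
    dot = sum(prev.get(addr, 0) * n for addr, n in curr.items())
    norm = math.sqrt(sum(v * v for v in prev.values())) * \
        math.sqrt(sum(v * v for v in curr.values()))
    return dot / norm if norm else 0.0


def haar_detail(signal):
    """Shift-invariant level-1 Haar detail: scaled difference of adjacent
    samples, so a step change appears as one large coefficient wherever
    it falls (the decimated DWT can straddle a step between pairs)."""
    root2 = math.sqrt(2)
    return [(signal[i] - signal[i + 1]) / root2 for i in range(len(signal) - 1)]


def constructed_traffic(n_normal=8, n_scan=4, scan_hosts=10000):
    """Constructed sample: one histogram per interval. Normal intervals hit
    ten internal servers with a mild deterministic load wobble; scan
    intervals add `scan_hosts` fresh destinations on top of that traffic."""
    servers = [f"192.0.2.{j}" for j in range(10)]
    base = [50, 40, 30, 20, 10, 10, 10, 5, 5, 5]
    hists = []
    for i in range(n_normal + n_scan):
        h = Counter(dict(zip(servers, base)))
        h[servers[0]] += (0, 5, 2)[i % 3]            # load wobble on one server
        if i >= n_normal:                            # scan: unique addresses per interval
            h.update(f"10.{i}.{k // 256}.{k % 256}" for k in range(scan_hosts))
        hists.append(h)
    return hists


def detect(hists, baseline=8, k=4.0):
    """Indices of intervals whose arrival produced an outlying detail
    coefficient. The first `baseline` intervals are assumed attack-free and
    set a robust (median/MAD) threshold; detail i spans intervals i..i+2."""
    signal = [address_correlation(hists[i], hists[i + 1]) for i in range(len(hists) - 1)]
    d = haar_detail(signal)
    train = sorted(d[:max(baseline - 2, 1)])
    med = train[len(train) // 2]
    mad = sorted(abs(x - med) for x in train)[len(train) // 2]
    sigma = max(1.4826 * mad, 1e-4)                  # floor guards a flat baseline
    return [i + 2 for i, x in enumerate(d) if abs(x - med) > k * sigma]


if __name__ == "__main__":
    print("anomalous intervals:", detect(constructed_traffic()))
```

With the constructed traffic the first flagged interval is 8, the first one carrying scan traffic, while a run over the eight normal intervals alone flags nothing.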

September 3, 2005 in detection, papers
