  • DocumentCode
    1707192
  • Title
    Flow based observations from NETI@home and honeynet data
  • Author
    Grizzard, Julian B. ; Simpson, Charles R., Jr. ; Krasser, Sven ; Owen, Henry L. ; Riley, George F.
  • Author_Institution
    Sch. of Electr. & Comput. Eng., Georgia Inst. of Technol. Atlanta, USA
  • fYear
    2005
  • Firstpage
    244
  • Lastpage
    251
  • Abstract
    We conduct a flow based comparison of honeynet traffic, representing malicious traffic, and NETI@home traffic, representing typical end user traffic. We present a cumulative distribution function of the number of packets for a TCP flow and learn that a large portion of these flows in both datasets are failed and potentially malicious connection attempts. Next, we look at a histogram of TCP port activity over large time scales to gain insight into port scanning and worm activity. One key observation is that new worms can linger on for more than a year after the initial release date. Finally, we look at activity relative to the IP address space and observe that the sources of malicious traffic are spread across the allocated range.
  • Keywords
    Internet; invasive software; packet switching; telecommunication network routing; telecommunication security; telecommunication traffic; transport protocols; IP address; NETI@home data; NETI@home traffic; TCP flow; TCP port activity; computer worms; cumulative distribution function; end user traffic; flow based observations; honeynet data; honeynet traffic; malicious connection attempts; malicious traffic; packets; port scanning; worm activity; Computer worms; Distribution functions; Histograms; IP networks; Software packages; Space technology; Statistics; TCPIP; Telecommunication traffic
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Information Assurance Workshop, 2005. IAW '05. Proceedings from the Sixth Annual IEEE SMC
  • Print_ISBN
    0-7803-9290-6
  • Type
    conf
  • DOI
    10.1109/IAW.2005.1495959
  • Filename
    1495959