DocumentCode
2592903
Title
Analysis of TCP flow data for traffic anomaly and scan detection
Author
Muraleedharan, N.
Author_Institution
Centre for Dev. of Adv. Comput., Bangalore, India
fYear
2008
fDate
12-14 Dec. 2008
Firstpage
1
Lastpage
4
Abstract
Scanning tools are commonly used by intruders to identify vulnerable hosts and applications in a network. So, from a security perspective, it is important to detect scanning activities in a network in order to identify an attack in its initial stage and to minimize its impact. We have mainly considered TCP flows because most Internet applications use TCP as their transport protocol. Traditionally, TCP scan traffic detection uses either the flag values in the TCP packet header or statistical properties of connection parameters, such as the number of failed connection attempts. In this paper, we present a novel behaviour analysis of TCP traffic in which, using flow characteristics, we identify anomalies and scan activities in a network or on a host. The proposed method provides a generic solution for SYN scan (half open), connect scan, FIN scan, Xmas scan and null scan. Results obtained from our method demonstrate its detection capabilities and accuracy.
Keywords
Internet; telecommunication security; telecommunication traffic; transport protocols; FIN scan; Internet; SYN scan; TCP flow data; TCP packet header; Xmas scan; behaviour analysis; connect scan; null scan; scan traffic detection; telecommunication security; traffic anomaly; transport protocols; Cities and towns; Computer networks; Data flow computing; Data security; Internet; Level measurement; TCPIP; Telecommunication traffic; Transport protocols; Viruses (medical);
fLanguage
English
Publisher
ieee
Conference_Titel
Networks, 2008. ICON 2008. 16th IEEE International Conference on
Conference_Location
New Delhi
ISSN
1556-6463
Print_ISBN
978-1-4244-3805-1
Type
conf
DOI
10.1109/ICON.2008.4772645
Filename
4772645