Title :
Analysis of TCP flow data for traffic anomaly and scan detection
Author :
Muraleedharan, N.
Author_Institution :
Centre for Dev. of Adv. Comput., Bangalore, India
Abstract :
Scanning tools are commonly used by intruders to identify vulnerable hosts and applications in a network. From a security perspective, it is therefore important to detect scanning activity in a network so that an attack can be identified in its initial stage and its impact minimized. We concentrate on TCP flows because most Internet applications use TCP as their transport protocol. Traditionally, TCP scan detection relies either on the flag values in the TCP packet header or on statistical properties of connection parameters, such as the number of failed connection attempts. In this paper, we present a novel behaviour analysis of TCP traffic in which flow characteristics are used to identify anomalies and scanning activity against a network or host. The proposed method provides a generic solution for SYN (half-open) scans, connect scans, FIN scans, Xmas scans and null scans. Results obtained with our method demonstrate its detection capability and accuracy.
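The abstract contrasts header-flag detection with statistical connection properties and proposes working from flow characteristics instead. The following is an added illustration, written for this page and not the paper's own method or code: packet records are aggregated into bidirectional flows, each flow is labelled from the initiator's flag union, the responder's reply and the payload volume (SYN scan, connect scan, FIN, Xmas and null scan, as listed in the abstract), and a per-source threshold on distinct (destination, port) targets separates a scanner from a single legitimate failed connection. The classification rules, the `min_targets` threshold, the `Flow` record and all traffic are assumptions constructed for the example; the traffic is not a real capture.

```python
"""Added example: flow-level TCP scan classification over constructed packet records."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# TCP control bits, in header bit order.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class Flow:
    """Bidirectional flow summary; 'fwd' is initiator -> responder (assumed record layout)."""
    pkts_fwd: int = 0
    pkts_rev: int = 0
    bytes_fwd: int = 0   # payload bytes sent by the initiator
    flags_fwd: int = 0   # union of control bits sent by the initiator
    flags_rev: int = 0   # union of control bits sent by the responder

def build_flows(packets):
    """Aggregate (src, sport, dst, dport, flags, payload_len) records into flows.
    The first packet seen on a 4-tuple defines the initiator."""
    flows = {}
    for src, sport, dst, dport, flags, plen in packets:
        key, rkey = (src, sport, dst, dport), (dst, dport, src, sport)
        if rkey in flows:                        # reply direction
            f = flows[rkey]
            f.pkts_rev += 1
            f.flags_rev |= flags
        else:                                    # forward direction
            f = flows.setdefault(key, Flow())
            f.pkts_fwd += 1
            f.bytes_fwd += plen
            f.flags_fwd |= flags
    return flows

def classify_flow(f):
    """Label one flow (rules are this example's assumptions, not the paper's)."""
    fwd = f.flags_fwd
    if fwd == 0:
        return "null_scan"                       # probe with no control bits set
    if fwd == FIN | PSH | URG:
        return "xmas_scan"
    if fwd == FIN:
        return "fin_scan"                        # FIN without any handshake
    if fwd & SYN and not fwd & ACK:              # initiator never completed the handshake
        if f.flags_rev & SYN and f.flags_rev & ACK:
            return "syn_scan"                    # SYN/ACK answered by RST: half open
        return "failed_connect"                  # RST or silence; ambiguous on its own
    if fwd & SYN and fwd & ACK and f.bytes_fwd == 0 and fwd & (RST | FIN):
        return "connect_scan"                    # full handshake torn down without data
    return "normal"

def detect_scanners(flows, min_targets=5):
    """Per-source view: report a source whose suspicious flows touch at least
    min_targets distinct (dst, dport) pairs, with its per-label counts."""
    targets, labels = defaultdict(set), defaultdict(Counter)
    for (src, _sport, dst, dport), f in flows.items():
        label = classify_flow(f)
        if label != "normal":
            targets[src].add((dst, dport))
            labels[src][label] += 1
    return {src: dict(labels[src]) for src in targets if len(targets[src]) >= min_targets}

def probe(src, sport, dst, dport, fwd_flags, reply_flags):
    """Constructed single-probe exchange; reply_flags None means no answer."""
    pkts = [(src, sport, dst, dport, fwd_flags, 0)]
    if reply_flags is not None:
        pkts.append((dst, dport, src, sport, reply_flags, 0))
    return pkts

# --- constructed sample traffic (not a real capture) -------------------------
SCANNER, CONNECTOR, CLIENT, SERVER = "10.0.0.9", "10.0.0.7", "10.0.0.5", "192.168.1.10"
PACKETS = []
# Half-open SYN scan: open ports answer SYN/ACK and get a RST back; closed ports answer RST.
for i, (port, is_open) in enumerate([(22, True), (80, True), (443, False), (25, False), (3306, False)]):
    sport = 40000 + i
    if is_open:
        PACKETS += probe(SCANNER, sport, SERVER, port, SYN, SYN | ACK)
        PACKETS.append((SCANNER, sport, SERVER, port, RST, 0))
    else:
        PACKETS += probe(SCANNER, sport, SERVER, port, SYN, RST)
PACKETS += probe(SCANNER, 40010, SERVER, 139, FIN | PSH | URG, None)   # Xmas probe, no reply
PACKETS += probe(SCANNER, 40011, SERVER, 445, 0, None)                 # null probe, no reply
PACKETS += probe(SCANNER, 40012, SERVER, 21, FIN, RST)                 # FIN probe, closed port
# Connect scan: full handshake then RST with zero payload, against five ports.
for i, port in enumerate([22, 80, 443, 8080, 8443]):
    sport = 50000 + i
    PACKETS += probe(CONNECTOR, sport, SERVER, port, SYN, SYN | ACK)
    PACKETS.append((CONNECTOR, sport, SERVER, port, ACK, 0))
    PACKETS.append((CONNECTOR, sport, SERVER, port, RST, 0))
# Legitimate client: handshake, request data, graceful close.
PACKETS += probe(CLIENT, 60000, SERVER, 80, SYN, SYN | ACK)
PACKETS += [(CLIENT, 60000, SERVER, 80, ACK, 0), (CLIENT, 60000, SERVER, 80, PSH | ACK, 120),
            (SERVER, 80, CLIENT, 60000, PSH | ACK, 900), (CLIENT, 60000, SERVER, 80, FIN | ACK, 0),
            (SERVER, 80, CLIENT, 60000, FIN | ACK, 0)]

def run():
    return detect_scanners(build_flows(PACKETS))

if __name__ == "__main__":
    for src, counts in run().items():
        print(src, counts)
```

The per-flow label alone is not a verdict: a SYN answered by RST looks identical whether it is a closed-port probe or a user mistyping a port, which is why `failed_connect` is counted but only becomes evidence once one source has touched several distinct targets. Flag-union rules also miss scanners that randomize flags or spread probes over many source addresses; in practice the threshold and the time window over which flows are grouped need tuning against the monitored network's baseline.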
Keywords :
Internet; telecommunication security; telecommunication traffic; transport protocols; FIN scan; SYN scan; TCP flow data; TCP packet header; Xmas scan; behaviour analysis; connect scan; null scan; scan traffic detection; traffic anomaly; Cities and towns; Computer networks; Data flow computing; Data security; Level measurement; TCPIP; Telecommunication traffic; Transport protocols; Viruses (medical)
Conference_Titel :
Networks, 2008. ICON 2008. 16th IEEE International Conference on
Conference_Location :
New Delhi
Print_ISBN :
978-1-4244-3805-1
DOI :
10.1109/ICON.2008.4772645