DocumentCode :
2882800
Title :
Anomalies in network traffic
Author :
Ratner, Alan S. ; Kelly, Patrick
Author_Institution :
Inf. Syst., Cyber Solutions Division, Northrop Grumman, Annapolis Junction, MD, USA
fYear :
2013
fDate :
4-7 June 2013
Firstpage :
206
Lastpage :
208
Abstract :
We report the results of a search for anomalies in network traffic. Our data set consisted of two billion packets collected over four days at the gateways of our large corporate network. Analysis of the distributions of the packet metadata fields (IP addresses, ports, time-to-live and packet length) revealed anomalous activity including IP scans, port scans and hybrid scans as well as coordinated and synchronous activity. Analysis of such large amounts of data can be onerous; the use of Apache Hadoop to implement reliable, scalable, distributed computing enabled us to perform our computations rapidly on a small cluster of servers.
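The abstract describes the method only at a high level: per-source distributions of destination address and port, measured with entropy, separate IP scans (one source, many destinations, one port), port scans (one source, one destination, many ports) and hybrid scans (many of both), while grouping by destination and time window exposes coordinated activity from many sources. The following is an added illustration, not code from the paper or from Northrop Grumman, and the sample gateway records, thresholds (20 packets, 3 bits of entropy, 10 s window, 8 sources) and address ranges are constructed assumptions chosen to make each case visible; the map/reduce split mirrors how such counting would be distributed under Hadoop but runs here in-process.

```python
"""Scan and coordinated-activity detection from packet-metadata distributions.

Added example, not the paper's code. Records are (timestamp_s, src_ip, dst_ip,
dst_port, ttl, length) as a gateway would log them; all values are constructed.
"""
from collections import defaultdict
from math import log2


def build_sample_records():
    """Constructed sample traffic: one benign flow, three scanners, one coordinated burst."""
    recs = []
    # Benign: one client talking to one HTTPS server.
    for i in range(30):
        recs.append((1000 + i, "10.0.0.5", "203.0.113.10", 443, 64, 1200))
    # IP scan: one source probes SSH on 40 internal hosts.
    for i in range(1, 41):
        recs.append((1000 + i, "198.51.100.7", f"10.0.0.{i}", 22, 52, 60))
    # Port scan: one source probes 50 ports on one host.
    for p in range(1, 51):
        recs.append((1000 + p, "198.51.100.9", "10.0.0.20", p, 52, 60))
    # Hybrid scan: a different host and a different port on every packet.
    for i in range(1, 26):
        recs.append((1000 + i, "198.51.100.11", f"10.0.0.{i}", 100 + i, 52, 60))
    # Coordinated activity: 12 distinct sources hit the same service within 3 seconds.
    for i in range(1, 13):
        recs.append((1000 + (i % 3), f"192.0.2.{i}", "10.0.0.50", 80, 48, 500))
    return recs


def entropy_bits(counts):
    """Shannon entropy (bits) of a histogram given as {value: count}."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * log2(c / total) for c in counts.values() if c)


def per_source_distributions(records):
    """Mapper/reducer in one step: key each packet by source, aggregate dst IP and port histograms."""
    stats = defaultdict(lambda: {"packets": 0,
                                 "dst_ips": defaultdict(int),
                                 "dst_ports": defaultdict(int)})
    for _ts, src, dst, port, _ttl, _length in records:
        s = stats[src]
        s["packets"] += 1
        s["dst_ips"][dst] += 1
        s["dst_ports"][port] += 1
    return stats


def classify_source(s, min_packets=20, min_entropy_bits=3.0):
    """Label one source from the spread of its destination IPs and ports.

    3 bits of entropy corresponds to at least 8 equally likely values; sources
    with too few packets are not judged, so a single connection attempt is never a scan.
    Assumed thresholds, not the paper's.
    """
    if s["packets"] < min_packets:
        return "normal"
    spread_ips = entropy_bits(s["dst_ips"]) >= min_entropy_bits
    spread_ports = entropy_bits(s["dst_ports"]) >= min_entropy_bits
    if spread_ips and spread_ports:
        return "hybrid scan"
    if spread_ips:
        return "ip scan"
    if spread_ports:
        return "port scan"
    return "normal"


def scan_report(records):
    """Return {src_ip: label} for every source that is not classified as normal."""
    report = {}
    for src, s in per_source_distributions(records).items():
        label = classify_source(s)
        if label != "normal":
            report[src] = label
    return report


def find_coordinated_targets(records, window_s=10, min_sources=8):
    """Group by (time bucket, dst IP, dst port); flag targets hit by many distinct sources at once."""
    buckets = defaultdict(set)
    for ts, src, dst, port, _ttl, _length in records:
        buckets[(ts // window_s, dst, port)].add(src)
    return {key: len(srcs) for key, srcs in buckets.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    recs = build_sample_records()
    for src, label in sorted(scan_report(recs).items()):
        print(f"{src:15} {label}")
    for (bucket, dst, port), n in find_coordinated_targets(recs).items():
        print(f"window {bucket}: {n} sources -> {dst}:{port}")
```

Entropy is preferred over a plain distinct-value count because it is insensitive to a scanner that revisits a few targets heavily and, being a single number per source, it summarises the distribution the paper analyses without retaining the full histogram. On real gateway data the TTL and packet-length histograms can be folded into the same per-source record; scan tools typically emit a fixed TTL and minimal packet length, which narrows those distributions while the destination distributions widen.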
Keywords :
IP networks; distributed processing; internetworking; intranets; public domain software; telecommunication traffic; Apache Hadoop; IP addresses; IP scans; anomalous activity; anomaly search; coordinated activity; corporate network; distributed computing; gateways; hybrid scans; network traffic; packet length; packet metadata field distribution analysis; port scans; scalable computing; server cluster; synchronous activity; time-to-live; Entropy; Internet; Logic gates; Ports (Computers); Hadoop; anomalous behavior; network defense;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Intelligence and Security Informatics (ISI), 2013 IEEE International Conference on
Conference_Location :
Seattle, WA
Print_ISBN :
978-1-4673-6214-6
Type :
conf
DOI :
10.1109/ISI.2013.6578820
Filename :
6578820