Title :
Detection of Attackers in Services Using Anomalous Host Behavior Based on Traffic Flow Statistics
Author :
Sawaya, Yukiko ; Kubota, Ayumu ; Miyake, Yutaka
Author_Institution :
KDDI R&D Labs., Inc., Fujimino, Japan
Abstract :
Flow-based attacker detection is a common way to detect malicious hosts at a router on a high-traffic network with limited computing resources. The most challenging aspect is detecting attackers that traverse well-known ports such as TCP ports 21, 25, 80, 443, etc. Although various methods have been studied, they cannot accurately detect such attackers. We propose a new flow-based attacker detection method that achieves a high detection rate using traffic flow statistics obtained by NetFlow, sFlow, etc. The proposed method focuses on a characteristic of attackers: they send flows to both the object port and generally closed ports in the global network. Our method accurately identifies hosts sending flows to the object port as attackers, without any deep packet inspection. We evaluated our method using actually collected NetFlow data. The results show that it detects 90.0% of attackers, with few misidentifications of legitimate hosts.
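The core idea of the abstract, as an added illustration that is not the paper's own code: over exported flow records, flag a source host as an attacker only when it sends flows to the object (service) port and also to destinations on ports that are generally closed. The record fields, the object port (25) and the set of generally closed ports are assumptions chosen for the example, not values from the paper.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal flow record in the spirit of a NetFlow/sFlow export (fields assumed)."""
    src: str
    dst: str
    dport: int
    packets: int


# Assumed parameters: the service port under observation and the ports treated
# as "generally closed" in the global network (illustrative, not from the paper).
OBJECT_PORT = 25
GENERALLY_CLOSED_PORTS = {135, 139, 445, 1433, 3306}

# Constructed sample flows (documentation ranges, not real traffic).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "203.0.113.10", 25, 12),    # to the object port
    Flow("198.51.100.7", "203.0.113.11", 445, 1),    # and to generally closed ports
    Flow("198.51.100.7", "203.0.113.12", 1433, 1),
    Flow("192.0.2.33", "203.0.113.10", 25, 40),      # legitimate mail client
    Flow("192.0.2.33", "203.0.113.10", 443, 9),      # open port, not closed
    Flow("192.0.2.80", "203.0.113.11", 445, 1),      # closed port only, no object port
]


def detect_attackers(flows, object_port=OBJECT_PORT,
                     closed_ports=GENERALLY_CLOSED_PORTS, min_closed_dsts=1):
    """Return source hosts that sent flows to `object_port` AND to at least
    `min_closed_dsts` distinct destinations on generally closed ports."""
    to_object = set()
    closed_dsts = defaultdict(set)   # src -> distinct dsts hit on closed ports
    for f in flows:
        if f.dport == object_port:
            to_object.add(f.src)
        elif f.dport in closed_ports:
            closed_dsts[f.src].add(f.dst)
    return {src for src in to_object
            if len(closed_dsts.get(src, ())) >= min_closed_dsts}


if __name__ == "__main__":
    print(sorted(detect_attackers(SAMPLE_FLOWS)))   # ['198.51.100.7']
```

Raising `min_closed_dsts` trades detection rate for fewer misidentified legitimate hosts, the same balance the abstract reports.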
Keywords :
computer network security; statistical analysis; telecommunication traffic; NetFlow; TCP ports; anomalous host behavior; deep packet inspection; flow-based service attacker detection method; high-traffic network router; malicious host detection; sFlow; traffic flow statistics; Accuracy; Band pass filters; Computer crime; Feature extraction; IP networks; Postal services; Servers; DDoS attack; NetFlow; botnet; flow-based attacker detection; spam mail sending hosts;
Conference_Titel :
Applications and the Internet (SAINT), 2011 IEEE/IPSJ 11th International Symposium on
Conference_Location :
Munich, Bavaria
Print_ISBN :
978-1-4577-0531-1
Electronic_ISBN :
978-0-7695-4423-6
DOI :
10.1109/SAINT.2011.68