1 / 12

Towards Flow-based Abnormal Network Traffic Detection

Towards Flow-based Abnormal Network Traffic Detection. Hun-Jeong Kang, Seung-Hwa Chung, Seong-Cheol Hong, Myung-Sup Kim and James W. Hong DP&NM Lab. Dept. of Computer Science and Engineering Pohang University of Science and Technology

knox
Download Presentation

Towards Flow-based Abnormal Network Traffic Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Towards Flow-based Abnormal Network Traffic Detection Hun-Jeong Kang, Seung-Hwa Chung, Seong-Cheol Hong, Myung-Sup Kim and James W. Hong DP&NM Lab. Dept. of Computer Science and Engineering Pohang University of Science and Technology Email: {bluewind, mannam, pluto80, mount, jwkhong}@postech.ac.kr

  2. Introduction • Motivation : network security attack threats • increase of the number of Internet user & Network services highly dependent on Internet • high damage cost by network security attack • Attack Trend : increase of indirect attacks • indirectly interfere with proper working of system • danger factors • ease of attack, fast impact on target system • difficulty tracing back to attacker • effect on entire network performance • Flow-based Abnormal Network Traffic Detection • characterize network attack traffic patterns • propose detecting algorithms and a system prototype

  3. Related Work • Network Security Attacks • Scanning : preparation for attacks • send scanning packets to the victim & receive responses gather information on the host and services • DoS : cause improper services • logic attack • send packets exploiting software flaws  malfunction in the system • examples: Ping of Death, Land • flooding • transmit a lot of spurious packets to victim  waste of CPU, memory, network resource • examples: TCP SYN flood, reflecting DoS(Smurf, Fraggle, Ping-Pong) general ( ICMP, UDP, TCP) flooding • previous detecting approaches • monitor : • patterns that appears in a packet header or payload • volume of traffic the victim receives • number of new IP addresses that appear

  4. flow alarm Overall Process Detecting Process (1/5) • 2 detecting parts • flow header detection • validate fields of flow header • detect logic attacks or attacks with specific field value • traffic pattern detection • generate traffic pattern data • compare traffic parameter with attack patterns • detect scanning and flooding attacks flow header detection traffic pattern data generation traffic pattern detection Detecting Process

  5. Detection of Flow Header Detecting Process (2/5) Flow Header L : Large S: Small echo request destination IP= broadcast smurf ICMP flow size/packet count is too high ping-of-death packet count = L, flow size= L ICMP flooding source IP = destination IP source port=destination port land transportprotocol TCP packet count = L, flow size= L TCP flooding destination port= reflecting port ping-pong source port= reflecting port UDP fraggle destination IP=broadcast packet count = L, flow size= L UDP flooding

  6. Characterization of Traffic Pattern Detecting Process (3/5) L : Large S : Small

  7. flow messages Generation of Traffic Pattern Data Detecting Process (4/5) trafficpattern data (source based) hash(sourceIP) … hash(destination IP) … traffic pattern data (destination based) n(flow) n(S_IP) n(D_port) n(S_port) p(proto) n(SYN) n(ACK) sum(flow size)avg(flow size) dev(flow size) sum(n_packet) avg(n_packet) dev(n_packet)

  8. Detection of Traffic Pattern Detecting Process (5/5) • Detecting Function • match traffic pattern data with attack type L : Large S : Small destination based n(D_port) = L n(S_IP) = S hostscanning n(flow) = Lavg(flow size) = S avg(n_packet) = S TCP SYN flood n(D_port) = Sn(ACK)/n(SYN) = S sum(n_packet) = Lsum(flow size)= L (ICMP,UDP,TCP) flooding source based n(flow) = Lavg(flow size) = S avg(n_packet) = S n(D_IP) = L n(D_port) = S networkscanning sum(n_packet) = Lsum(flow size)= L (ICMP,UDP,TCP) flooding

  9. Analysis Result t3 t1 t2 t3 t1 t2 t3 t1 t2 (a) total bandwidth (b) number of flows (c) number of source address t3 t3 t3 t1 t2 t1 t2 t1 t2 (d) total packet count (e) detecting function for Scanning (f) detecting function for TCP SYN

  10. System Design Flow Generationof NG-MON Flow Store Packet Capturer Flow Generator Network Device flow messages TrafficDetection TrafficPatternDataGenerator TrafficPatternDetector FlowHeaderDetector detected traffic information Presenter Web Server Report Generator (email, SMS, log) WebUser Interface

  11. Conclusion and Future Work • Abnormal Network Traffic Detection Method • efficiency : use and process information on flows • simplicity : detecting function based on traffic pattern data that covers mutant attacks • accuracy : use of various traffic characteristics as detecting parameters • extensionality : generation of general traffic pattern data  easiness response new type of attacks by compounding traffic • Future Work • find algorithm that covers other types of attacks that do not cause changes of traffic • study schemes to cooperate with traffic monitoring systems existing IDSs • extend to Intrusion Protection System

More Related