• DocumentCode
    3071302
  • Title

    Detection of Attackers in Services Using Anomalous Host Behavior Based on Traffic Flow Statistics

  • Author

    Sawaya, Yukiko ; Kubota, Ayumu ; Miyake, Yutaka

  • Author_Institution
    KDDI R&D Labs., Inc., Fujimino, Japan
  • fYear
    2011
  • fDate
    18-21 July 2011
  • Firstpage
    353
  • Lastpage
    359
  • Abstract
    Flow-based attacker detection is a common way to detect malicious hosts at a router on a high-traffic network with fewer computing resources. The most challenging aspect is to detect attackers that traverse well-known ports such as TCP ports 21, 25, 80, 443, etc. Although various methods have been studied, they cannot accurately detect such attackers. We propose a new flow-based attacker detection method that achieves a high detection rate using traffic flow statistics obtained by NetFlow, sFlow, etc. The proposed method focuses on the characteristics of attackers who send flows to both the object port and a generally closed port in the global network. Our method accurately identifies hosts sending flows to the object port as attackers, without any deep packet inspection. We evaluated our method using actually collected NetFlow data. The results show that it detects 90.0% of attackers, with few misidentifications of legitimate hosts.
  • Keywords
    computer network security; statistical analysis; telecommunication traffic; NetFlow; TCP ports; anomalous host behavior; deep packet inspection; flow-based service attacker detection method; high-traffic network router; malicious host detection; sFlow; traffic flow statistics; Accuracy; Band pass filters; Computer crime; Feature extraction; IP networks; Postal services; Servers; DDoS attack; NetFlow; botnet; flow-based attacker detection; spam mail sending hosts;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Applications and the Internet (SAINT), 2011 IEEE/IPSJ 11th International Symposium on
  • Conference_Location
    Munich, Bavaria
  • Print_ISBN
    978-1-4577-0531-1
  • Electronic_ISBN
    978-0-7695-4423-6
  • Type

    conf

  • DOI
    10.1109/SAINT.2011.68
  • Filename
    6004185