DocumentCode
3071302
Title
Detection of Attackers in Services Using Anomalous Host Behavior Based on Traffic Flow Statistics
Author
Sawaya, Yukiko ; Kubota, Ayumu ; Miyake, Yutaka
Author_Institution
KDDI R&D Labs., Inc., Fujimino, Japan
fYear
2011
fDate
18-21 July 2011
Firstpage
353
Lastpage
359
Abstract
Flow-based attacker detection is a common way to detect malicious hosts at a router on a high-traffic network with fewer computing resources. The most challenging aspect is to detect attackers that traverse well-known ports such as TCP ports 21, 25, 80, 443, etc. Although various methods have been studied, they cannot accurately detect such attackers. We propose a new flow-based attacker detection method that achieves a high detection rate using traffic flow statistics obtained by NetFlow, sFlow, etc. The proposed method focuses on the characteristics of attackers who send flows to both the object port and a generally closed port in the global network. Our method accurately identifies hosts sending flows to the object port as attackers, without any deep packet inspection. We evaluated our method using actually collected NetFlow data. The results show that it detects 90.0% of attackers, with few misidentifications of legitimate hosts.
Keywords
computer network security; statistical analysis; telecommunication traffic; NetFlow; TCP ports; anomalous host behavior; deep packet inspection; flow-based service attacker detection method; high-traffic network router; malicious host detection; sFlow; traffic flow statistics; Accuracy; Band pass filters; Computer crime; Feature extraction; IP networks; Postal services; Servers; DDoS attack; NetFlow; botnet; flow-based attacker detection; spam mail sending hosts;
fLanguage
English
Publisher
ieee
Conference_Titel
Applications and the Internet (SAINT), 2011 IEEE/IPSJ 11th International Symposium on
Conference_Location
Munich, Bavaria
Print_ISBN
978-1-4577-0531-1
Electronic_ISBN
978-0-7695-4423-6
Type
conf
DOI
10.1109/SAINT.2011.68
Filename
6004185