A signal analysis of network traffic anomalies
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
A behavioral approach to worm detection
Proceedings of the 2004 ACM workshop on Rapid malcode
LISA '00 Proceedings of the 14th USENIX conference on System administration
Mining anomalies using traffic feature distributions
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
BLINC: multilevel traffic classification in the dark
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Proceedings of the 2005 ACM workshop on Rapid malcode
Host Behaviour Based Early Detection of Worm Outbreaks in Internet Backbones
WETICE '05 Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise
Entropy Based Worm and Anomaly Detection in Fast IP Networks
WETICE '05 Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise
Traffic classification using clustering algorithms
Proceedings of the 2006 SIGCOMM workshop on Mining network data
Fast Traffic Classification in High Speed Networks
APNOMS '08 Proceedings of the 11th Asia-Pacific Symposium on Network Operations and Management: Challenges for Next Generation Network Operations and Service Management
Empirical Analysis of Application-Level Traffic Classification Using Supervised Machine Learning
APNOMS '08 Proceedings of the 11th Asia-Pacific Symposium on Network Operations and Management: Challenges for Next Generation Network Operations and Service Management
FLAME: a flow-level anomaly modeling engine
CSET'08 Proceedings of the conference on Cyber security experimentation and test
Flow-level traffic analysis of the blaster and sobig worm outbreaks in an internet backbone
DIMVA'05 Proceedings of the Second international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Statistical model applied to netflow for network intrusion detection
Transactions on computational science XI
| Hi-index | 0.00 |
In this paper we propose a methodology for detecting abnormal traffic on the net, such as worm attacks, based on the observation of the behaviours of different elements at the network edges. In order to achieve this, we suggest a set of critical features and we judge normal site status based on these standards. For our goal this characterization must be free of virus traffic. Once this has been set, we would be able to find abnormal situations when the observed behaviour, set against the same features, is significantly different from the previous model. We have based our work on NetFlow information generated by the main routers in the University of Zaragoza network, with more than 12,000 hosts. The proposed model helps to characterize the whole corporate network, sub-nets and the individual hosts. This methodology has proved its effectiveness in real infections caused by viruses such as SpyBot, Agobot, etc in accordance with our experimental tests. This system would allow to detect new kind of worms, independently from the vulnerabilities or methods used for their propagation.