Passive remote source NAT detection using behavior statistics derived from netflow
AIMS'13 Proceedings of the 7th IFIP WG 6.6 international conference on Autonomous Infrastructure, Management, and Security: emerging management mechanisms for the future internet - Volume 7943
Unauthorized network address translation (NAT) devices may be a significant security problem. They provide unrestricted access to any number of hosts connecting to them. Some attackers may use computers hidden behind NAT devices to conduct malicious activities such as denial of service. This work proposes an algorithm to detect hosts hidden behind NAT. Unlike previous research, the algorithm does not depend on any special field in any packet header. It is based on analyzing traffic features with a directed acyclic graph support vector machine (DAGSVM). First, traffic models of hosts are selected from training samples with DAGSVM. The models and the classifier are then used to predict the number of hosts in unknown traces. The experiment shows that the proposed algorithm is effective even when there are more hosts in the test set than in the training set, and that the accuracy falls when there are more unknown hosts in the test traces.