Detection of Attackers in Services Using Anomalous Host Behavior Based on Traffic Flow Statistics

  • Authors: Yukiko Sawaya; Ayumu Kubota; Yutaka Miyake

  • Venue: SAINT '11 Proceedings of the 2011 IEEE/IPSJ International Symposium on Applications and the Internet
  • Year: 2011

Abstract

Flow-based attacker detection is a common way to detect malicious hosts at a router on a high-traffic network with limited computing resources. The most challenging aspect is detecting attackers that target well-known ports such as TCP ports 21, 25, 80, 443, etc. Although various methods have been studied, they cannot accurately detect such attackers. We propose a new flow-based attacker detection method that achieves a high detection rate using traffic flow statistics obtained by NetFlow, sFlow, etc. The proposed method focuses on a characteristic of attackers: they send flows to both the object port and ports that are generally closed on the global network. Our method accurately identifies hosts sending flows to the object port as attackers, without any deep packet inspection. We evaluated our method using NetFlow data collected from a real network. The results show that it detects 90.0% of attackers, with few misidentifications of legitimate hosts.
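The following is an added illustration of the detection principle the abstract describes, written for this page and not the authors' code: it aggregates per-source-host flow statistics and flags hosts that send flows both to the protected object port and to ports that are generally closed on the Internet. The object port (80), the list of "generally closed" ports, the minimum number of closed-port probes, and the CSV-like flow records are all constructed assumptions; the paper's actual thresholds and feature set are not given in the abstract.

```python
"""Added example: flag hosts that touch both the object port and generally closed ports.

Not the paper's implementation. The port sets, threshold and the sample
records below are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed object port (the service being protected) and an assumed set of
# ports that are generally closed on hosts reachable from the global network.
OBJECT_PORT = 80
GENERALLY_CLOSED_PORTS = {135, 137, 139, 445, 1433, 3306, 3389}

# Constructed NetFlow-like records: src,dst,dport,proto (one flow per line).
SAMPLE_FLOWS = """
# src,dst,dport,proto
203.0.113.10,198.51.100.5,80,tcp
203.0.113.10,198.51.100.5,443,tcp
203.0.113.66,198.51.100.5,80,tcp
203.0.113.66,198.51.100.6,80,tcp
203.0.113.66,198.51.100.7,80,tcp
203.0.113.66,198.51.100.8,445,tcp
203.0.113.66,198.51.100.9,445,tcp
203.0.113.66,198.51.100.9,3389,tcp
203.0.113.77,198.51.100.5,445,tcp
203.0.113.77,198.51.100.6,445,tcp
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse the constructed CSV-like records, skipping blank and comment lines."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport, proto = (field.strip() for field in line.split(","))
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def classify_hosts(flows, object_port=OBJECT_PORT,
                   closed_ports=GENERALLY_CLOSED_PORTS, min_closed_probes=1):
    """Return {src_host: stats} for hosts that send flows to the object port
    AND to at least `min_closed_probes` distinct (dst, closed_port) pairs.

    Hosts that only probe closed ports never touch the object port and are
    out of scope here; hosts that only use the object port are treated as
    legitimate. Only flow statistics are used, no packet payloads.
    """
    object_targets = defaultdict(set)   # src -> set of dst hosts on object port
    closed_probes = defaultdict(set)    # src -> set of (dst, port) on closed ports
    for f in flows:
        if f.dport == object_port:
            object_targets[f.src].add(f.dst)
        elif f.dport in closed_ports:
            closed_probes[f.src].add((f.dst, f.dport))

    suspects = {}
    for src, targets in object_targets.items():
        probes = closed_probes.get(src, set())
        if len(probes) >= min_closed_probes:
            suspects[src] = {
                "object_targets": len(targets),
                "closed_probes": len(probes),
            }
    return suspects


def run_example():
    """Classify the constructed sample; returns the suspect table."""
    return classify_hosts(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for host, stats in run_example().items():
        print(f"{host}: {stats}")
```

In the constructed sample, 203.0.113.10 uses only ports 80 and 443 and is left alone, 203.0.113.77 probes closed ports but never the object port and so is not a candidate, and 203.0.113.66 is flagged because it reaches the object port on three hosts while also probing closed ports. On real NetFlow data the closed-port list and `min_closed_probes` are the knobs that trade detection rate against misidentification of legitimate hosts.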