Passive remote source NAT detection using behavior statistics derived from netflow

Authors:
Sebastian Abt;Christian Dietz;Harald Baier;Slobodan Petrović
Affiliations:
da/sec --- Biometrics and Internet Security Research Group, Hochschule Darmstadt, Darmstadt, Germany;da/sec --- Biometrics and Internet Security Research Group, Hochschule Darmstadt, Darmstadt, Germany;da/sec --- Biometrics and Internet Security Research Group, Hochschule Darmstadt, Darmstadt, Germany;Norwegian Information Security Laboratory, Gjøvik University College, Gjøvik, Norway
Venue:
AIMS'13 Proceedings of the 7th IFIP WG 6.6 international conference on Autonomous Infrastructure, Management, and Security: emerging management mechanisms for the future internet - Volume 7943
Year:
2013

Citing 12
Cited 0

A training algorithm for optimal margin classifiers

COLT '92 Proceedings of the fifth annual workshop on Computational learning theory
C4.5: programs for machine learning

C4.5: programs for machine learning
On the design and performance of prefix-preserving IP traffic trace anonymization

IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
A technique for counting natted hosts

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Remote Physical Device Fingerprinting

IEEE Transactions on Dependable and Secure Computing
Netflow based system for NAT detection

Proceedings of the 5th international student workshop on Emerging networking experiments and technologies
Passive NATted Hosts Detect Algorithm Based on Directed Acyclic Graph Support Vector Machine

MINES '09 Proceedings of the 2009 International Conference on Multimedia Information Networking and Security - Volume 02
Fast-flux bot detection in real time

RAID'10 Proceedings of the 13th international conference on Recent advances in intrusion detection
Security enhancement by detecting network address translation based on instant messaging

EUC'06 Proceedings of the 2006 international conference on Emerging Directions in Embedded and Ubiquitous Computing
Tetherway: a framework for tethering camouflage

Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks
Peek-a-Boo, I Still See You: Why Efficient Traffic Analysis Countermeasures Fail

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
A Framework for P2P Botnet Detection Using SVM

CYBERC '12 Proceedings of the 2012 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network Address Translation (NAT) is a technique commonly employed in today's computer networks. NAT allows multiple devices to hide behind a single IP address. From a network management and security point of view, NAT may not be desirable or permitted as it allows rogue and unattended network access. In order to detect rogue NAT devices, we propose a novel passive remote source NAT detection approach based on behavior statistics derived from NetFlow. Our approach utilizes 9 distinct features that can directly be derived from NetFlow records. Furthermore, our approach does not require IP address information, but is capable of operating on anonymous identifiers. Hence, our approach is very privacy friendly. Our approach requires only a 120 seconds sample of NetFlow records to detect NAT traffic within the sample with a lower-bound accuracy of 89.35%. Furthermore, our approach is capable of operating in real-time.