Analyzing Network Traffic for Malicious Hacker Activity

Pyke, Randall (2004) Analyzing Network Traffic for Malicious Hacker Activity. Canadian Industrial Problem Solving Workshops > 8th IPSW [Vancouver 17/5/2004 - 21/5/2004].

Abstract/Summary

Since the Internet came into being in the 1970s it has grown by more than 100% a year, while solutions for detecting network intrusion have fallen far behind. The economic impact of malicious attacks on a single e-commerce company, measured in lost revenue, ranges from 66 thousand to 53 million US dollars. At the same time, no effective mathematical model is widely available for distinguishing anomalous network behaviour, such as port scanning, system exploration, and virus and worm propagation, from normal traffic.

PDS, proposed by Random Knowledge Inc., detects and localizes traffic patterns consistent with attacks hidden within large amounts of legitimate traffic. Taking the network's packet traffic stream as its input, PDS relies on high-fidelity models of normal traffic against which it can critically judge the legitimacy of any substream of packet traffic. Because the approach depends on an accurate baseline model of normal network traffic, this workshop concentrates on modelling normal network traffic as a Poisson process.

Item Type: Study Group Report
Study Group: Canadian Industrial Problem Solving Workshops > 8th IPSW [Vancouver 17/5/2004 - 21/5/2004]
Company Name: Random Knowledge
Industrial Sector: Information and communication technology
Additional Contributors: Long, Hongwei and Shi, Weiguang and Wu, Lang and Kim, Surrey and Peker, Stanislava and Chan, Benjamin and Haiduc, Radu and Maxim, Andrei and Abramov, Vilen and Zeng, Bo and Wang, Pengpeng and Liao, Robert and Petrachenko, Yury and Romaniuk, Yulia and Wang, Mengzhe and Wang, Zhian and Yassaei, Mohammad Ali and Mititica, Gabriel and Song, Shijun and Zhang, Xuekui and Li, Song and Vassilev, Tzvetalin and Azer, Nancy and Salmani, Mahim and Zhu, Jiaping
ID Code: 181
Deposited By: Michele Taroni
Deposited On: 13 October 2008

Problem Statement

Network security is still in its infancy. Existing intrusion detection and prevention solutions lack accuracy, broad attack coverage, speed, performance and scalability, and do not provide reliable protection for today's vital networks.

Random Knowledge Inc.'s approach to intrusion detection is to apply what it calls Mathematically Optimal Detection, which it claims outperforms other methods, including pattern matching, neural networks and statistical techniques. Its detection system, the Portscan Detection System (PDS), detects and localizes traffic patterns consistent with possibly stealthy forms of attack hidden within hordes of legitimate traffic. Taking the network's packet traffic stream as its input, PDS relies on high-fidelity models of normal traffic against which it can critically judge the legitimacy of any substream of packet traffic.

In this modelling workshop we try to characterize normal traffic, which involves:

1. Defining all the different types of connection sessions.

2. Verifying a Poisson measure model for the incoming connection sessions: if the connection session types are labelled $1,\ldots, n$, determining whether $N(A \times (0, t])$ is Poisson distributed for every subset $A$ of $\{1, \ldots, n\}$, where $N$ is the random counting measure that counts sessions by type and arrival time.

3. Determining the rates of $N(A \times (0, t])$, or equivalently its mean measure, if session generation does conform reasonably to the Poisson measure model, and otherwise suggesting other suitable models.

4. Verifying the presence of self-similar processes and heavy-tailed distributions within connection sessions (for example in the transmission time), and estimating their parameters.
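The four steps above, and the baseline-versus-substream judgement described in the abstract, as one worked example added here (it is not code from the report or from Random Knowledge's PDS). Everything in it is constructed: three session types arriving as independent Poisson streams with assumed rates, Pareto-distributed durations standing in for transmission times, and a burst of type-1 sessions injected as a stand-in for a port scan. The block bins the sessions to form $N(A \times (k w, (k+1) w])$, applies an index-of-dispersion test for the Poisson hypothesis, estimates the rate for a chosen set $A$ of types, and estimates a tail index for durations with the Hill estimator.

```python
"""Added example (not from the IPSW report or from Random Knowledge's PDS):
a Poisson-baseline check on constructed connection-session arrivals, a rate
estimate for N(A x (0, t]), and a Hill tail-index estimate for durations.
Session types, rates, durations and the injected scan are all assumed."""
import math
import random


def make_sessions(seed=1, rate_per_type=(0.5, 0.3, 0.2), horizon=600.0):
    """Constructed session log: list of (arrival_time, session_type, duration).
    Types are labelled 1..n as in the problem statement (here n = 3).  Each
    type arrives with exponential gaps, i.e. as an independent Poisson stream;
    durations are Pareto(alpha = 1.5), a heavy-tailed choice with infinite
    variance, standing in for transmission times."""
    rng = random.Random(seed)
    sessions = []
    for typ, lam in enumerate(rate_per_type, start=1):
        t = 0.0
        while True:
            t += rng.expovariate(lam)
            if t > horizon:
                break
            sessions.append((t, typ, rng.paretovariate(1.5)))
    sessions.sort()
    return sessions


def inject_scan(sessions, start=300.0, count=200, typ=1, spread=10.0, seed=7):
    """Return a copy with a burst of `count` type-`typ` sessions inside
    (start, start + spread]: a crude, constructed stand-in for a port scan."""
    rng = random.Random(seed)
    burst = [(start + rng.random() * spread, typ, 0.01) for _ in range(count)]
    return sorted(sessions + burst)


def bin_counts(sessions, types, bin_width, horizon):
    """Counts of N(A x (k*w, (k+1)*w]) for A = `types` and every bin k."""
    nbins = int(horizon // bin_width)
    counts = [0] * nbins
    for t, typ, _ in sessions:
        if typ in types and 0.0 < t <= nbins * bin_width:
            counts[math.ceil(t / bin_width) - 1] += 1
    return counts


def dispersion_z(counts):
    """Index-of-dispersion test.  For Poisson counts, (n-1)*var/mean is
    approximately chi-square with n-1 degrees of freedom, so the standardised
    statistic returned here is roughly N(0, 1).  |z| well above 3 rejects the
    Poisson baseline; over-dispersion is what a burst such as a scan causes."""
    n = len(counts)
    mean = sum(counts) / n
    var = sum((c - mean) ** 2 for c in counts) / (n - 1)
    d = (n - 1) * var / mean
    return (d - (n - 1)) / math.sqrt(2 * (n - 1))


def rate_estimate(sessions, types, horizon):
    """Maximum-likelihood rate of N(A x (0, t]) for A = `types`: count / t.
    Independent Poisson streams superpose to a Poisson stream, so the rate
    for a union of types is the sum of the per-type rates."""
    return sum(1 for t, typ, _ in sessions if typ in types and t <= horizon) / horizon


def hill_tail_index(values, k):
    """Hill estimator of the tail index alpha from the k largest values;
    alpha < 2 means infinite variance, the heavy-tail regime of item 4."""
    xs = sorted(values, reverse=True)
    logs = sum(math.log(xs[i] / xs[k]) for i in range(k))
    return k / logs


if __name__ == "__main__":
    base = make_sessions()
    scanned = inject_scan(base)
    for name, s in (("baseline", base), ("with scan", scanned)):
        z = dispersion_z(bin_counts(s, {1}, 10.0, 600.0))
        print(f"{name:10s} type-1 dispersion z = {z:8.2f}")
    print("rate for A={1}:    ", round(rate_estimate(base, {1}, 600.0), 3))
    print("rate for A={1,2,3}:", round(rate_estimate(base, {1, 2, 3}, 600.0), 3))
    durations = [d for _, _, d in base]
    print("Hill alpha of durations:", round(hill_tail_index(durations, 100), 2))
```

The dispersion statistic is the simplest of the Poisson checks the workshop asks for; on the clean baseline it stays within a few units of zero, while the injected burst drives it into the hundreds for ten-second bins, which is the kind of substream-level judgement the abstract describes. Bin width matters: a scan spread thinly over a long window can hide inside bins much wider than the burst, so a practitioner would run the test at several widths. The Hill estimate depends on the choice of `k`; in practice one plots it against `k` and reads off the stable region.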

Hitherto, most study of traffic characterization has focused on its implications for improved network performance. Random Knowledge's approach studies traffic characterization for its implications for detecting malicious hacker activity.
