Abstract | ||
---|---|---|
Network traffic monitoring is primordial for network operations and management, including Quality-of-Service or security. One major difficulty when dealing with network traffic data (packets, flows, etc.) is the poor semantics of individual attributes (number of bytes, packets, IP addresses, protocol, TCP/UDP port numbers, etc.). Many of them can be represented as numerical values but cannot be mapped to a meaningful metric space. Most notable are application port numbers. They are numerical, but comparing them as integers is meaningless. In this paper, we propose a fine-grained attacker behavior-based similarity metric allowing traffic analysis to take into account semantic relations between port numbers. The behavior of attackers is derived from passive observation of a darknet or telescope, aggregated in a graph model, from which a dissimilarity function is defined. We demonstrate the veracity of this function with real-world network data in order to proactively block 99% of TCP scans. |
Year | Venue | Keywords |
---|---|---|
2019 | 2019 IFIP/IEEE Symposium on Integrated Network and Service Management (IM) | application port numbers,network traffic monitoring,network operations,network traffic data,IP addresses,metric space,real-world network data,security monitoring,fine grained attacker behavior-based similarity metric,traffic analysis,telescope,graph model,TCP scans,Darknet analysis,quality-of-service |
Field | DocType | ISSN |
---|---|---|
Byte,Port (computer networking),Traffic analysis,User Datagram Protocol,Darknet,Computer science,Network packet,Computer network,Network operations center,Metric space | Conference | 1573-0077 |
ISBN | Citations | PageRank |
---|---|---|
978-1-7281-0618-2 | 0 | 0.34 |
References | Authors | |
---|---|---|
0 | 3 |
Name | Order | Citations | PageRank |
---|---|---|---|
Laurent Evrard | 1 | 0 | 0.68 |
Jérôme François | 2 | 170 | 21.81 |
Jean-Noel Colin | 3 | 45 | 12.32 |