Abstract
Network traffic monitoring is primordial for network operations and management including Quality-of-Service or security. One major difficulty when dealing with network traffic data (packets, flows, etc) is the poor semantic of individual attributes (number of bytes, packets, IP addresses, protocol, TCP/UDP port numbers, etc). Many of them can be represented as numerical values but cannot be mapped to a meaningful metric space. Most notably are application port numbers. They are numerical but comparing them as integers is meaningless. In this paper, we propose a fine grained attacker behavior-based similarity metric allowing traffic analysis to take into account semantic relations between port numbers. The behavior of attackers is derived from passive observation of a darknet or telescope, aggregated in a graph model, from which a dissimilarity function is defined. We demonstrate the veracity of this function with real world network data in order to pro-actively block 99% of TCP scans.
| Original language | English |
|---|---|
| Title of host publication | 2019 IFIP/IEEE Symposium on Integrated Network and Service Management, IM 2019 |
| Publisher | IEEE |
| Pages | 89-97 |
| Number of pages | 9 |
| ISBN (Electronic) | 9783903176157 |
| Publication status | Published - 16 May 2019 |
| Event | IFIP/IEEE International Symposium on Integrated Network Management - Duration: 8 Apr 2019 → 12 Apr 2019 |
Conference
| Conference | IFIP/IEEE International Symposium on Integrated Network Management |
|---|---|
| Abbreviated title | IM |
| Period | 8/04/19 → 12/04/19 |