A statistical approach to TCP session classification

Government computer networks need a real-time network traffic monitoring tool to detect anomalies in network traffic patterns to improve security. Specifically, they need a tool to determine if a host is using a network connection for something other than the intended use. A key step in developing t...

Full description

Saved in:
Bibliographic Details
Main Authors: Moscalu, T., Steel, A.M., Brown, E., Lim, Y.L.
Format: Conference Proceeding
Language:English
Subjects:
Computer networks
Computer security
Design engineering
Intrusion detection
Machine learning algorithms
Network servers
Systems engineering and theory
Telecommunication traffic
Traffic control
USA Councils
Online Access:Request full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Government computer networks need a real-time network traffic monitoring tool to detect anomalies in network traffic patterns to improve security. Specifically, they need a tool to determine if a host is using a network connection for something other than the intended use. A key step in developing this tool is creating statistical models to accurately identify the application protocols of sessions in a network without relying on port numbers, which conventionally identify them. This paper outlines the construction of these models. Specifically, it focuses on the methods used to build them, which included: structuring network data in a database, aggregating packet level data into sessions, and then identifying the key variables. The models employ variables such as the inter-arrival time between packets, the variance of those times, the distribution of TCP control flags and other information available from the packet headers. The paper examines the significance of these explanatory variables and attempts to determine which would be useful in a real-time implementation.
DOI:10.1109/SIEDS.2008.4559677