Marina Bykova, Shawn Ostermann, Brett Tjaden

CERIAS TR 2001-75

inproceedings

With the growing threat of abuse of network resources, it becomes increasingly important to be able to detect malformed packets on a network and estimate the damage they can cause. Carefully constructed, certain types of packets can cause a victim host to crash while other packets may be sent only to gather necessary information about hosts and networks can be viewed as a prelude to attack. In this paper, we collect and analyze all of the IP and TCP packets seen on a network that either violate existing standards or should not appear in modern internets. Our goal is to determine what these suspicious packets mean and evaluate what proportion of such packets can cause actual damage. Thus, we divide unusual packets obtained during our experiments into several categories depending on the severity of their consequences, including indirect consequences as a result of information gathering, and show the result. The traces analyzed were gathered at Ohio University's main Internet link, providing a massive amount of statistical data.

PDF

2001 – 03

Bykova

IEEE Southeastern Symposium on System Theory (SSST 2001)

The authors are indebted to Ethan Blanton for reviewing document and many useful suggestion and corrections. The authors also acknowledge the Ohio University Communication Network Services staff, in particular Theresa Kelleher and Todd Acheson, for providing us with the data and necessary information that made our research possible.

Ohio University

2001-03-01

1. Introduction 2. Description of the experiment 3. Results 4. Conclusions and Recommendations 5. Future Work

Intrusion Detection System, suspicious activity, IP, TCP, packet analysis, packet header analysis, network monitoring

English

Detecting Network Intrusions via a Statistical Analysis of Network Packet Characteristics