Detecting Network Intrusions via a Statistical Analysis of Network Packet Characteristics
Author
Marina Bykova, Shawn Ostermann, Brett Tjaden
Tech report number
CERIAS TR 2001-75
Abstract
With the growing threat of abuse of network resources, it becomes increasingly important to be able to detect malformed packets on a network and estimate the damage they can cause. Carefully constructed, certain types of packets can cause a victim host to crash while other packets may be sent only to gather necessary information about hosts and networks can be viewed as a prelude to attack. In this paper, we collect and analyze all of the IP and TCP packets seen on a network that either violate existing standards or should not appear in modern internets. Our goal is to determine what these suspicious packets mean and evaluate what proportion of such packets can cause actual damage. Thus, we divide unusual packets obtained during our experiments into several categories depending on the severity of their consequences, including indirect consequences as a result of information gathering, and show the result. The traces analyzed were gathered at Ohio University's main Internet link, providing a massive amount of statistical data.
Series
IEEE Southeastern Symposium on System Theory (SSST 2001)
Acknowledgement
The authors are indebted to Ethan Blanton for reviewing document and many useful suggestion and corrections. The authors also acknowledge the Ohio University Communication Network Services staff, in particular Theresa Kelleher and Todd Acheson, for providing us with the data and necessary information that made our research possible.
Affiliation
Ohio University
Publication Date
2001-03-01
Contents
1. Introduction
2. Description of the experiment
3. Results
4. Conclusions and Recommendations
5. Future Work
Keywords
Intrusion Detection System, suspicious activity, IP, TCP, packet analysis, packet header analysis, network monitoring
Subject
Detecting Network Intrusions via a Statistical Analysis of Network Packet
Characteristics