NETWORK TRAFFIC FLOW ANALYSIS - NM Lab at Korea Univ.

flows. In this work, much of the effort so far has beenconcentrated on identifying meaningful flow attributes.Preliminary assessment indicates the proof-of-concept toolis useful as is, and may lead, with further research, to anumber of applications.Mechanisms that allow us to infer the true nature ofinformation flows based on traffic behaviour can be used toincrease the level of confidence in the monitoring tools and inour networks. We believe that the flow features derived duringthis study will prove to be useful to other researchers in thefield.References[1] J. P. Early, C. E. Brodley, C. Rosenberg, “BehavioralAuthentication of Server Flows”, Proc. of the AnnualComputer Security Applications Conference (ACSAC2003), Las Vagas, NV, USA, December 2003.[2] M. Roughan, S. Sen, O. Spatscheck, N. G. Duffield,“Class-of-service mapping for QoS: a statistical signaturebasedapproach to IP traffic classification”, Proc of theConference on internet Measurement (IMC 04), pp. 135-148, Taormina, Sicily, Italy, October 2004.[3] T. Karagiannis, K. Papagiannaki and M. Faloutsos,“BLINC: Multilevel Traffic Classification in the Dark”,Proc. of ACM SIGCOMM, pp. 229-240, Philadelphia, PA,USA, August 2005.[4] K. Xu, Z. Zhang, and S. Bhattacharya. “Profiling InternetBackbone Traffic: Behavior Models and Applications”,Proc. of ACM SIGCOMM, pp. 169-180, Philadelphia, PA,USA, August 2005.[5] A. W. Moore and D. Zuev. “Internet Traffic ClassificationUsing Bayesian Analysis Techniques”, Proc. of ACMSIGMETRICS, pp. 50-60, Banff, Alberta, Canada, June,2005.[6] W. Lee, S.J. Stolfo, “A Framework for ConstructingFeatures and Models for Intrusion Detection Systems”,ACM Transactions on Information and System Security,Vol. 3 No. 4, November, 2000.[7] S. Abdulrahman “Network Intrusion Detection UsingFlow Characterization,” project description,http://www.cs.utk.edu/~abdulrah/project/paper.html[8] T. Dunigan, G. Ostrouchov, “Flow Characterization forIntrusion Detection”, Oak Ridge National Laboratoryreport, ORNL/TM-2001/115, November 2000, available athttp://www.csm.ornl.gov/~dunigan/pubs.html[9] Y. Zhang and V. Paxson, “Detecting Backdoors”, Proc. ofUSENIX Security Symposium, Denver, CO, USA, August2000.[10] F. Hernández-Campos, A. B. Nobel, F. Donelson Smith,K. Jeffay, “Understanding Patterns of TCP ConnectionUsage with Statistical Clustering”, Proc. of theSymposium on Modeling, Analysis, and Simulation ofComputer and Telecommunication Systems (MASCOTS),pp. 35-44, Atlanta, GA, USA, September 2005.[11] DARPA Intrusion Detection Evaluation, LincolnLaboratory, http://www.ll.mit.edu/IST/ideval/[12] Annie De Montigny-Leboeuf, “Flow Attributes For UseIn Traffic Characterization,” CRC Technical Note CRC-TN-2005-003, December 2005[13] C. Daicos, G.S. Knight, “Concerning Enterprise NetworkVulnerability To Http Tunnelling”, Proc. of IFIP TC1118th International Conference on Information Security(IFIP SEC 2003), Athens, Greece, May 2003.[14]Httptunnel, a HTTP tunnel tool, available athttp://www.nocrew.org/software/httptunnel.html[15] Httport, a HTTP tunnel tool, available athttp://www.htthost.com/642