A Baseline Numeric Analysis of Network Telescope Data for Network Incident Discovery
- Cowie, Bradley, Irwin, Barry V W
- Authors: Cowie, Bradley , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427971 , vital:72477 , https://www.researchgate.net/profile/Barry-Ir-win/publication/326225071_An_Evaluation_of_Trading_Bands_as_Indicators_for_Network_Telescope_Datasets/links/5b3f231a4585150d2309e1c0/An-Evaluation-of-Trading-Bands-as-Indicators-for-Network-Telescope-Datasets.pdf
- Description: This paper investigates the value of Network Telescope data as a mechanism for network incident discovery by considering data summa-rization, simple heuristic identification and deviations from previously observed traffic distributions. It is important to note that the traffic ob-served is obtained from a Network Telescope and thus does not expe-rience the same fluctuations or vagaries experienced by normal traffic. The datasets used for this analysis were obtained from a Network Tele-scope for the time period August 2005 to September 2009 which had been allocated a Class-C network address block at Rhodes University. The nature of the datasets were considered in terms of simple statistical measures obtained through data summarization which greatly reduced the processing and observation required to determine whether an inci-dent had occurred. However, this raised issues relating to the time in-terval used for identification of an incident. A brief discussion into statis-tical summaries of Network Telescope data as" good" security metrics is provided. The summaries derived were then used to seek for signs of anomalous network activity. Anomalous activity detected was then rec-onciled by considering incidents that had occurred in the same or simi-lar time interval. Incidents identified included Conficker, Win32. RinBot, DDoS and Norton Netware vulnerabilities. Detection techniques includ-ed identification of rapid growth in packet count, packet size deviations, changes in the composition of the traffic expressed as a ratio of its constituents and changes in the modality of the data. Discussion into the appropriateness of this sort of manual analysis is provided and suggestions towards an automated solution are discussed.
- Full Text:
- Date Issued: 2011
- Authors: Cowie, Bradley , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/427971 , vital:72477 , https://www.researchgate.net/profile/Barry-Ir-win/publication/326225071_An_Evaluation_of_Trading_Bands_as_Indicators_for_Network_Telescope_Datasets/links/5b3f231a4585150d2309e1c0/An-Evaluation-of-Trading-Bands-as-Indicators-for-Network-Telescope-Datasets.pdf
- Description: This paper investigates the value of Network Telescope data as a mechanism for network incident discovery by considering data summa-rization, simple heuristic identification and deviations from previously observed traffic distributions. It is important to note that the traffic ob-served is obtained from a Network Telescope and thus does not expe-rience the same fluctuations or vagaries experienced by normal traffic. The datasets used for this analysis were obtained from a Network Tele-scope for the time period August 2005 to September 2009 which had been allocated a Class-C network address block at Rhodes University. The nature of the datasets were considered in terms of simple statistical measures obtained through data summarization which greatly reduced the processing and observation required to determine whether an inci-dent had occurred. However, this raised issues relating to the time in-terval used for identification of an incident. A brief discussion into statis-tical summaries of Network Telescope data as" good" security metrics is provided. The summaries derived were then used to seek for signs of anomalous network activity. Anomalous activity detected was then rec-onciled by considering incidents that had occurred in the same or simi-lar time interval. Incidents identified included Conficker, Win32. RinBot, DDoS and Norton Netware vulnerabilities. Detection techniques includ-ed identification of rapid growth in packet count, packet size deviations, changes in the composition of the traffic expressed as a ratio of its constituents and changes in the modality of the data. Discussion into the appropriateness of this sort of manual analysis is provided and suggestions towards an automated solution are discussed.
- Full Text:
- Date Issued: 2011
An Evaluation of Trading Bands as Indicators for Network Telescope Datasets
- Cowie, Bradley, Irwin, Barry V W
- Authors: Cowie, Bradley , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428013 , vital:72480 , https://www.researchgate.net/profile/Barry-Ir-win/publication/326225071_An_Evaluation_of_Trading_Bands_as_Indicators_for_Network_Telescope_Datasets/links/5b3f231a4585150d2309e1c0/An-Evaluation-of-Trading-Bands-as-Indicators-for-Network-Telescope-Datasets.pdf
- Description: Large scale viral outbreaks such as Conficker, the Code Red worm and the Witty worm illustrate the importance of monitoring malevolent activity on the Internet. Careful monitoring of anomalous traffic allows organiza-tions to react appropriately and in a timely fashion to minimize economic damage. Network telescopes, a type of Internet monitor, provide ana-lysts with a way of decoupling anomalous traffic from legitimate traffic. Data from network telescopes is used by analysts to identify potential incidents by comparing recent trends with historical data. Analysis of network telescope datasets is complicated by the large quantity of data present, the number of subdivisions within the data and the uncertainty associated with received traffic. While there is considerable research being performed in the field of network telescopes little of this work is concerned with the analysis of alternative methods of incident identifi-cation. This paper considers trading bands, a subfield of technical analysis, as an approach to identifying potential Internet incidents such as worms. Trading bands construct boundaries that are used for meas-uring when certain quantities are high or low relative to recent values. This paper considers Bollinger Bands and associated Bollinger Indica-tors, Price Channels and Keltner Channels. These techniques are evaluated as indicators of malevolent activity by considering how these techniques react to incidents indentified in the captured data from a network telescope.
- Full Text:
- Date Issued: 2011
- Authors: Cowie, Bradley , Irwin, Barry V W
- Date: 2011
- Language: English
- Type: text , article
- Identifier: http://hdl.handle.net/10962/428013 , vital:72480 , https://www.researchgate.net/profile/Barry-Ir-win/publication/326225071_An_Evaluation_of_Trading_Bands_as_Indicators_for_Network_Telescope_Datasets/links/5b3f231a4585150d2309e1c0/An-Evaluation-of-Trading-Bands-as-Indicators-for-Network-Telescope-Datasets.pdf
- Description: Large scale viral outbreaks such as Conficker, the Code Red worm and the Witty worm illustrate the importance of monitoring malevolent activity on the Internet. Careful monitoring of anomalous traffic allows organiza-tions to react appropriately and in a timely fashion to minimize economic damage. Network telescopes, a type of Internet monitor, provide ana-lysts with a way of decoupling anomalous traffic from legitimate traffic. Data from network telescopes is used by analysts to identify potential incidents by comparing recent trends with historical data. Analysis of network telescope datasets is complicated by the large quantity of data present, the number of subdivisions within the data and the uncertainty associated with received traffic. While there is considerable research being performed in the field of network telescopes little of this work is concerned with the analysis of alternative methods of incident identifi-cation. This paper considers trading bands, a subfield of technical analysis, as an approach to identifying potential Internet incidents such as worms. Trading bands construct boundaries that are used for meas-uring when certain quantities are high or low relative to recent values. This paper considers Bollinger Bands and associated Bollinger Indica-tors, Price Channels and Keltner Channels. These techniques are evaluated as indicators of malevolent activity by considering how these techniques react to incidents indentified in the captured data from a network telescope.
- Full Text:
- Date Issued: 2011
- «
- ‹
- 1
- ›
- »