The motivation for this work came from a need to reduce the likelihood that an attacker may hijack the campus machines to stage an attack on a third party. A campus may want to prevent or limit misuse of its machines in staging attacks, and possibly limit the liability from such attacks. In particular, we study the utility of observing packet header data of outgoing traffic, such as destination addresses, port numbers and the number of flows, in order to detect attacks/anomalies originating from the campus at the edge of a campus.
Our approach passively monitors network traffic at regular intervals and analyzes it to find any abnormalities in the aggregated traffic. By observing the traffic and correlating it to previous states of traffic, it may be possible to see whether the current traffic is behaving in a similar (i.e., correlated) manner. The network traffic could look different because of flash crowds, changing access patterns, infrastructure problems such as router failures, and DoS attacks. In the case of bandwidth attacks, the usage of network may be increased and abnormalities may show up in traffic volume. Flash crowds could be observed through sudden increase in traffic volume to a single destination. Sudden increase of traffic on a certain port could signify the onset of an anomaly such as worm propagation. Our approach relies on analyzing packet header data in order to provide indications of possible abnormalities in the traffic.
Statistical Techniques for Detecting Traffic Anomalies Through Packet Header Data Project Report