eprintid: 181
rev_number: 4
eprint_status: archive
userid: 6
dir: disk0/00/00/01/81
datestamp: 2008-10-13
lastmod: 2015-05-29 19:48:51
status_changed: 2009-04-08 16:55:27
type: report
metadata_visibility: show
item_issues_count: 0
creators_name: Pyke, Randall
contributors_name: Long, Hongwei
contributors_name: Shi, Weiguang
contributors_name: Wu, Lang
contributors_name: Kim, Surrey
contributors_name: Peker, Stanislava
contributors_name: Chan, Benjamin
contributors_name: Haiduc, Radu
contributors_name: Maxim, Andrei
contributors_name: Abramov, Vilen
contributors_name: Zeng, Bo
contributors_name: Wang, Pengpeng
contributors_name: Liao, Robert
contributors_name: Petrachenko, Yury
contributors_name: Romaniuk, Yulia
contributors_name: Wang, Mengzhe
contributors_name: Wang, Zhian
contributors_name: Yassaei, Mohammad Ali
contributors_name: Mititica, Gabriel
contributors_name: Song, Shijun
contributors_name: Zhang, Xuekui
contributors_name: Li, Song
contributors_name: Vassilev, Tzvetalin
contributors_name: Azer, Nancy
contributors_name: Salmani, Mahim
contributors_name: Zhu, Jiaping
title: Analyzing Network Traffic for Malicious Hacker Activity
ispublished: pub
subjects: telecom
studygroups: ipsw8
companyname: Random Knowledge
full_text_status: public
suggestions: I can't get the maths to work in the problem statement... not sure why.
abstract: Since the Internet came into life in the 1970s, it has been growing by more than 100% every year. Solutions for detecting network intrusion, on the other hand, have been far outpaced. The economic impact of malicious attacks, in lost revenue to a single e-commerce company, can range from 66 thousand to 53 million US dollars. At the same time, no effective mathematical model is widely available to distinguish anomalous network behaviours, such as port scanning, system exploration, and virus and worm propagation, from normal traffic. PDS, proposed by Random Knowledge Inc., detects and localizes traffic patterns consistent with attacks hidden within large amounts of legitimate traffic. With the network's packet traffic stream as its input, PDS relies on high-fidelity models of normal traffic against which it can critically judge the legitimacy of any substream of packet traffic. Because of this reliance on an accurate baseline model of normal network traffic, in this workshop we concentrate on modelling normal network traffic with a Poisson process.
problem_statement: Network security is still in its infancy. Existing intrusion detection and prevention solutions lack accuracy, broad attack coverage, speed, performance, and scalability; they do not provide reliable protection for today's vital networks. Random Knowledge Inc.'s approach to intrusion detection is to apply Mathematically Optimal Detection, which it holds outperforms other methods, including pattern matching, neural networks and statistical techniques. This detection system, the Portscan Detection System (PDS), detects and localizes traffic patterns consistent with possibly stealthy forms of attack from within hordes of legitimate traffic. With the network's packet traffic stream as its input, PDS relies on high-fidelity models of normal traffic against which it can critically judge the legitimacy of any substream of packet traffic. In this modelling workshop we try to characterize normal traffic, which involves: 1. Defining all the different types of connection session. 2. Verifying a Poisson measure model for the incoming connection sessions, i.e. if the connection session types are labelled $1, \ldots, n$, determining whether $N(A \times (0, t])$ is Poisson distributed for any subset $A$ of $\{1, \ldots, n\}$, where $N$ is the Poisson measure. 3. Determining the rates for $N(A \times (0, t])$, or equivalently its mean measure, if the session generation does conform reasonably to the Poisson measure model, and otherwise suggesting other suitable models. 4. Verifying self-similarity and heavy-tailed distributions within connection sessions (for example in the transmission time), and estimating their parameters. Hitherto, most study of traffic characterization has focused on the implications for improved network performance. Random Knowledge's approach is the study of traffic characterization for the implications of detecting malicious hacker activity.
date: 2004
date_type: published
pages: 11
citation: Pyke, Randall (2004) Analyzing Network Traffic for Malicious Hacker Activity. [Study Group Report]
document_url: http://miis.maths.ox.ac.uk/miis/181/1/random_knowledge.pdf
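Steps 2 to 4 of the problem statement, as an added worked example in Python that is not part of the report or of Random Knowledge's PDS. It assumes sessions already carry a type label from step 1 and are recorded as (type, arrival time, transfer time) tuples; the session records and the scan burst are constructed for illustration, not captured traffic. The Poisson hypothesis for $N(A \times (0,t])$ is checked with an index-of-dispersion test on binned counts (one standard choice, not necessarily the one the study group used), the rates that fix the mean measure are estimated as counts per unit time, and the tail index of the transfer times is estimated with the Hill estimator. It does not estimate a Hurst parameter for self-similarity.

```python
"""Checks for the Poisson-measure model of connection-session arrivals.

Added example, not part of the study group report or of PDS.  Sessions are
assumed to be classified into types 1..n already and are recorded as
(type, arrival_time, transfer_seconds) tuples.  All data below is constructed.
"""
import math
import statistics

# Constructed sample: 12 sessions of three types over a 6-second window.
SESSIONS = [
    (1, 0.3, 2.0), (2, 0.8, 1.0), (1, 1.2, 4.0), (3, 1.5, 0.5),
    (2, 2.4, 8.0), (1, 2.9, 1.0), (3, 3.1, 16.0), (1, 3.7, 2.0),
    (2, 4.2, 1.0), (1, 4.9, 0.5), (3, 5.3, 2.0), (2, 5.8, 1.0),
]
HORIZON = 6.0  # the T in (0, T]

# Constructed burst: ten type-3 sessions inside 0.1 s, the shape a port
# scan leaves in the count process.
SCAN_BURST = [(3, 3.0 + 0.01 * i, 0.1) for i in range(1, 11)]


def count_measure(sessions, types, t):
    """N(A x (0, t]): sessions whose type is in A and whose arrival is in (0, t]."""
    return sum(1 for kind, arrival, _ in sessions
               if kind in types and 0.0 < arrival <= t)


def rate_estimates(sessions, types, horizon):
    """Rate lambda_i = N({i} x (0, T]) / T for each type i.  Under the
    Poisson-measure model the mean measure of A x (0, t] is then
    t * sum(lambda_i for i in A)."""
    return {i: count_measure(sessions, {i}, horizon) / horizon for i in types}


def bin_counts(sessions, types, horizon, width):
    """Counts N(A x ((k-1)w, kw]) for consecutive bins of width w."""
    counts = [0] * math.ceil(horizon / width)
    for kind, arrival, _ in sessions:
        if kind in types and 0.0 < arrival <= horizon:
            counts[math.ceil(arrival / width) - 1] += 1
    return counts


def dispersion_index(counts):
    """Sample variance / mean of the bin counts; 1 in expectation for
    Poisson counts, above 1 for bursty (overdispersed) counts."""
    mean = statistics.mean(counts)
    return statistics.variance(counts) / mean if mean > 0 else float("nan")


def dispersion_test(counts, z_crit=1.96):
    """Index-of-dispersion test.  Under the Poisson hypothesis (n-1)*D is
    approximately chi-square with n-1 degrees of freedom, so
    z = (D - 1) * sqrt((n-1)/2) is approximately standard normal.
    Returns (D, z, rejected)."""
    n = len(counts)
    d = dispersion_index(counts)
    z = (d - 1.0) * math.sqrt((n - 1) / 2.0)
    return d, z, abs(z) > z_crit


def hill_estimator(samples, k):
    """Hill estimate of the tail index alpha from the k largest samples:
    alpha = k / sum(log(x_(i) / x_(k+1)), i = 1..k) with x sorted
    descending.  alpha < 2 indicates a heavy (infinite-variance) tail."""
    x = sorted(samples, reverse=True)
    if k < 1 or k >= len(x):
        raise ValueError("k must satisfy 1 <= k < len(samples)")
    return k / sum(math.log(x[i] / x[k]) for i in range(k))


if __name__ == "__main__":
    all_types = {1, 2, 3}
    print("rates:", rate_estimates(SESSIONS, all_types, HORIZON))
    print("N({1,2} x (0,3]) =", count_measure(SESSIONS, {1, 2}, 3.0))
    for label, data in (("baseline", SESSIONS),
                        ("baseline+scan", SESSIONS + SCAN_BURST)):
        counts = bin_counts(data, all_types, HORIZON, 1.0)
        d, z, rejected = dispersion_test(counts)
        print(f"{label}: bins={counts} D={d:.2f} z={z:.2f} "
              f"poisson_rejected={rejected}")
    print("Hill tail index (k=3):",
          hill_estimator([s[2] for s in SESSIONS], 3))
```

Two caveats a practitioner would want. The dispersion test only sees burstiness at the chosen bin width, so a slow scan spread evenly over many bins leaves the index near 1; the subset $A$ matters for the same reason, since a burst of one session type can be diluted inside the count for all types. The Hill estimate depends strongly on $k$ and on sample size; with twelve constructed values it only illustrates the computation, and on real transfer times one would plot the estimate against $k$ and read off a stable region.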