Evaluating Internet Background Radiation Detector Rules

Vaterlaus, Mathias (2011) Evaluating Internet Background Radiation Detector Rules. Diploma thesis, HSR Hochschule für Technik Rapperswil.

Eval IBR Detector Rules Technical Report.pdf - Supplemental Material (3MB)

Abstract

Introduction: When inspecting the traffic occurring in the Internet, we notice that a significant amount of it is caused by scanning, (D)DoS attacks, and other malicious causes. Because of its ubiquitous nature and its variable forms of appearance, this traffic is called Internet Background Radiation (IBR). To understand the causes of IBR, a detector software was developed that classifies the one-way flows occurring in the analyzed traffic. To match the analyzed one-way flows to defined classes, the IBR Detector is based on a rule-set.

Approach: A first goal is to evaluate whether the rules match most of the one-way flows correctly. The second goal is to explain the causes of a peak in the analyzed periods. In a first step, all flows belonging to a specific class are sorted out. The second step is the execution of the Frequent Item-set Mining (FIM) analysis applied to the flow and sign files. For statistical purposes, a sign statistic is created in a third step.

Result: The results of the FIM analysis have shown that the inspected flow item-sets are correctly classified. The second goal was not reached, because the FIM analysis did not reveal the causes of the peaks in all periods. A significant peak is detected in the item-sets of the class Other Malicious. It is caused by clients trying to contact the server swisstime.ethz.ch on port 37, but the server only serves NTP and not the old Time Protocol. The sign statistics over a whole interval allow the calculation of the rule effectiveness of class Backscatter, which shows that the rule containing the "backsc" sign is not very effective and matches less than 0.1 % of the flows to this class. On the other hand, the rule containing only the ICMP sign assigns the most flows to the class Backscatter.
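The three-step approach from the abstract, as an added example in Python that is not part of the thesis or its detector software: a small sign-based rule-set classifies constructed one-way flow records, the flows of one class are sorted out, an Apriori-style frequent item-set mining pass is run over them, and the rule effectiveness is derived from the sign statistic. Only the signs "backsc" and "ICMP", the class names and the swisstime.ethz.ch/port 37 case come from the abstract; the other sign names ("noreply", "scan"), the rule order, the choice of Apriori as the FIM algorithm and all flow records are assumptions made for this example.

```python
"""Added example: the three-step evaluation from the abstract on constructed
NetFlow-like one-way flow records.  Not the thesis' detector code.  Only the
signs "backsc" and "ICMP", the class names and the swisstime.ethz.ch/port 37
case come from the abstract; every other sign name, the rule order and all
flow records are assumptions made for this example."""

from collections import Counter

# Constructed one-way flows: 5-tuple-like fields plus the signs the detector
# attached.  "noreply" and "scan" are hypothetical sign names.
FLOWS = (
    # Time Protocol (TCP/37) requests to a host that only serves NTP: the
    # server never answers, so these show up as one-way flows.
    [{"src": f"10.0.{i}.5", "dst": "swisstime.ethz.ch", "proto": "TCP",
      "dport": 37, "signs": {"noreply"}} for i in range(6)]
    # other unanswered probes with no common pattern
    + [{"src": "10.0.9.9", "dst": "192.0.2.50", "proto": "UDP", "dport": 1900,
        "signs": {"noreply"}},
       {"src": "10.0.9.10", "dst": "192.0.2.51", "proto": "UDP", "dport": 5060,
        "signs": {"noreply"}}]
    # ICMP messages returned to the spoofed victims of a DoS: backscatter
    + [{"src": "203.0.113.1", "dst": f"198.51.100.{i}", "proto": "ICMP",
        "dport": 0, "signs": {"ICMP"}} for i in range(4)]
    # one backscatter flow that also carries the explicit "backsc" sign
    + [{"src": "203.0.113.2", "dst": "198.51.100.9", "proto": "ICMP",
        "dport": 0, "signs": {"ICMP", "backsc"}}]
    # horizontal SMB scan
    + [{"src": "192.0.2.7", "dst": f"198.51.100.{i}", "proto": "TCP",
        "dport": 445, "signs": {"noreply", "scan"}} for i in range(3)]
)

# Ordered rule-set: (class, signs that must all be present); first match wins.
RULES = [
    ("Backscatter", {"backsc"}),       # rule 0: needs the "backsc" sign
    ("Backscatter", {"ICMP"}),         # rule 1: the ICMP-only rule
    ("Scanning", {"scan"}),            # rule 2
    ("Other Malicious", {"noreply"}),  # rule 3: catch-all for unanswered flows
]


def classify(flow):
    """Return (class, rule index) of the first rule whose signs are a subset
    of the flow's signs, or ("Unclassified", None)."""
    for idx, (cls, needed) in enumerate(RULES):
        if needed <= flow["signs"]:
            return cls, idx
    return "Unclassified", None


def flows_in_class(flows, cls):
    """Step 1: sort out the flows the rule-set assigns to one class."""
    return [f for f in flows if classify(f)[0] == cls]


def frequent_itemsets(records, keys, min_support):
    """Step 2: Apriori-style FIM.  Each record becomes a basket of
    (field, value) items; returns {frozenset(items): support count} for every
    item-set present in at least min_support records, grown one level at a
    time (an item-set can only be frequent if all its subsets are)."""
    baskets = [frozenset((k, r[k]) for k in keys) for r in records]
    counts = Counter(item for b in baskets for item in b)
    level = {frozenset([i]): c for i, c in counts.items() if c >= min_support}
    frequent = dict(level)
    size = 1
    while level:
        candidates = {a | b for a in level for b in level if len(a | b) == size + 1}
        level = {}
        for cand in candidates:
            support = sum(1 for b in baskets if cand <= b)
            if support >= min_support:
                level[cand] = support
        frequent.update(level)
        size += 1
    return frequent


def dominant_itemset(records, keys, min_support):
    """The largest frequent item-set (ties broken by support): the pattern
    that explains a peak, if one exists; (None, 0) when nothing is frequent."""
    sets = frequent_itemsets(records, keys, min_support)
    if not sets:
        return None, 0
    return max(sets.items(), key=lambda kv: (len(kv[0]), kv[1]))


def sign_statistic(flows):
    """Step 3: how many flows each (class, rule) pair absorbed."""
    return Counter(classify(f) for f in flows)


def rule_effectiveness(flows, cls):
    """Share of a class's flows that each rule contributed; a rule near 0
    is one the detector could drop or that needs a different sign."""
    stat = sign_statistic(flows)
    total = sum(n for (c, _), n in stat.items() if c == cls)
    return {idx: n / total for (c, idx), n in stat.items() if c == cls}


if __name__ == "__main__":
    other = flows_in_class(FLOWS, "Other Malicious")
    print(dominant_itemset(other, ("proto", "dport", "dst"), min_support=3))
    print(rule_effectiveness(FLOWS, "Backscatter"))
```

On the constructed data the dominant item-set of the Other Malicious flows is {proto=TCP, dport=37, dst=swisstime.ethz.ch} with support 6, which is the kind of pattern the abstract reports as the cause of its peak, and the Backscatter effectiveness comes out as 20 % for the "backsc" rule against 80 % for the ICMP-only rule; on real data with the thesis' rule-set the "backsc" share is far smaller, which is what the sign statistic is meant to surface.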

Item Type: Thesis (Diploma)
Subjects: Topics > Internet Technologies and Applications
Topics > Security
Area of Application > Statistics
Technologies > Protocols > NetFlow
Technologies > Protocols > TCP/IP
Divisions: Bachelor of Science FHO in Informatik > Diploma Thesis
Creators: Vaterlaus, Mathias
Contributors: Thesis advisor: Glatz, Eduard
Funders: ETH Zürich
Depositing User: HSR Deposit User
Date Deposited: 24 Jul 2012 07:57
Last Modified: 05 Sep 2013 06:46
URI: http://eprints.hsr.ch/id/eprint/166
