+44 (0)1509 263171
Please use this identifier to cite or link to this item:
|Title: ||Inferring malicious network events in commercial ISP networks using traffic summarisation|
|Authors: ||Sandford, Peter|
|Issue Date: ||2012|
|Publisher: ||© Peter Sandford|
|Abstract: ||With the recent increases in bandwidth available to home users, traffic rates for
commercial national networks have also been increasing rapidly. This presents
a problem for any network monitoring tool as the traffic rate they are expected
to monitor is rising on a monthly basis. Security within these networks is para-
mount as they are now an accepted home of trade and commerce. Core networks
have been demonstrably and repeatedly open to attack; these events have had
significant material costs to high profile targets.
Network monitoring is an important part of network security, providing in-
formation about potential security breaches and in understanding their impact.
Monitoring at high data rates is a significant problem; both in terms of processing
the information at line rates, and in terms of presenting the relevant information
to the appropriate persons or systems.
This thesis suggests that the use of summary statistics, gathered over a num-
ber of packets, is a sensible and effective way of coping with high data rates. A
methodology for discovering which metrics are appropriate for classifying signi-
ficant network events using statistical summaries is presented. It is shown that
the statistical measures found with this methodology can be used effectively as
a metric for defining periods of significant anomaly, and further classifying these
anomalies as legitimate or otherwise. In a laboratory environment, these metrics
were used to detect DoS traffic representing as little as 0.1% of the overall network
The metrics discovered were then analysed to demonstrate that they are ap-
propriate and rational metrics for the detection of network level anomalies. These
metrics were shown to have distinctive characteristics during DoS by the analysis
of live network observations taken during DoS events.
This work was implemented and operated within a live system, at multiple
sites within the core of a commercial ISP network. The statistical summaries
are generated at city based points of presence and gathered centrally to allow for
spacial and topological correlation of security events.
The architecture chosen was shown to be
exible in its application. The system
was used to detect the level of VoIP traffic present on the network through the
implementation of packet size distribution analysis in a multi-gigabit environment.
It was also used to detect unsolicited SMTP generators injecting messages into
Monitoring in a commercial network environment is subject to data protec-
tion legislation. Accordingly the system presented processed only network and
transport layer headers, all other data being discarded at the capture interface.
The system described in this thesis was operational for a period of 6 months,
during which a set of over 140 network anomalies, both malicious and benign were
observed over a range of localities. The system design, example anomalies and
metric analysis form the majority of this thesis.|
|Description: ||A Doctoral Thesis. Submitted in partial fulfillment of the requirements for the award of Doctor of Philosophy of Loughborough University.|
|Appears in Collections:||PhD Theses (Electronic, Electrical and Systems Engineering)|
Files associated with this item:
Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.