Evaluating Internet Background Radiation Detector Rules

Vaterlaus, Mathias (2011) Evaluating Internet Background Radiation Detector Rules. Diploma thesis, HSR Hochschule für Technik Rapperswil.

[thumbnail of Eval IBR Detector Rules Technical Report.pdf]
Preview
Text
Eval IBR Detector Rules Technical Report.pdf - Supplemental Material

Download (3MB) | Preview

Abstract

Introduction: When inspecting the traffic occurring in the Internet, we notice
that a significant amount of it is caused by scanning, (D) DoS attacks, and
other malicious causes. Because of the ubiquitous nature and its variable
forms of appearance, this traffic is called Internet Background Radiation (IBR).
To understand the causes of IBR, a Detector Software was developed for
classifying the One-Way Flows occuring in the analyzed traffic. To match the
analyzed One-Way Flows into defined classes, the IBR Detector is based on a
rule-set.
Approach: A first goal is to evaluate, if the rules match most of the one-way
flows correctly. The second goal is to explain the causes of a peak in the
analyzed periods. In a first step, all flow belonging to a specific class are
sorted out. The second step is the execution of the Frequent Item-set Mining
(FIM) analysis applied to the flow and sign files. For statistical purposes, a sign
statistic is created in a third step.
Result: The results of the FIM analysis has proven, that the inspected flow
item-sets are correctly classified. The second goal was not reached, because
the FIM analysis did not reveal the causes of the peaks in all periods.A
significant peak is detected in the item-sets of the class Other Malicious. It is
caused by clients trying to contact the server swisstime.ethz.ch on port 37, but
the server only serves NTP and not the old Time Protocol.The sign statistics
over a whole interval allows the calculation of the rule effectiveness of class
Backscatter, which shows that the rule containing the "backsc" sign is not very
effective and matches less than 0,1 % of flows to this class. On the other hand,
the rule containing only the ICMP sign assigns the most flows to the class
Backscatter.

Item Type: Thesis (Diploma)
Subjects: Topics > Internet Technologies and Applications
Topics > Security
Area of Application > Statistics
Technologies > Protocols > NetFlow
Technologies > Protocols > TCP/IP
Divisions: Bachelor of Science FHO in Informatik > Diploma Thesis
Depositing User: HSR Deposit User
Contributors:
Contribution
Name
Email
Thesis advisor
Glatz, Eduard
UNSPECIFIED
Date Deposited: 24 Jul 2012 07:57
Last Modified: 05 Sep 2013 06:46
URI: https://eprints.ost.ch/id/eprint/166

Actions (login required)

View Item
View Item