Referenced Items are not available for this document.
Worms use different methods to propagate in networks. One of these methods is by means of broadcasting packets. Broadcasted packets occupy high percentage of network bandwidth, and abnormal broadcast traffic analysis could be a useful method for detecting network problems and infected hosts. In this paper a new method for detecting ARP abnormal traffic in a broadcast domain is introduced. A combination of four different ARP traffic criteria are used to determine network anomaly. Four parameters: Rate, Burstiness, Dark space and Sequential scan were considered. Our method focuses on rate anomaly caused by worms, scans and poorly-configured services. We applied our method to a real network to evaluate system accuracy and noticed that during one month, 92.9 percent of alarms were true positive alarms. This technique not only traces ARP anomaly the same way as scanning worms, but also it detects any host that disturbs the traffic rate in different LAN.
Published in:
Systems and Networks Communications, 2006. ICSNC '06. International Conference on
Date of Conference: Oct. 2006
- Page(s):
- 53
- Print ISBN:
- 0-7695-2699-3
- Conference Location :
- Tahiti
- Digital Object Identifier :
- 10.1109/ICSNC.2006.5
- Product Type:
- Conference Publications
About IEEE Xplore | Contact | Help | Terms of Use | Nondiscrimination Policy | Site Map | Privacy & Opting Out of Cookies
A not-for-profit organization, IEEE is the world's largest professional association for the advancement of technology.
© Copyright 2013 IEEE - All rights reserved. Use of this web site signifies your agreement to the terms and conditions.
