By Topic

Analysis of TCP flow data for traffic anomaly and scan detection

Sign In

Cookies must be enabled to login.After enabling cookies , please use refresh or reload or ctrl+f5 on the browser for the login options.

Formats Non-Member Member
$33 $13
Learn how you can qualify for the best price for this item!
Become an IEEE Member or Subscribe to
IEEE Xplore for exclusive pricing!
close button

puzzle piece

IEEE membership options for an individual and IEEE Xplore subscriptions for an organization offer the most affordable access to essential journal articles, conference papers, standards, eBooks, and eLearning courses.

Learn more about:

IEEE membership

IEEE Xplore subscriptions

1 Author(s)
N. Muraleedharan ; Centre for Dev. of Adv. Comput., Bangalore, India

Scanning tools are commonly used by intruders for identifying vulnerable hosts and applications in a network. So from security perspective, to identify the attack in its initial stage and to minimize the impact of attack, it is important to detect scanning activities in a network. We have mainly considered TCP flow because most of the Internet application uses it as a transport protocol. Traditionally, TCP scan traffic detection uses either flag values in the TCP packet header or statistical properties of the connection parameter like number of failed connection attempts. In this paper, we present a novel behaviour analysis of TCP traffic, where by using the flow characteristics, we identify anomalies and scan activities in a network or host. The proposed method provides a generic solution to SYN scan (half open), connect scan, FIN scan, Xmas scan and null scan. Results obtained from our method prove the detection capabilities and accuracy.

Published in:

2008 16th IEEE International Conference on Networks

Date of Conference:

12-14 Dec. 2008