Software Engineering Institute | Carnegie Mellon University

White Paper

Correlations Between Quiescent Ports in Network Flows (White Paper)

  • September 2005
  • By Josh McNutt, Markus Deshon
  • In this paper, the authors introduce a method for detecting the onset of anomalous port-specific activity by recognizing deviation from correlated activity.
  • Network Situational Awareness
  • Publisher: Software Engineering Institute
  • Abstract

    TCP/IP ports that are not in regular use (quiescent ports) can show surges in activity for several reasons. Two examples include the discovery of a vulnerability in an unused (but still present) network service or a new backdoor that runs on an unassigned or obsolete port. Identifying this anomalous activity can be a challenge, however, due to the ever-present background of vertical scanning, which can show substantial peak activity. It is, however, possible to separate port-specific activity from this background by recognizing that the activity due to vertical scanning results in strong correlations between port-specific flow counts. We introduce a method for detecting the onset of anomalous port-specific activity by recognizing deviation from correlated activity.

Part of a Collection

FloCon 2005 Collection