Software Engineering Institute | Carnegie Mellon University

White Paper

Identifying Anomalous Network Traffic Through the Use of Client Port Distribution

  • October 2006
  • By Josh Goldfarb (US-CERT)
  • In this paper, Josh Goldfarb introduces an approach to IP flow analysis that examines server ports and client ports that exchange flows with them.
  • Network Situational Awareness
  • Publisher: Software Engineering Institute
  • Abstract

    This particular approach to IP flow analysis examines server ports (0 to 1023) and the client ports that exchange flows with those server ports. This analysis operates under the assumption that, for each server port, the number of flows from each port chosen by client machines should be relatively uniform. In other words, similar numbers of flows from each of the chosen client ports to a given server port are expected. If a large deviation from the norm is observed, that traffic is considered to be of interest and is flagged for further analysis. US-CERT has tested this analysis technique on a large enterprise network with a large amount of network flow data. Details of this method of analysis are discussed in the next section of this paper.

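The per-server-port counting and deviation check the abstract describes, as an added example that is not code from the paper or from US-CERT. It assumes flow records as simple "sip,sport,dip,dport" text lines, a constructed sample, and a median-based threshold (flag a client port whose flow count exceeds ten times the median for that server port); the paper itself does not specify the threshold.

```python
from collections import defaultdict
from statistics import median

SERVER_PORT_MAX = 1023  # server ports are 0-1023, as in the abstract


def build_sample_flows():
    """Constructed sample flow records (made up for this example, not real data)."""
    lines = []
    for cport in range(40000, 40020):            # 20 ephemeral client ports, 5 flows each to port 80
        lines += [f"10.0.0.{cport % 7},{cport},192.0.2.10,80"] * 5
    lines += ["10.0.0.99,1025,192.0.2.10,80"] * 300   # one client port with far more flows than the rest
    for cport in range(50000, 50010):            # 10 client ports, 4 flows each to port 22
        lines += [f"10.0.0.5,{cport},192.0.2.20,22"] * 4
    return lines


def count_by_client_port(flow_lines):
    """Return {server_port: {client_port: flow_count}}.

    The side whose port lies in 0-1023 is taken as the server; flows where both or
    neither side is in that range are skipped as ambiguous for this analysis.
    """
    counts = defaultdict(lambda: defaultdict(int))
    for line in flow_lines:
        _, sport, _, dport = line.split(",")
        sport, dport = int(sport), int(dport)
        if dport <= SERVER_PORT_MAX < sport:
            counts[dport][sport] += 1
        elif sport <= SERVER_PORT_MAX < dport:
            counts[sport][dport] += 1
    return counts


def flag_anomalies(counts, factor=10, min_client_ports=5):
    """Flag (server_port, client_port, count) where count exceeds factor * median
    of the per-client-port counts for that server port. Server ports seen with
    fewer than min_client_ports distinct client ports have no usable norm and are skipped."""
    flagged = []
    for server_port, per_client in counts.items():
        if len(per_client) < min_client_ports:
            continue
        norm = median(per_client.values())
        for client_port, n in sorted(per_client.items()):
            if n > factor * norm:
                flagged.append((server_port, client_port, n))
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(count_by_client_port(build_sample_flows())):
        print("server port %d: client port %d sent %d flows (deviates from norm)" % hit)
```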

Part of a Collection

FloCon 2006 Collection