Identifying Anomalous Port-Specific Network Behavior
May 2010 • Technical Report
In this report, Rhiannon Weaver describes a method for identifying network behavior that may be a sign of coming internet-wide attacks.
Software Engineering Institute
CMU/SEI Report Number
Increasing trends in traffic volume on specific ports may indicate new interest in a vulnerability associated with that port. This activity can be a precursor to internet-wide attacks. Port-specific behavior can also arise from stealthy applications that migrate to different ports in order to evade firewalls. But detecting this subtle activity among thousands of monitored ports requires careful statistical modeling as well as methods for controlling false positives. The analysis documented in this report is a large-scale application of statistical outlier detection for determining unusual port-specific network behavior. The method uses a robust correlation measure to cluster related ports and to control for the background baseline traffic trend. A scaled, median-corrected process, called a Z-score, is calculated for the hourly volume measurements for each port. The Z-score measures how unusual each port's behavior is in comparison with the rest of the ports in its cluster. The researchers discuss lessons learned from applying the method to the hourly count of incoming flow records for a carrier-class network over a period of three weeks.