Software Engineering Institute | Carnegie Mellon University
Software Engineering Institute | Carnegie Mellon University
Menu
Home Digital Library Identifying Anomalous Port-Specific Network Behavior

Digital Library

Javascript is currently disabled for your browser. For an optimal search experience, please enable javascript.

Advanced Search

Basic Search

Content Type

Topics

Publication Date

Technical Report

Identifying Anomalous Port-Specific Network Behavior

  • May 2010
  • By Rhiannon Weaver
  • In this report, Rhiannon Weaver describes a method for identifying network behavior that may be a sign of coming internet-wide attacks.
  • Network Situational Awareness
  • Publisher: Software Engineering Institute
    CMU/SEI Report Number: CMU/SEI-2010-TR-010

  • Abstract

    Increasing trends in traffic volume on specific ports may indicate new interest in a vulnerability associated with that port. This activity can be a precursor to internet-wide attacks. Port-specific behavior can also arise from stealthy applications that migrate to different ports in order to evade firewalls. But detecting this subtle activity among thousands of monitored ports requires careful statistical modeling as well as methods for controlling false positives. The analysis documented in this report is a large-scale application of statistical outlier detection for determining unusual port-specific network behavior. The method uses a robust correlation measure to cluster related ports and to control for the background baseline traffic trend. A scaled, median-corrected process, called a Z-score, is calculated for the hourly volume measurements for each port. The Z-score measures how unusual each port's behavior is in comparison with the rest of the ports in its cluster. The researchers discuss lessons learned from applying the method to the hourly count of incoming flow records for a carrier-class network over a period of three weeks.

  • Download

Cite This Report

SEI

Weaver, Rhiannon. Identifying Anomalous Port-Specific Network Behavior. CMU/SEI-2010-TR-010 . Software Engineering Institute, Carnegie Mellon University. 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459

IEEE

Weaver. Rhiannon, "Identifying Anomalous Port-Specific Network Behavior," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Report CMU/SEI-2010-TR-010 , 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459

APA

Weaver, Rhiannon. (2010). Identifying Anomalous Port-Specific Network Behavior (CMU/SEI-2010-TR-010 ). Retrieved October 23, 2018, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459

CHI

Rhiannon Weaver. Identifying Anomalous Port-Specific Network Behavior (CMU/SEI-2010-TR-010 ). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459

MLA

Weaver, Rhiannon. 2010. Identifying Anomalous Port-Specific Network Behavior (Technical Report CMU/SEI-2010-TR-010 ). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459

BibTex

@techreport{WeaverIdentifyingAnomalous2010,
title={Identifying Anomalous Port-Specific Network Behavior},
author={Rhiannon Weaver},
year={2010},
number={CMU/SEI-2010-TR-010 },
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459} }