Digital Library
Identifying Anomalous Port-Specific Network Behavior
- May 2010
- In this report, Rhiannon Weaver describes a method for identifying network behavior that may be a sign of coming internet-wide attacks.
- Network Situational Awareness
-
Publisher: Software Engineering Institute
CMU/SEI Report Number: CMU/SEI-2010-TR-010
-
Abstract
Increasing trends in traffic volume on specific ports may indicate new interest in a vulnerability associated with that port. This activity can be a precursor to internet-wide attacks. Port-specific behavior can also arise from stealthy applications that migrate to different ports in order to evade firewalls. But detecting this subtle activity among thousands of monitored ports requires careful statistical modeling as well as methods for controlling false positives. The analysis documented in this report is a large-scale application of statistical outlier detection for determining unusual port-specific network behavior. The method uses a robust correlation measure to cluster related ports and to control for the background baseline traffic trend. A scaled, median-corrected process, called a Z-score, is calculated for the hourly volume measurements for each port. The Z-score measures how unusual each port's behavior is in comparison with the rest of the ports in its cluster. The researchers discuss lessons learned from applying the method to the hourly count of incoming flow records for a carrier-class network over a period of three weeks.
- Download
Cite This Report
SEI
Weaver, Rhiannon. Identifying Anomalous Port-Specific Network Behavior. CMU/SEI-2010-TR-010 . Software Engineering Institute, Carnegie Mellon University. 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459
IEEE
Weaver. Rhiannon, "Identifying Anomalous Port-Specific Network Behavior," Software Engineering Institute, Carnegie Mellon University, Pittsburgh, Pennsylvania, Technical Report CMU/SEI-2010-TR-010 , 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459
APA
Weaver, Rhiannon. (2010). Identifying Anomalous Port-Specific Network Behavior (CMU/SEI-2010-TR-010 ). Retrieved June 19, 2018, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459
CHI
Rhiannon Weaver. Identifying Anomalous Port-Specific Network Behavior (CMU/SEI-2010-TR-010 ). Pittsburgh, PA: Software Engineering Institute, Carnegie Mellon University, 2010. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459
MLA
Weaver, Rhiannon. 2010. Identifying Anomalous Port-Specific Network Behavior (Technical Report CMU/SEI-2010-TR-010 ). Pittsburgh: Software Engineering Institute, Carnegie Mellon University. http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459
BibTex
@techreport{WeaverIdentifyingAnomalous2010,
title={Identifying Anomalous Port-Specific Network Behavior},
author={Rhiannon Weaver},
year={2010},
number={CMU/SEI-2010-TR-010 },
institution={Software Engineering Institute, Carnegie Mellon University},
address={Pittsburgh, PA},
url={http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=9459}
}