Author(s)

C. Caruso & D. Malerba

Abstract

The necessary spread of the access points to network services makes them vulnerable to many potential and different types of attackers: script kiddies, hackers, and misfeasors. Although the network services produce a great quantity of data logged by hosts, it is impossible for a security officer, and generally for a network administrator, to monitor daily generated traffic in order to control attacks. Currently a LAN is defended with a mixture of solutions adopted at different levels. Commercial firewalls typically use descriptive statistics to give the security officer information about the quantitative characteristics of the TCP/IP traffic as a whole. In this work, we generate information on the \“profile” of connections by means of clustering techniques. This approach makes the security officer able to detect connections that are far away from the mass. We use different clustering techniques in order to study their response for this type of problem. Results on real traffic data are reported and commented. Keywords: live network traffic analysis, anomaly detection, intrusion detection, clustering, data preprocessing. 1 Introduction For a network administrator it is important to have a complete description of the connections behaviour so to understand the development of his/her own network. This aspect is becoming more and more relevant and in fact commercial firewalls include modules which, though the computation of simple descriptive statistics, try to inform the security officer on the qualitative nature of network traffic. Firewalls have no means to give information about the mass of connections. The built-in modules permit to analyse every aspect of packet streams; some firewalls also possess an SQL dialect to query its own logs but SQL queries give answers about something the user already know or \“suspect”.

Keywords

live network traffic analysis, anomaly detection, intrusion detection, clustering, data preprocessing.