Flow Based Observations from NETI@home and Honeynet Data

Date
2005-06
Author
Grizzard, Julian B.
Simpson, Charles Robert, Jr.
Krasser, Sven
Owen, Henry L., III
Riley, George F.
Abstract
We conduct a flow based comparison of honeynet traffic, representing malicious traffic, and NETI@home traffic, representing typical end user traffic. We present a cumulative distribution function of the number of packets for a TCP flow and learn that a large portion of these flows in both datasets are failed and potentially malicious connection attempts. Next, we look at a histogram of TCP port activity over large time scales to gain insight into port scanning and worm activity. One key observation is that new worms can linger on for more than a year after the initial release date. Finally, we look at activity relative to the IP address space and observe that the sources of malicious traffic are spread across the allocated range.
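The first analysis the abstract describes, grouping packets into bidirectional TCP flows, computing the cumulative distribution of packets per flow, and counting how many flows are failed connection attempts, can be reproduced on a small scale. The block below is an added illustration written for this record, not code from the paper or from the NETI@home project. It assumes a constructed list of packet records (endpoints plus TCP flag letters) and a simple rule of its own for "failed": a flow in which no SYN-ACK was ever observed, which covers both unanswered SYNs and SYNs answered by RST. The paper does not state which criterion it used, so that rule is an assumption.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# One packet: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
# Flag letters: S=SYN, A=ACK, P=PSH, F=FIN, R=RST.
Packet = Tuple[str, int, str, int, str]
FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]

# Constructed sample capture (assumption, not data from the paper).
SAMPLE_PACKETS: List[Packet] = [
    # A completed connection: handshake, data, teardown (8 packets).
    ("10.0.0.5", 40001, "10.0.0.9", 80, "S"),
    ("10.0.0.9", 80, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, "A"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, "PA"),
    ("10.0.0.9", 80, "10.0.0.5", 40001, "PA"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, "FA"),
    ("10.0.0.9", 80, "10.0.0.5", 40001, "FA"),
    ("10.0.0.5", 40001, "10.0.0.9", 80, "A"),
    # A single SYN with no reply at all (1 packet).
    ("192.0.2.10", 51000, "10.0.0.20", 445, "S"),
    # A SYN answered by RST, i.e. a closed port (2 packets).
    ("192.0.2.10", 51001, "10.0.0.21", 135, "S"),
    ("10.0.0.21", 135, "192.0.2.10", 51001, "RA"),
    # A SYN retransmitted twice with no reply (3 packets).
    ("192.0.2.11", 52000, "10.0.0.22", 1433, "S"),
    ("192.0.2.11", 52000, "10.0.0.22", 1433, "S"),
    ("192.0.2.11", 52000, "10.0.0.22", 1433, "S"),
]


def flow_key(pkt: Packet) -> FlowKey:
    """Bidirectional flow key: both endpoints in canonical order, so the
    two directions of one TCP connection fall into the same flow."""
    a, b = (pkt[0], pkt[1]), (pkt[2], pkt[3])
    return (a, b) if a <= b else (b, a)


def build_flows(packets: List[Packet]) -> Dict[FlowKey, List[str]]:
    """Group packets into flows, keeping the flag string of each packet."""
    flows: Dict[FlowKey, List[str]] = defaultdict(list)
    for pkt in packets:
        flows[flow_key(pkt)].append(pkt[4])
    return dict(flows)


def handshake_completed(flags: List[str]) -> bool:
    """Assumed criterion: a flow succeeded only if a SYN-ACK was observed.
    Unanswered SYNs and SYNs met with RST therefore count as failed."""
    return any("S" in f and "A" in f for f in flags)


def packets_per_flow_cdf(flows: Dict[FlowKey, List[str]]) -> List[Tuple[int, float]]:
    """Empirical CDF of packets per flow as (n, fraction of flows with <= n packets)."""
    counts = sorted(len(flags) for flags in flows.values())
    total = len(counts)
    cdf: List[Tuple[int, float]] = []
    seen = 0
    for n in sorted(set(counts)):
        seen += counts.count(n)
        cdf.append((n, seen / total))
    return cdf


def summarize(packets: List[Packet]) -> dict:
    """Flow count, failed-attempt count and fraction, and the packets-per-flow CDF."""
    flows = build_flows(packets)
    if not flows:
        return {"flows": 0, "failed_attempts": 0, "failed_fraction": 0.0, "cdf": []}
    failed = sum(1 for flags in flows.values() if not handshake_completed(flags))
    return {
        "flows": len(flows),
        "failed_attempts": failed,
        "failed_fraction": failed / len(flows),
        "cdf": packets_per_flow_cdf(flows),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_PACKETS)
    print(f"{result['flows']} flows, {result['failed_attempts']} failed "
          f"({result['failed_fraction']:.0%})")
    for n, frac in result["cdf"]:
        print(f"  P(packets <= {n}) = {frac:.2f}")
```

On the constructed sample, three of the four flows never see a SYN-ACK, and the CDF shows that three quarters of flows carry three packets or fewer, which is the shape the abstract reports: the short flows are the failed attempts. On a real capture the same grouping applies per 5-tuple, and the low-packet-count mass of the CDF is what a defender would inspect for scanning and worm probing.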
Collections
- MANIACS Publications [35]