
DETECTING MALICIOUS NETWORK BEHAVIOR USING ONLY TCP FLAG INFORMATION

IP.com Disclosure Number: IPCOM000238173D
Publication Date: 2014-Aug-06

Publishing Venue

The IP.com Prior Art Database

Related People

Martin Grill: AUTHOR

Abstract

A solution is presented herein that utilizes the information in aggregated IP Flags values provided by the NetFlow protocol. Information is extracted and used to identify anomalous Internet Protocol (IP) addresses, and the beginning of large-scale (possibly coordinated) attacks. The detector is extremely fast and simple, allowing standalone operation or inclusion in ensemble systems. In an ensemble context, the detector helps to improve the overall achievable efficacy because ensemble systems make the most of detector variety.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 9% of the total text.


AUTHORS:

Martin Grill

CISCO SYSTEMS, INC.


DETAILED DESCRIPTION

    This solution identifies malicious Transmission Control Protocol (TCP)/IP network traffic using unsupervised anomaly analysis. The advantages of unsupervised methods over the more common supervised ones in this area are: a) the ability to identify both known and unknown incidents, and b) faster applicability, as no extensive training phase is necessary. Unsupervised methods are, however, still less accurate than supervised ones, so any improvement in this area is valuable.

    Since the Transmission Control Protocol (TCP) is a stateful protocol, the purpose of each packet can be determined. The TCP flags indicate different connection states or information about how a packet should be handled. These states are encoded by nine binary flags (NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN). In benign network traffic, these flags appear in well-defined orderings (e.g., SYN, SYN ACK, and ACK are used during the three-way handshake that establishes a TCP connection). Malicious activity, on the other hand, can be characterized by non-standard IP flag sequences (e.g., a SYN flood is a type of Denial of Service (DoS) attack that sends only SYN packets and never answers the server's reply, leaving the connections half-open and filling the server's connection buffer). For a comprehensive list of common IP Flags sequences, both benign and malicious, see Table 1.

Copyright 2014 Cisco Systems, Inc.

    The presented anomaly detection method uses only the TCP flag information contained in NetFlow, which limits the method exclusively to TCP communication (flows of other protocols are skipped). The statistics are calculated from NetFlow records over 5-minute intervals. This choice was made on the basis of related work showing that 5-minute intervals give good performance.

    The network is modeled by the distribution of TCP flags over flows aggregated by source or destination IP address. This means that two different models are created, one for source and one for destination IP. Since the models differ only in the aggregation key, they are explained here using aggregation by source IP address. This also means that only anomalies at the IP level, not at the flow level, can be identified. In other words, only anomalous IPs, not anomalous NetFlows, can be labeled in each time window. Variou...
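As an added worked example (not code from the disclosure), the following Python builds the per-source-IP TCP flag distribution described above from constructed NetFlow-style records: non-TCP flows are skipped and flows are bucketed into 5-minute windows. The scoring step is an assumption, since the excerpt is cut off before it describes one; here it is the total-variation distance between an IP's flag distribution and the mean distribution of all IPs in the window.

```python
"""Added example: per-source-IP TCP flag distributions from NetFlow-style records."""
from collections import Counter, defaultdict

# NetFlow exports tcp_flags as a bitwise OR of all flags seen in the flow.
FLAG_BITS = (("SYN", 0x02), ("ACK", 0x10), ("PSH", 0x08), ("FIN", 0x01),
             ("RST", 0x04), ("URG", 0x20), ("ECE", 0x40), ("CWR", 0x80))
TCP = 6
WINDOW = 300  # 5-minute windows, as in the disclosure


def flag_names(mask: int) -> str:
    """Render an aggregated tcp_flags byte as e.g. 'SYN ACK PSH FIN'."""
    return " ".join(n for n, b in FLAG_BITS if mask & b) or "NONE"


def flag_distributions(records):
    """Bucket TCP flows into 5-minute windows; per window return
    {src_ip: {flag_combo: share of that IP's flows}}.
    records: (unix_ts, src_ip, dst_ip, ip_proto, tcp_flags) tuples."""
    windows = defaultdict(lambda: defaultdict(Counter))
    for ts, src, _dst, proto, flags in records:
        if proto != TCP:  # the method is limited to TCP; other protocols are skipped
            continue
        windows[ts // WINDOW][src][flag_names(flags)] += 1
    return {w: {ip: {k: v / sum(c.values()) for k, v in c.items()}
                for ip, c in per_ip.items()}
            for w, per_ip in windows.items()}


def anomaly_scores(dist_by_ip):
    """Assumed scoring (the excerpt does not specify one): total-variation
    distance from the mean flag distribution of all IPs in the window."""
    mean = Counter()
    for d in dist_by_ip.values():
        mean.update(d)
    n = len(dist_by_ip)
    baseline = {k: v / n for k, v in mean.items()}
    return {ip: 0.5 * sum(abs(d.get(k, 0.0) - baseline[k]) for k in baseline)
            for ip, d in dist_by_ip.items()}


# Constructed sample: two clients completing full connections, one source
# emitting nothing but SYNs (SYN-flood-like), and one UDP flow to be skipped.
FULL = 0x02 | 0x10 | 0x08 | 0x01
SAMPLE = ([(t, "10.0.0.1", "192.0.2.10", TCP, FULL) for t in range(0, 300, 50)]
          + [(t, "10.0.0.2", "192.0.2.10", TCP, FULL) for t in range(0, 300, 60)]
          + [(t, "10.0.0.9", "192.0.2.10", TCP, 0x02) for t in range(0, 300, 10)]
          + [(5, "10.0.0.1", "192.0.2.53", 17, 0)])
```

Running `anomaly_scores(flag_distributions(SAMPLE)[0])` ranks 10.0.0.9, the SYN-only source, well above the two clients whose flows carry the full handshake and teardown flags.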