Updating headings on every page
@@ -4,7 +4,7 @@ date: 2019-08-23
draft: false
---
# Introduction
## Introduction
In order to allow flexibility in deployment location and to preserve user privacy we have performed research into stateless classification of network traffic. Because traffic does not always follow the same path through a network, by not worrying about state, we can deploy anywhere. We also use only one direction of traffic as replies could also follow a different path through the network. And by not requiring data within the packet, we can perform analysis on encrypted traffic as well.
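Review bot: the context line `---` directly above the demoted heading is the end of the front matter, so after this hunk `## Introduction` is the first heading in the body with no `#` heading above it. That is only correct if the site theme renders the front-matter title as the page's h1, and the commit message ("Updating headings on every page") gives no rationale; suggest stating it in the message, e.g. "demote body headings to h2 so the front-matter title is the only h1", so the next editor does not revert the change as a typo.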
@@ -12,7 +12,7 @@ Our research shows that it is possible to determine if traffic is malicious by u
This post serves as an introduction to my master's thesis of the same title. [Full paper for those interested.](/security/StatelessDetectionOfMaliciousTraffic.pdf)
# What Was Done
## What Was Done
The system we developed for this research was an intrusion detection system (IDS), thus does not block any traffic. Most IDS's use specific signatures for traffic. These are inflexible and will only detect the specific attack. If the traffic is modified in any way, it will no longer be detected. Instead of signatures, our system looks at ongoing traffic patterns.
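Review bot: the `@@ -12,7 +12,7 @@` counts show a pure one-line substitution (`# What Was Done` to `## What Was Done`) with no lines added or removed, which is what a heading-level-only change should look like; the site-relative link `[Full paper for those interested.](/security/StatelessDetectionOfMaliciousTraffic.pdf)` in the unchanged context is untouched. The commit title says "every page", but only this file's hunks are shown here; if other pages were changed in the same commit, confirm they were demoted by exactly one level as well so the heading hierarchy stays consistent across the site.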
@@ -22,7 +22,7 @@ Our system differs since it uses patterns. Because of this, we cannot say for ce
We used three primary data points to determine if traffic was malicious: destination port, TTL, and packet frequency. To actually perform the classification, we used a software package called WEKA (an open source trainable algorithm) and focused on bayesnet classification.
# Conclusions
## Conclusions
While performing the research, we observed that port only usage provided the least confidence. This isn't surprising, since it will only be useful for network scans. Packet frequency proved to be a better data point for classification. It appeared that benign traffic had a burst at the beginning, with fairly regular communication for the rest of a session. Malicious traffic would have a large burst of traffic followed by nothing, or very little traffic. TTL proved to be one of the best signatures. This is due to the fact that most benign traffic is to a few locations, which are usually physically close. TTL for malicious traffic is usually smaller, either due to further physical locations, as part of the attack, or for the attacker to gain further information about the victim network.
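Review bot: with this hunk all three `#` headings in the file (`Introduction`, `What Was Done`, `Conclusions`) are demoted to `##` with their text unchanged, so the post keeps a single consistent body heading level. If the intent is that no body heading remains at h1 on any page, a mechanical check on the post-commit tree such as `grep -rn '^# ' <content directory>` should return no matches for the affected posts; worth running once rather than relying on eyeballing each page.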