Search Results

Documents authored by Braun, Lothar


Document
Improving Markov-based TCP Traffic Classification

Authors: Gerhard Münz, Stephan Heckmüller, Lothar Braun, and Georg Carle

Published in: OASIcs, Volume 17, 17th GI/ITG Conference on Communication in Distributed Systems (KiVS 2011)


Abstract
This paper presents an improved variant of our Markov-based TCP traffic classifier and demonstrates its performance using traffic captured in a university network. Payload length, flow direction, and position of the first data packets of a TCP connection are reflected in the states of the Markov models. In addition, we integrate a new "end of connection" state to further improve the classification accuracy. Using 10-fold cross validation, we identify appropriate settings for the payload length intervals and the number of data packets considered in the models. Finally, we discuss the classification results for the different applications.

Cite as

Gerhard Münz, Stephan Heckmüller, Lothar Braun, and Georg Carle. Improving Markov-based TCP Traffic Classification. In 17th GI/ITG Conference on Communication in Distributed Systems (KiVS 2011). Open Access Series in Informatics (OASIcs), Volume 17, pp. 61-72, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2011)


@InProceedings{munz_et_al:OASIcs.KiVS.2011.61,
  author =	{M\"{u}nz, Gerhard and Heckm\"{u}ller, Stephan and Braun, Lothar and Carle, Georg},
  title =	{{Improving Markov-based TCP Traffic Classification}},
  booktitle =	{17th GI/ITG Conference on Communication in Distributed Systems (KiVS 2011)},
  pages =	{61--72},
  series =	{Open Access Series in Informatics (OASIcs)},
  ISBN =	{978-3-939897-27-9},
  ISSN =	{2190-6807},
  year =	{2011},
  volume =	{17},
  editor =	{Luttenberger, Norbert and Peters, Hagen},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/OASIcs.KiVS.2011.61},
  URN =		{urn:nbn:de:0030-drops-29582},
  doi =		{10.4230/OASIcs.KiVS.2011.61},
  annote =	{Keywords: Markov model, TCP Traffic Classification, network}
}
Document
5. 08102 Working Group – Measurement Requirements

Authors: Lothar Braun, Thorsten Braun, Georg Carle, Falko Dressler, Anja Feldmann, Dirk Haage, Tobias Limmer, and Tanja Zseby

Published in: Dagstuhl Seminar Proceedings, Volume 8102, Perspectives Workshop: Network Attack Detection and Defense (2008)


Abstract
The objective of this working group was to derive measurement requirements and challenges that originate from intrusion detection.

Cite as

Lothar Braun, Thorsten Braun, Georg Carle, Falko Dressler, Anja Feldmann, Dirk Haage, Tobias Limmer, and Tanja Zseby. 5. 08102 Working Group – Measurement Requirements. In Perspectives Workshop: Network Attack Detection and Defense. Dagstuhl Seminar Proceedings, Volume 8102, pp. 1-4, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2008)


@InProceedings{braun_et_al:DagSemProc.08102.5,
  author =	{Braun, Lothar and Braun, Thorsten and Carle, Georg and Dressler, Falko and Feldmann, Anja and Haage, Dirk and Limmer, Tobias and Zseby, Tanja},
  title =	{{5. 08102 Working Group – Measurement Requirements}},
  booktitle =	{Perspectives Workshop: Network Attack Detection and Defense},
  pages =	{1--4},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2008},
  volume =	{8102},
  editor =	{Georg Carle and Falko Dressler and Richard A. Kemmerer and Hartmut K\"{o}nig and Christopher Kruegel},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.08102.5},
  URN =		{urn:nbn:de:0030-drops-14962},
  doi =		{10.4230/DagSemProc.08102.5},
  annote =	{Keywords: Intrusion detection and prevention, attack response and countermeasures, reactive security, automated security, survivability and self-protection, ma network monitoring, flow analysis, denial of service detection and response, event correlation}
}
Document
6. 08102 Working Group – Requirements for Network Monitoring from an IDS Perspective

Authors: Lothar Braun, Falko Dressler, Thorsten Holz, Engin Kirda, Jan Kohlrausch, Christopher Kruegel, Tobias Limmer, Konrad Rieck, and James Sterbenz

Published in: Dagstuhl Seminar Proceedings, Volume 8102, Perspectives Workshop: Network Attack Detection and Defense (2008)


Abstract
Detection of malicious traffic is based on its input data, the information that is coming from network-based monitoring systems. Best detection rates would only be possible by monitoring all data transferred over all network lines in a distributed network. Monitoring and reporting this amount of data are feasible in neither today's, nor will be in future's systems. Later analysis like stateful inspection of the traffic imposes even more processing costs. But only at this level of monitoring and analysis there may be a chance to capture all attacks inside a system. So there needs to be a trade-off between detection success and the processing costs.

Cite as

Lothar Braun, Falko Dressler, Thorsten Holz, Engin Kirda, Jan Kohlrausch, Christopher Kruegel, Tobias Limmer, Konrad Rieck, and James Sterbenz. 6. 08102 Working Group – Requirements for Network Monitoring from an IDS Perspective. In Perspectives Workshop: Network Attack Detection and Defense. Dagstuhl Seminar Proceedings, Volume 8102, pp. 1-4, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2008)


@InProceedings{braun_et_al:DagSemProc.08102.6,
  author =	{Braun, Lothar and Dressler, Falko and Holz, Thorsten and Kirda, Engin and Kohlrausch, Jan and Kruegel, Christopher and Limmer, Tobias and Rieck, Konrad and Sterbenz, James},
  title =	{{6. 08102 Working Group – Requirements for Network Monitoring from an IDS Perspective}},
  booktitle =	{Perspectives Workshop: Network Attack Detection and Defense},
  pages =	{1--4},
  series =	{Dagstuhl Seminar Proceedings (DagSemProc)},
  ISSN =	{1862-4405},
  year =	{2008},
  volume =	{8102},
  editor =	{Georg Carle and Falko Dressler and Richard A. Kemmerer and Hartmut K\"{o}nig and Christopher Kruegel},
  publisher =	{Schloss Dagstuhl -- Leibniz-Zentrum f{\"u}r Informatik},
  address =	{Dagstuhl, Germany},
  URL =		{https://drops.dagstuhl.de/entities/document/10.4230/DagSemProc.08102.6},
  URN =		{urn:nbn:de:0030-drops-14970},
  doi =		{10.4230/DagSemProc.08102.6},
  annote =	{Keywords: Intrusion detection and prevention, attack response and countermeasures, reactive security, automated security, survivability and self-protection, ma network monitoring, flow analysis, denial of service detection and response, event correlation}
}