Slow scan detector – Sessionizer software design

Authors: Henderson, G.
Corporate authors: Defence R&D Canada - Ottawa, Ottawa ONT (CAN); Bell Canada, Ottawa Ont (CAN) ICT
Abstract
The Network Information Operations Section at DRDC Ottawa has developed a proof-of-concept low-profile scan detection engine using the MATLAB programming environment. It reads network traffic from pcap format files using custom-built interfaces to the pcap libraries and separates the traffic into connections (TCP) or sessions (UDP/ICMP). Anomalous connections are then processed to identify scans, including those that are slow and/or distributed. In this work, a software framework was designed in which the traffic sessionizer module is written in C++ to increase processing speed for use in an operational environment. The sessionizer module interfaces with MATLAB, which performs the scan detection. The system and the sessionizer software are described in detail herein.

A French-language summary is also available.

Report number: DRDC-OTTAWA-CR-2008-285 (Contractor Report)
Date of publication: 01 Apr 2009
Number of pages: 60
DSTKIM No: CA032269
CANDIS No: 531361
Format(s): CD ROM
