Detecting network intrusions via a statistical analysis of network packet characteristics
- 13 November 2002
- proceedings article
- Published by Institute of Electrical and Electronics Engineers (IEEE)
- p. 309-314
- https://doi.org/10.1109/ssst.2001.918537
Abstract
With the growing threat of abuse of network resources, it becomes increasingly important to be able to detect malformed packets on a network and estimate the damage they can cause. Carefully constructed, certain types of packets can cause a victim host to crash while other packets may be sent only to gather necessary information about hosts and networks and can be viewed as a prelude to attack. In this paper, we collect and analyze all of the IP and TCP packets seen on a network that either violate existing standards or should not appear in modern internets. Our goal is to determine what these suspicious packets mean and evaluate what proportion of such packets can cause actual damage. Thus, we divide unusual packets obtained during our experiments into several categories depending on the severity of their consequences, including indirect consequences as a result of information gathering, and show the results. The traces analyzed were gathered at Ohio University's main Internet link, providing a massive amount of statistical data.