TY - GEN
T1 - Challenges in Identifying Network Attacks Using Netflow Data
AU - Chuah, Edward
AU - Suri, Neeraj
AU - Jhumka, Arshad
AU - Alt, Samantha
PY - 2022/1/31
Y1 - 2022/1/31
N2 - Large networks often encounter attacks that can affect network availability. While multiple techniques exist to detect network attacks, a comprehensive understanding of how an attack occurs, considering the various layers and components of the network software stack, can be an important element in improving network security. By performing correlation analysis on contemporary unlabeled Netflow data, this paper conducts a comprehensive study of network flow events to identify communication patterns that may precede an attack, thereby providing potentially useful attack signatures to network administrators. Our work shows that, surprisingly, the Netflow data is not strongly correlated with network attacks. We observe that while spoofed requests trigger reflection attacks, only a small percentage of the network packets are associated with the attack. Furthermore, lead time enhancements are feasible for reflection attacks that show long dwell times. Our study on network event correlations highlights empirical observations that could facilitate better attack handling in large networks.
AB - Large networks often encounter attacks that can affect network availability. While multiple techniques exist to detect network attacks, a comprehensive understanding of how an attack occurs, considering the various layers and components of the network software stack, can be an important element in improving network security. By performing correlation analysis on contemporary unlabeled Netflow data, this paper conducts a comprehensive study of network flow events to identify communication patterns that may precede an attack, thereby providing potentially useful attack signatures to network administrators. Our work shows that, surprisingly, the Netflow data is not strongly correlated with network attacks. We observe that while spoofed requests trigger reflection attacks, only a small percentage of the network packets are associated with the attack. Furthermore, lead time enhancements are feasible for reflection attacks that show long dwell times. Our study on network event correlations highlights empirical observations that could facilitate better attack handling in large networks.
UR - https://puretest.lancaster.ac.uk/portal/en/publications/challenges-in-identifying-network-attacks-using-netflow-data(127b6a32-c8bf-47b9-be6c-5eaa5f3c571a).html
U2 - 10.1109/NCA53618.2021.9685305
DO - 10.1109/NCA53618.2021.9685305
M3 - Published conference contribution
SN - 9781665495509
SN - 9781665495516
BT - 2021 IEEE 20th International Symposium on Network Computing and Applications (NCA)
ER -