Detecting malicious activities through port profiling

Makoto Iguchi; Shigeki Goto

Detecting malicious activities through port profiling

Makoto Iguchi, Shigeki Goto

Research output: Contribution to journal › Article › peer-review

Abstract

This paper presents a network surveillance technique for detecting malicious activities. Based on the hypothesis that unusual conducts like system exploitation will trigger an abnormal network pattern, we try to detect this anomalous network traffic pattern as a sign of malicious, or at least suspicious activities. Capturing and analyzing of a network traffic pattern is implemented with a concept of port profiling, where measures representing various characteristics of connections are monitored and recorded for each port. Though the generation of the port profiles requires the minimum calculation and memory, they exhibit high stability and robustness. Each port profile retains the patterns of the corresponding connections precisely, even if the connections demonstrate multi-modal characteristics. By comparing the pattern exhibited by live traffic with the expected behavior recorded in the profile, intrusive activities like compromising backdoors or invoking trojan programs are successfully detected.

Original language	English
Pages (from-to)	784-792
Number of pages	9
Journal	IEICE Transactions on Information and Systems
Volume	E82-D
Issue number	4
Publication status	Published - 1999

Keywords

Auditing
Intrusion detection
Network surveillance
Profiling

ASJC Scopus subject areas

Information Systems
Computer Graphics and Computer-Aided Design
Software

Access to Document

Fingerprint Dive into the research topics of 'Detecting malicious activities through port profiling'. Together they form a unique fingerprint.

Cite this

@article{4dfc52f9e16f4423a3fad4793e326500,

title = "Detecting malicious activities through port profiling",

abstract = "This paper presents a network surveillance technique for detecting malicious activities. Based on the hypothesis that unusual conducts like system exploitation will trigger an abnormal network pattern, we try to detect this anomalous network traffic pattern as a sign of malicious, or at least suspicious activities. Capturing and analyzing of a network traffic pattern is implemented with a concept of port profiling, where measures representing various characteristics of connections are monitored and recorded for each port. Though the generation of the port profiles requires the minimum calculation and memory, they exhibit high stability and robustness. Each port profile retains the patterns of the corresponding connections precisely, even if the connections demonstrate multi-modal characteristics. By comparing the pattern exhibited by live traffic with the expected behavior recorded in the profile, intrusive activities like compromising backdoors or invoking trojan programs are successfully detected.",

keywords = "Auditing, Intrusion detection, Network surveillance, Profiling",

author = "Makoto Iguchi and Shigeki Goto",

year = "1999",

language = "English",

volume = "E82-D",

pages = "784--792",

journal = "IEICE Transactions on Information and Systems",

issn = "0916-8532",

publisher = "Maruzen Co., Ltd/Maruzen Kabushikikaisha",

number = "4",

}

TY - JOUR

T1 - Detecting malicious activities through port profiling

AU - Iguchi, Makoto

AU - Goto, Shigeki

PY - 1999

Y1 - 1999

N2 - This paper presents a network surveillance technique for detecting malicious activities. Based on the hypothesis that unusual conducts like system exploitation will trigger an abnormal network pattern, we try to detect this anomalous network traffic pattern as a sign of malicious, or at least suspicious activities. Capturing and analyzing of a network traffic pattern is implemented with a concept of port profiling, where measures representing various characteristics of connections are monitored and recorded for each port. Though the generation of the port profiles requires the minimum calculation and memory, they exhibit high stability and robustness. Each port profile retains the patterns of the corresponding connections precisely, even if the connections demonstrate multi-modal characteristics. By comparing the pattern exhibited by live traffic with the expected behavior recorded in the profile, intrusive activities like compromising backdoors or invoking trojan programs are successfully detected.

AB - This paper presents a network surveillance technique for detecting malicious activities. Based on the hypothesis that unusual conducts like system exploitation will trigger an abnormal network pattern, we try to detect this anomalous network traffic pattern as a sign of malicious, or at least suspicious activities. Capturing and analyzing of a network traffic pattern is implemented with a concept of port profiling, where measures representing various characteristics of connections are monitored and recorded for each port. Though the generation of the port profiles requires the minimum calculation and memory, they exhibit high stability and robustness. Each port profile retains the patterns of the corresponding connections precisely, even if the connections demonstrate multi-modal characteristics. By comparing the pattern exhibited by live traffic with the expected behavior recorded in the profile, intrusive activities like compromising backdoors or invoking trojan programs are successfully detected.

KW - Auditing

KW - Intrusion detection

KW - Network surveillance

KW - Profiling

UR - http://www.scopus.com/inward/record.url?scp=0033329099&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0033329099&partnerID=8YFLogxK

M3 - Article

AN - SCOPUS:0033329099

VL - E82-D

SP - 784

EP - 792

JO - IEICE Transactions on Information and Systems

JF - IEICE Transactions on Information and Systems

SN - 0916-8532

IS - 4

ER -