Abstract
Large networks often encounter attacks that can affect the network availability. While multiple techniques exist to detect network attacks, a comprehensive understanding of how an attack occurs considering the various layers and components of the network software stack, can be an important element to help improve network security. By performing correlation analysis on contemporary unlabeled Netflow data, this paper conducts a comprehensive study of network flow events to identify communication patterns that may precede an attack, thereby providing potentially useful attack signatures to network administrators. Our work shows that, surprisingly, the Netflow data is not strongly correlated to network attacks. We observe that while spoof requests trigger reflection attacks, only a small percentage of the network packets are associated with the attack. Furthermore, lead time enhancements are feasible for reflection attacks that show long dwell times. Our study on network event correlations highlights empirical observations that could facilitate better attack handling in large networks.
| Original language | English |
|---|---|
| Title of host publication | 2021 IEEE 20th International Symposium on Network Computing and Applications (NCA) |
| Publisher | IEEE Explore |
| Number of pages | 10 |
| ISBN (Electronic) | 9781665495509 |
| ISBN (Print) | 9781665495516 |
| DOIs | |
| Publication status | Published - 31 Jan 2022 |
Bibliographical note
This work is conducted, in part, under the auspices of theEU Horizon 2020 Research and Innovation program under
Grant Agreement No. 830927 (CONCORDIA) and by Security
Lancaster under the EPSRC grant EP/V026763/1.