This half-day tutorial will give an overview of how traffic data is collected and analyzed for security applications. The tutorial is organized into four major parts. The first part presents an introduction to various network-based security threats, including scans, viruses, worms, spyware, and denial of service attacks. This part is essential background for understanding how these attacks typically generate specific patterns of traffic that are different from, and distinguishable from, legitimate traffic. The success of traffic analysis depends on the observation that malicious traffic behaves in a uniquely identifiable way.
The second part of the tutorial describes how traffic data is monitored and collected from various points in the network, such as sniffers, routers, firewalls, intrusion detection systems, and honeypots. Descriptions will include illustrations with examples of open-source and proprietary software tools.
The third part of the tutorial shows methods to analyze traffic data at the packet, flow, and session levels. The processing of protocol header information in packets at the IP, TCP, and other protocol layers is described. The necessity of parsing and filtering the (usually voluminous) raw traffic data is motivated, with examples of relevant software tools.
The last part of the tutorial describes the interpretation of traffic data to detect intrusions based on known signatures or behavior anomalies. Examples of the manifestations of scans, backdoors, viruses, worms, and other types of attacks are shown. Finally, the tutorial concludes with a summary of the current difficulties and limitations of traffic analysis for security.
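As an added illustration of the pipeline outlined in the third and fourth parts (this is example code written for this page, not material from the tutorial), the following Python script parses IP and TCP header fields from raw packets, aggregates the packets into 5-tuple flows, and then flags a source whose SYN-only flows reach many distinct ports, which is one of the distinguishable patterns a port scan leaves behind. The packets, addresses, and the port-count threshold are all constructed assumptions for the demonstration.

```python
import struct
from collections import defaultdict
SYN, ACK = 0x02, 0x10
SCAN_PORT_THRESHOLD = 5  # distinct targets per source; an assumed heuristic, not a standard

def build_packet(src, dst, sport, dport, flags):
    """Construct a minimal IPv4+TCP packet (headers only, zero checksums): sample input only."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr

def parse_packet(raw):
    """Pull the IP and TCP header fields needed for flow analysis; None if not TCP."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    if proto != 6:
        return None
    ihl = (ver_ihl & 0x0F) * 4  # IP header length in bytes (options may follow)
    sport, dport, _, _, _, flags = struct.unpack("!HHIIBB", raw[ihl:ihl + 14])
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "sport": sport, "dport": dport, "flags": flags}

def packets_to_flows(raw_packets):
    """Aggregate packets into unidirectional flows keyed by the 5-tuple."""
    flows = defaultdict(lambda: {"packets": 0, "flags": 0})
    for raw in raw_packets:
        p = parse_packet(raw)
        if p is None:
            continue
        key = (p["src"], p["dst"], p["sport"], p["dport"], "tcp")
        flows[key]["packets"] += 1
        flows[key]["flags"] |= p["flags"]  # union of flags seen on the flow
    return flows

def detect_port_scans(flows, threshold=SCAN_PORT_THRESHOLD):
    """Flag sources whose SYN-only flows (no ACK ever seen) reach many distinct ports:
    a completed handshake sets ACK on the client's flow, a scan probe usually does not."""
    targets = defaultdict(set)
    for (src, dst, _, dport, _), f in flows.items():
        if f["flags"] & SYN and not f["flags"] & ACK:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= threshold}

# Constructed sample: one legitimate handshake, then a scanner probing eight ports.
SAMPLE = [build_packet("10.0.0.5", "10.0.0.20", 40000, 80, SYN),
          build_packet("10.0.0.20", "10.0.0.5", 80, 40000, SYN | ACK),
          build_packet("10.0.0.5", "10.0.0.20", 40000, 80, ACK)]
SAMPLE += [build_packet("192.0.2.9", "10.0.0.20", 50000 + i, port, SYN)
           for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443))]
```

Running `detect_port_scans(packets_to_flows(SAMPLE))` reports only the scanning source; the completed handshake carries ACK on both of its flows and is not flagged.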
Thomas M. Chen is an associate professor in the Department of Electrical Engineering at Southern Methodist University in Dallas, Texas. He received the BS and MS degrees in electrical engineering from the Massachusetts Institute of Technology in 1984, and the PhD in electrical engineering from the University of California, Berkeley, in 1990. He is currently the editor-in-chief of IEEE Communications Magazine, a senior technical editor for IEEE Network, past associate editor for ACM Transactions on Internet Technology, and past founding editor of IEEE Communications Surveys. Prior to joining SMU, he was a senior member of the technical staff at GTE Laboratories (now Verizon Labs). He is the co-author of ATM Switching Systems (Artech House, 1995). He was the recipient of the IEEE Communications Society's Fred W. Ellersick best paper award in 1996.