Publication details

Statistical analysis of Snort alarms for a medium-sized network
Chantawutt K, Ghita BV
Ninth Annual Security Conference, Las Vegas, Nevada, US, 7-8 April, 2010

Statistical analysis of network intrusions has been an active topic for researchers for many years. However, due to the complexity and security concerns associated with the Internet, this area of research remains challenging, from the monitored networks and methodology used to the focus of the analysis and presentation of the results. This paper aims to provide additional insight into this area by analysing a set of IDS alarms collected over a period of three months from the external interface of the edge router at the University of Plymouth. The motivation of this study is to quantitatively classify and understand the nature of current Internet threats, as observed at a medium stub network, leading to long-term analysis of trends and recurring patterns of attacks. In the study, fundamental features of intrusion activities are investigated through a number of characteristics, from the daily volume of intrusion attempts to the source/destination of the intrusion attempts as well as the specific attack type. The results of the study show high levels and a wide variety of intrusion attempts. They also show that the attacks reflect daily timescales and that the on/off patterns exhibit recurrence of correlated behaviours. Furthermore, the Slammer worm appears to feature on the Internet long after its original release. Deeper investigation reveals that the sources of attacks are spread uniformly, apart from a large proportion of intrusions generated by a small number of IP addresses located in China.
