Trend Analysis of Snort Alarms |
Network intrusions have been active topic for researches for many years. However, in order to
Chantawutt K, Ghita BV
gain insight into the nature of the current threat on the Internet is challenging. This paper,
addresses this problem by systematically analysing a set of traffic trace collected over three
months in front of the firewall at the Internet gateway of the University of Plymouth. The
motivation of this study is to quantitatively understand the nature of the current Internet threat
which leads to long-term analyses of trends and the recurring patterns of attacks. In the study,
fundamental features of intrusions activities was investigated by evaluating the log data along
a number of aspects (e.g. daily volume of intrusion attempts, the source and destination of the
intrusion attempts and specific type of intrusion attempts, etc.). The result of the study shows
both a large quantity and wide variety of intrusion attempts. It also shows that numerous
amount of denial of service and ICMP scanning activities can be detected as common threats
on the Internet. The patterns of these activities can be found at daily timescale and the on/off
patterns exhibit recurrence of correlated behaviours. Furthermore, worms like SLAMMER and
Sasser.D still persist on the Internet long after their original release. Deeper investigation
reveals that sources of intrusions spread all over the globe. However, a major proportion of
intrusions are from China. Also a very small proportion of sources were responsible for a
significant portion of intrusion attempts for a given period of time.