Characterising Anomalous Events Using Change-Point Correlation on Unsolicited Network Traffic

Date Added: Aug 2009
Format: PDF

Monitoring unused or dark IP addresses offers opportunities to extract useful information about both ongoing and new attack patterns. In recent years, different techniques have been used to analyze such traffic, including sequential analysis, where a change in traffic behavior (for example, a change in mean) is used as an indication of malicious activity. Change points by themselves say little about the detected change; further data processing is necessary to extract useful information and to identify the exact cause of the change, and that processing is limited by the size and nature of the observed traffic. In this paper, the authors address the problem of analyzing a large volume of such traffic by correlating change points identified in different traffic parameters.