Traffic Analysis of UDP-Based Flows in Ourmon Portland State University - Computer Science Technical Report - 0807

Executive Summary

This paper presents a custom UDP flow tuple keyed by IP address and carrying a set of simple related statistical attributes. These attributes are used to calculate a per-host metric called the UDP work weight, which roughly measures the amount of network noise caused by a host. The work weight is used to produce a near real-time sorted top-N report of UDP host tuples. The paper also presents a derived attribute based on an algorithm called the UDP guesstimator. The UDP guesstimator roughly classifies port-report hosts into traffic categories, including security threats (DOS/scanning) or P2P hosts, based on high UDP work weights and other flow attributes.
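The pipeline the summary describes (per-IP UDP tuple, attribute counters, a work weight, a sorted top-N report, and a coarse guesstimator-style category) as an added illustration in Python; this is not Ourmon's code, the attribute set, the work-weight formula and the category thresholds are assumptions made for the example, and the flow records are constructed.

```python
from collections import defaultdict

# Constructed sample UDP records: (src_ip, dst_ip, dst_port, icmp_unreach_returned)
SAMPLE_FLOWS = [
    ("10.0.0.5", "192.0.2.1", 53, False),       # ordinary DNS client
    ("10.0.0.5", "192.0.2.1", 53, False),
    ("10.0.0.5", "192.0.2.2", 53, False),
    ("10.0.0.7", "198.51.100.1", 6881, False),  # many peers, one port: P2P-like
    ("10.0.0.7", "198.51.100.2", 6881, False),
    ("10.0.0.7", "198.51.100.3", 6881, False),
    ("10.0.0.7", "198.51.100.4", 6881, False),
    ("10.0.0.9", "203.0.113.1", 1024, True),    # one target, many ports, errors back
    ("10.0.0.9", "203.0.113.1", 1025, True),
    ("10.0.0.9", "203.0.113.1", 1026, True),
    ("10.0.0.9", "203.0.113.1", 1027, True),
    ("10.0.0.9", "203.0.113.1", 1028, True),
]

def build_tuples(flows):
    """Aggregate per source IP: packets sent, distinct peers/ports, ICMP unreachables."""
    hosts = defaultdict(lambda: {"pkts": 0, "peers": set(), "ports": set(), "unreach": 0})
    for src, dst, dport, unreach in flows:
        h = hosts[src]
        h["pkts"] += 1
        h["peers"].add(dst)
        h["ports"].add(dport)
        h["unreach"] += int(unreach)
    return hosts

def work_weight(h):
    """Assumed formula (not the paper's): packets scaled by target spread and error feedback."""
    return h["pkts"] * (len(h["peers"]) + len(h["ports"])) * (1 + h["unreach"])

def guess_category(h, ww, threshold=15):
    """Assumed heuristic in the spirit of the guesstimator; thresholds are illustrative."""
    if ww < threshold:
        return "normal"
    if h["unreach"] >= h["pkts"] // 2:   # most probes drew ICMP errors: scan/DOS-like
        return "scan/DOS-like"
    if len(h["peers"]) >= 4:             # noisy but spread over many live peers
        return "P2P-like"
    return "high-noise"

def top_n_report(flows, n=3):
    """Return the top-N hosts as (src_ip, work_weight, category), highest weight first."""
    hosts = build_tuples(flows)
    rows = [(src, work_weight(h), guess_category(h, work_weight(h))) for src, h in hosts.items()]
    rows.sort(key=lambda r: r[1], reverse=True)
    return rows[:n]

if __name__ == "__main__":
    for src, ww, cat in top_n_report(SAMPLE_FLOWS):
        print(f"{src:<12} ww={ww:<5} {cat}")
```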

