Y. Shomura, K. Yoshida, Akira Sato, Satoshi Matsumoto, K. Itano
A Traffic Analysis Using Cardinalities and Header Information
2010 First International Conference on Networking and Computing, published 2010-11-17
DOI: 10.1109/IC-NC.2010.36 (https://doi.org/10.1109/IC-NC.2010.36)
Citations: 3
Abstract
Recently, the variety and vastness of computer networks have increased rapidly. To keep networks stable and reliable, network administrators have to understand the nature of network traffic flows. We have developed a cardinality-analysis method that analyzes cardinalities in TCP/IP headers. The cardinalities can be used to detect abnormal traffic such as DDoS attacks and Internet worms. However, much traffic remains unclassified. In this paper, we propose further analysis that consists of two parts: 1) selecting service port numbers and 2) analyzing the volume of inflow and outflow for each service along with packet sizes. The proposed method can analyze the behavior of hosts and services in detail. We applied the proposed analysis to traffic captured at the University of Tsukuba's campus network and demonstrated the ability to classify services into four groups: download type, upload type, both-way type, and control or real-time communication type, which normally cannot be classified by cardinality analysis.