
Characterizing Very Low Frequency Internet Traffic - May 15, 2009

It is our pleasure to host this distinguished lecture by Prof. John McHugh, Canada Research Chair in Privacy and Security at Dalhousie University in Halifax. The lecture will be followed by a reception. Please feel free to forward this invitation.

Abstract: For a number of years, we have observed that NetFlow data collected at the border between an enterprise network and the outside world contains large numbers of flows from external addresses that reappear infrequently, if at all. From February 2006 until March 2007, we monitored the border of a /22 with fewer than 100 active hosts. During this period, nearly 13 million distinct outside addresses appeared on inbound traffic. Of these, over 6 million (49%) appeared as the source address on a single NetFlow, and sources associated with 10 or fewer flows account for over 90% of the addresses seen. These sources represent about 20% of the total flows but only about 1% of the packets that make up the flows. This paper describes the data in more detail and presents our findings, based on a broad examination of the low frequency flow records. The study has impacts in a number of areas, including long-term archiving of network data and stateful intrusion detection. In addition, it serves as a reminder of the complexity of internet traffic.

Prof. John McHugh is the Canada Research Chair in Privacy and Security at Dalhousie University in Halifax, NS, where he leads the Privacy and Security Laboratory. He is currently on research leave at the University of North Carolina in Chapel Hill. Prior to joining Dalhousie, he was a senior member of the technical staff with the CERT Situational Awareness Team, where he did research in survivability, network security, and intrusion detection. Recently, he has been involved in the analysis of large-scale network flow data and is working with a team of researchers at Dalhousie and CA to develop network data visualization tools in support of the U.S. Department of Homeland Security. He was a professor and former chairman of the Computer Science Department at Portland State University in Portland, Oregon. His research interests include computer security, software engineering, and programming languages. He has previously taught at The University of North Carolina and at Duke University. He was the architect of the Gypsy code optimizer and the Gypsy Covert Channel Analysis tool. Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has an MS degree in computer science from the University of Maryland, and a BS degree in physics from Duke University.