Characterizing Network Flows for Detecting DNS, NTP, and SNMP Anomalies

Advances in Intelligent Systems and Computing (2018)

Abstract
Network security can never be fully assured, as new attacks are reported every day. Characterizing such new attacks is a challenging task. To detect anomalies in specific services, it is desirable to find characteristic features of those service-specific anomalies. In this paper, real-time flow-based network traffic captured from a university campus is studied to determine whether traditional volume-based analysis of aggregated flows and of service-specific aggregated flows is useful in detecting service-specific anomalies. Two existing techniques are also evaluated to find characteristic features of these anomalies. The service-specific anomalies considered in this paper are those involving DNS, NTP, and SNMP.
Keywords
Network flows, DNS tunnel, DNS amplification reflection, NTP, SNMP