SGER: Behavioral Authentication of Server Flows

$49,198 · FY2004 · CSE · NSF

Tufts University, Medford MA

Investigators

Abstract

SGER: Behavioral Authentication of Server Flows for Detection of Anomalous Communication Patterns

The goal of this project is to develop methods for analyzing traffic behavior of server flows to detect anomalous communication patterns. Prior work in data mining applied to computer security was geared at finding attack packets, whereas this research aims to find patterns of traffic that indicate anomalous behavior of an application-layer protocol. Traditional methods for determining traffic type rely on the port label carried in the TCP/UDP packet header. This method can fail, however, in the presence of proxy servers that re-map port numbers, or host services that have been compromised to act as back doors or covert channels. The basis for this exploratory project is the classification of TCP server stream traffic using features that capture stream behavior. The features are independent of port label and therefore provide a more accurate classification of traffic type in the presence of malicious activity. An exciting new direction in this research is the authentication of server flows to detect anomalous and potentially malicious behavior. This research addresses the need for authentication of the application-layer protocol. Because most intrusion detection systems and firewalls rely on knowing the application protocol for determining whether to permit the traffic and for discovering malicious behavior, this research fills a critical gap in current information security technology. The expected results will have broad impact in a wide range of applications that critically depend on reliable, effective and efficient information security. Results of this project will be accessible on the project web site http://mow.ecn.purdue.edu/~lrn/, and disseminated at security conferences.
