You are here

Data Mining – Detection and isolation of events using transformations

There is a variety of tools to filter packets from a network. One of the most popular ones is the Berkeley Packet Filter (BPF). All such filters are based on static descriptions, e.g., fixed source ports or fixed subnets of IP addresses. These methods work well for most types of network traffic, but there are cases in which a wider variety of applications may be appropriate. In this paper we will introduce a new analysis tool which will allow us to do a time-dependent analysis. One of the advantages of this method is that it enables us to loosen the relationship of the packet to it.s IP source address. We will show that we can distinguish between traffic from different machines even if they have the same source address (e.g., NAT router) and that we can detect traffic from the same machine, even if the IP source address had changed. Many other analysis are possible. The basic concept behind this new filter is that it will try to detect any type of linear relationship in the data, independent of nuisance factors as white noise, etc.

Autoren: 
Dr. Alexander Schinner
Journal: 
SANS GCIA Practical ver 3.5
Datum: 
24.4.2004