Thursday, December 2, 2010

The virtue of ASTUTE

ASTUTE is a very recently published automatic detection method for sensing anomalous traffic over a network link based on the assumption that, in normal traffic, flows are independent and the net change of all flows over time is close to zero. The authors of ASTUTE show that the method is significantly better than previous ones at discovering deviant traffic that involves many small flows, whereas previous methods perform better at finding anomalies resulting from a few large flows. From my initial reading, ASTUTE seems especially suited to discovering problems related to a variety of network issues, including misconfigured or misbehaving applications, saturated links, problems with BGP routing, offline servers and orphaned clients, and so on. This seems to be because ASTUTE looks at TCP traffic at a very high level, makes certain assumptions about how TCP flows work in aggregate, and does little to analyze individual flows. ASTUTE's strengths appear to make it an excellent tool for trying to understand network traffic at a very high level over time.
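The equilibrium assumption described above, as an added example that is not code from the post or from the ASTUTE authors: a simplified check that sums the per-flow volume changes between two time bins and normalises that sum by the spread of the changes. The normalisation by sqrt(F) times the standard deviation, the threshold of 3, and all flow data are assumptions constructed for this illustration; the two anomaly scenarios reproduce the post's point that many small flows moving together score high while one large flow barely registers.

```python
from math import sqrt
from statistics import pstdev

# Constructed sample data: bytes per flow per time bin, keyed by a made-up flow id
# (a real deployment would key on the 5-tuple from flow records).
def baseline_bin():
    b = {f"flow{i}": 1000 + (i % 7) * 50 for i in range(100)}
    b["bulk"] = 50_000          # one long-lived large transfer
    return b

def quiet_bin():
    # Normal churn: half the flows grow by 60 bytes, half shrink by 60.
    b = baseline_bin()
    for i in range(100):
        b[f"flow{i}"] += 60 if i % 2 == 0 else -60
    return b

def many_small_flows_bin():
    # 50 new small flows appear at once, e.g. a misbehaving application.
    b = quiet_bin()
    b.update({f"new{i}": 200 for i in range(50)})
    return b

def one_large_flow_bin():
    # The single bulk transfer doubles; everything else is normal churn.
    b = quiet_bin()
    b["bulk"] = 100_000
    return b

def flow_deltas(prev_bin, cur_bin):
    """Volume change of every flow seen in either bin (absent = 0 bytes)."""
    return [cur_bin.get(k, 0) - prev_bin.get(k, 0)
            for k in set(prev_bin) | set(cur_bin)]

def equilibrium_score(prev_bin, cur_bin):
    """Net change of all flows divided by sqrt(F) * stdev of the deltas.
    With independent flows this is roughly standard normal, so a large
    magnitude means the equilibrium assumption was violated."""
    deltas = flow_deltas(prev_bin, cur_bin)
    sigma = pstdev(deltas) if deltas else 0.0
    return 0.0 if sigma == 0.0 else sum(deltas) / (sqrt(len(deltas)) * sigma)

def scenario_scores():
    base = baseline_bin()
    return {"quiet": equilibrium_score(base, quiet_bin()),
            "many_small_flows": equilibrium_score(base, many_small_flows_bin()),
            "one_large_flow": equilibrium_score(base, one_large_flow_bin())}

if __name__ == "__main__":
    for name, s in scenario_scores().items():
        print(f"{name:17s} score={s:6.2f} {'ANOMALY' if abs(s) > 3 else 'ok'}")
```

Because a single flow's jump also inflates the standard deviation it is divided by, its score stays near 1 no matter how large the jump, which is exactly why this kind of test favours many-small-flow anomalies.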

On the other hand, ASTUTE seems less well equipped to be used as a security measure in detecting malicious flows. First of all, bots in a botnet are often spread out across multiple networks, so that most activities of the collective botnet are unlikely to be detected across a single flow. Second, most malicious software, with the exception of port scanners, doesn't do anything that would look abnormal from a TCP flow level. For instance, how could the communication of nodes in a botnet look relative to hosts interacting with a video game server? How would distributed file transfer between infected hosts be distinguished from a legitimate peer-to-peer file transfer? As a final example, how would single-host applications like keyloggers appear different from a chat or VOIP client that works through an intermediate server?

Overall, ASTUTE seems well positioned to assist a network administrator in understanding many types of traffic in his network, even if not the malicious kinds.
