
Statistical analysis of Snort alarms for a medium-sized network




Journal of Information Systems Security
Volume 7, Number 3 (2011)
Pages 17–31
ISSN 1551-0123 (Print)
ISSN 1551-0808 (Online)
Kitti Chantawut — University of Plymouth, UK
Bogdan Ghita — University of Plymouth, UK
Information Institute Publishing, Washington DC, USA




Statistical analysis of network intrusions has been an active topic for researchers for many years. However, due to the complexity and security concerns associated with the Internet, this area of research remains challenging, from the monitored networks and methodology used to the focus of the analysis and presentation of the results. This paper aims to provide additional insight into this area by analysing a set of IDS alarms collected over a period of three months from the external interface of the edge router at the University of Plymouth. The motivation of this study is to quantitatively classify and understand the nature of current Internet threats, as observed at a medium-sized stub network, leading to long-term analysis of trends and recurring patterns of attacks. In the study, fundamental features of intrusion activities are investigated through a number of characteristics, from the daily volume of intrusion attempts to the source/destination of the intrusion attempts as well as the specific attack type. The results of the study show high levels and a wide variety of intrusion attempts. They also show that the attacks reflect daily timescales and that the on/off patterns exhibit recurrence of correlated behaviours. Furthermore, the Slammer worm appears to feature on the Internet long after its original release. Deeper investigation reveals that the sources of attacks are spread uniformly, apart from a large proportion of intrusions generated by a small number of IP addresses located in China.
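The abstract names the characteristics the study derives from the Snort alarm set (daily volume, time-of-day profile, per-source concentration and per-signature breakdown) but the page carries no code. The following is an added example, not the authors' analysis code, showing how those aggregates can be computed from Snort's "fast" alert output (alert_fast, one alert per line). The alert lines are constructed for illustration using RFC 5737 documentation addresses; the signature IDs, messages and classifications are illustrative sample values, and the year is assumed because the fast format does not record it.

```python
import re
from collections import Counter
from datetime import datetime

# Snort "fast" alert line, e.g.
# 03/01-00:12:41.101233  [**] [1:2003:8] MSG [**] [Classification: X] [Priority: 2] {UDP} a.b.c.d:p -> e.f.g.h:q
# ICMP alerts carry no ports, so the port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (documentation address ranges; SIDs illustrative).
SAMPLE_ALERTS = """\
03/01-00:12:41.101233  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.21:1434
03/01-00:12:44.550011  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.22:1434
03/01-03:05:02.000120  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.9 -> 198.51.100.5
03/01-09:30:17.220001  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.23:1434
03/02-10:41:09.000000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.0.2.44:1901 -> 198.51.100.1:1900
03/02-11:15:30.777777  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 198.51.100.24:1434
03/02-23:59:59.999999  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
03/03-12:00:00.000000  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.0.2.44:1901 -> 198.51.100.1:1900
this line is not an alert and is skipped by the parser
"""


def parse_alerts(text, year=2010):
    """Parse fast-format alert lines into dicts; non-matching lines are dropped.
    The year is an assumption: the fast format records only month and day."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append({
            "time": ts, "sid": int(m["sid"]), "msg": m["msg"],
            "priority": int(m["prio"]), "proto": m["proto"],
            "src": m["src"], "dst": m["dst"],
            "sport": int(m["sport"]) if m["sport"] else None,
            "dport": int(m["dport"]) if m["dport"] else None,
        })
    return alerts


def daily_volume(alerts):
    """Alerts per calendar day (ISO date -> count), the daily-volume series."""
    return Counter(a["time"].date().isoformat() for a in alerts)


def hourly_profile(alerts):
    """Alerts per hour of day, 24 buckets, to expose daily timescales."""
    hours = [0] * 24
    for a in alerts:
        hours[a["time"].hour] += 1
    return hours


def top_sources(alerts, n=3):
    """Busiest source addresses with count and percentage share of all alerts."""
    total = len(alerts)
    counts = Counter(a["src"] for a in alerts)
    return [(ip, c, round(100.0 * c / total, 1)) for ip, c in counts.most_common(n)]


def signature_breakdown(alerts):
    """Alerts per (sid, message) pair, the attack-type distribution."""
    return Counter((a["sid"], a["msg"]) for a in alerts)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    print("daily volume:", dict(daily_volume(parsed)))
    print("hourly profile:", hourly_profile(parsed))
    print("top sources:", top_sources(parsed))
    for (sid, msg), c in signature_breakdown(parsed).most_common():
        print(f"sid {sid:>5}  {c:>3}  {msg}")
```

Running the block over the constructed sample prints the per-day counts, a 24-bucket hour-of-day profile, the source table (one address accounts for half of the alerts, the kind of concentration the abstract reports) and the per-signature counts. On a real three-month alarm file the same functions apply unchanged; only the year assumption and the input source differ.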




Trend Analysis, Intrusion Detection System, Snort, Slammer



