Summary |
The proposed system correlates network behaviors derived from NetFlow, which improves on the accuracy of the original single NetFlow analysis. IP behaviors are considered in three aspects: event, time, and space. The system finds malicious connections, issues an alarm, and enables defense in time. When an internal IP has started to attack, the proposed system can trace back the malicious connections that the host IP made during the period and even find other potential victims in the LAN. In the event correlation, the characteristics of 4 attacks are proposed and calculated as a risk level, showing the damage of the attack. |
Scientific Breakthrough |
Using flow pair technology mitigates the false positive rate of the original one-direction NetFlow records and increases accuracy. Pairing IPs that have the same source and port, and correlating them by event, time, and space, can find the potential victims. |
Industrial Applicability |
By using artificial intelligence and correlation analysis to capture the signature of network behaviors, suspicious hosts and behaviors can be found in the early stage of an attack. This reduces the human and financial cost after the attack is captured. The proposed system can be applied to campus networks, corporate networks, and government networks. |
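
The flow pairing and trace-back ideas from the Summary and Scientific Breakthrough entries, sketched as an added example (not the proposed system's own code). The record layout, LAN range, time window, sample records and the function names `pair_flows` and `trace_back` are all assumptions made for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("10.0.0.0/24")  # assumed internal range
# Constructed unidirectional records: (start_s, src, sport, dst, dport, proto)
RECORDS = [
    (100, "10.0.0.5", 50001, "203.0.113.9", 443, "tcp"),
    (100, "203.0.113.9", 443, "10.0.0.5", 50001, "tcp"),
    (130, "10.0.0.7", 50002, "203.0.113.9", 443, "tcp"),
    (131, "203.0.113.9", 443, "10.0.0.7", 50002, "tcp"),
    (140, "10.0.0.8", 50003, "198.51.100.4", 80, "tcp"),
    (141, "198.51.100.4", 80, "10.0.0.8", 50003, "tcp"),
    (150, "10.0.0.9", 50004, "203.0.113.9", 443, "tcp"),  # no reply: stays unpaired
    (900, "10.0.0.6", 50005, "203.0.113.9", 443, "tcp"),  # outside the trace window
    (901, "203.0.113.9", 443, "10.0.0.6", 50005, "tcp"),
]

def pair_flows(records, max_skew=5):
    """Join each record with its reverse-direction record into one flow pair.
    Assumption: the direction seen first is treated as the initiator."""
    pending, pairs = {}, []
    for t, src, sport, dst, dport, proto in sorted(records):
        reverse = (dst, dport, src, sport, proto)
        if reverse in pending and t - pending[reverse] <= max_skew:
            t0 = pending.pop(reverse)
            pairs.append({"start": t0, "initiator": dst, "responder": src, "rport": sport})
        else:
            pending[(src, sport, dst, dport, proto)] = t
    return pairs

def trace_back(pairs, attacker, alarm_time, window=300):
    """Time: external peers the attacking host contacted before the alarm.
    Space: other LAN hosts that contacted the same peers in that window."""
    in_window = [p for p in pairs if alarm_time - window <= p["start"] <= alarm_time]
    peers = {p["responder"] for p in in_window
             if p["initiator"] == attacker
             and ip_address(p["responder"]) not in LAN}
    victims = defaultdict(set)
    for p in in_window:
        if (p["initiator"] != attacker and p["responder"] in peers
                and ip_address(p["initiator"]) in LAN):
            victims[p["initiator"]].add(p["responder"])
    return peers, dict(victims)

if __name__ == "__main__":
    flow_pairs = pair_flows(RECORDS)
    print(trace_back(flow_pairs, "10.0.0.5", alarm_time=200))
```
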