Internet traffic analysis

Abstract

This report presents two models that are used to detect the user abnormal behavior and network intrusion respectively. The user abnormal behavior detection model uses the pattern-matching techniques to identify the user. The intrusion detection model detects intrusion based on known intrusion patterns and normal Internet traffic parameters.

The process of user abnormality detection is to first collect and analyze user input and internet traffic information, classify the user activities to specific types and build signatures database of each activity type. Then users are identified by those signatures after login. The signature consists of the user input signature and the internet traffic information.

The intrusion detection model aims to detect intrusion based on normal internet traffic parameters and operational values. Since Denial-of-service is one of the intrusions that can be easily launched and pose great threat to network and workstations, therefore, the model focus on detecting DOS attack. TCP flood attack and ICMP flood attack are simulated for intrusion detection testing.

The functionality of these two models is to provide a more secure working and network environment for individuals continuously.