Research On Behavior Characteristics Of Superpoints And Algorithms For Detecting Superpoints

Posted on: 2016-12-27
Degree: Master
Type: Thesis
Country: China
Candidate: S S Liu
GTID: 2308330461977087
Subject: Computer Science and Technology

Abstract/Summary:
A superpoint is a host that contacts at least a given number of distinct destination hosts or source hosts within a measurement period. With the rapid development of the Internet, attacks such as port scanning, distributed denial of service and worms are increasing in severity. These attacks endanger network security and can even paralyze the network. Their common characteristic is that a source/destination host sends packets to, or receives packets from, a large number of distinct destination/source hosts in a short time, so detecting superpoints can detect these attacks. Real-time identification of superpoints is therefore very important for network security management.

This paper studies the behavioral characteristics of superpoints and algorithms for detecting them. The behavioral characteristics cover two aspects: flow characteristics and port characteristics. The flow characteristics follow a heavy-tailed distribution, and the number of mice flows is much greater than the number of elephant flows. The communication ports used by superpoints include service ports and attack ports. We find that most of the communication ports are service ports, and that the number of ports that send mice flows is much greater than the number of ports that send elephant flows.

To improve the accuracy of superpoint detection, this paper proposes a detection algorithm based on counter sharing. Because it applies the idea of counter sharing, the proposed algorithm reduces memory consumption. It consists of two modules: an online processing module and an offline processing module. The online processing module is responsible for storing flow information. When a packet arrives, it first determines whether the packet belongs to a new flow. If the packet belongs to a new flow, it is recorded in the three counter arrays; if not, the packet is discarded. The offline processing module is responsible for estimating the cardinality of hosts. If the estimated cardinality of a host is larger than the predefined threshold, the host is considered a superpoint.

In the experiments, four traces collected from different networks are used and different thresholds are selected. The experimental results show that the algorithm detects superpoints effectively and accurately.
Keywords/Search Tags:Superpoint, Behavioral Characteristics, Counter Sharing
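
The two-module design in the abstract can be sketched as follows; this is an added example, not code from the thesis. The abstract does not specify the data structures, so the Bloom filter used as the new-flow test, the count-min style use of the three shared counter arrays, the hash function, all sizes and the sample addresses are assumptions made here.

```python
import hashlib

class SuperpointDetector:
    # Assumed design: Bloom filter for the new-flow test, three counter arrays
    # shared by all sources (count-min style). Not the thesis's own structures.
    def __init__(self, counters=1024, filter_bits=1 << 16, arrays=3):
        self.m, self.nbits = counters, filter_bits
        self.seen = bytearray(filter_bits // 8)       # Bloom filter over flows
        self.arrays = [[0] * counters for _ in range(arrays)]
        self.sources = set()                          # hosts to evaluate offline

    @staticmethod
    def _hash(tag, key, mod):
        digest = hashlib.blake2b(f"{tag}|{key}".encode(), digest_size=8).digest()
        return int.from_bytes(digest, "big") % mod

    def _is_new_flow(self, src, dst):
        new = False
        for i in range(2):                            # two Bloom hash functions
            bit = self._hash(f"bf{i}", f"{src}>{dst}", self.nbits)
            if not self.seen[bit >> 3] & (1 << (bit & 7)):
                new = True
                self.seen[bit >> 3] |= 1 << (bit & 7)
        return new

    def observe(self, src, dst):
        """Online module: count a (src, dst) flow once, drop repeat packets."""
        if not self._is_new_flow(src, dst):
            return
        self.sources.add(src)
        for i, arr in enumerate(self.arrays):
            arr[self._hash(f"ctr{i}", src, self.m)] += 1

    def estimate(self, src):
        """Offline module: the least-polluted shared counter for this source."""
        return min(arr[self._hash(f"ctr{i}", src, self.m)]
                   for i, arr in enumerate(self.arrays))

    def superpoints(self, threshold):
        return sorted(s for s in self.sources if self.estimate(s) > threshold)

def demo():
    det = SuperpointDetector()
    for _ in range(3):                                # every packet seen 3 times
        for d in range(500):                          # constructed scanner traffic
            det.observe("10.0.0.99", f"198.18.{d // 250}.{d % 250 + 1}")
        for h in range(50):                           # constructed normal hosts
            for k in range(1, 6):
                det.observe(f"10.0.1.{h}", f"198.51.100.{k}")
    return det

if __name__ == "__main__":
    print(demo().superpoints(200))
```

Counters shared between sources can only inflate an estimate, while a Bloom filter false positive can drop a flow, so the threshold should leave margin on both sides.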