Detection and Classification of TCP/IP Network Services

K. Tan & B. Collie

Computer intruders are employing more sophisticated techniques to compromise computer systems. Once a system is compromised, intruders in most cases install remote terminal software to ensure continued, undetectable access to the victim site, bypassing standard system audit and security features.

Detection of this type of intruder activity posed a problem for investigators during a computer intrusion investigation that was recently prosecuted in Australia. As this type of software becomes more readily available to intruders, its installation poses a significant problem for both the detection and the monitoring of an intruder's activities.

This paper discusses an approach to the analysis of network traffic to detect the presence of unauthorised and anomalous network services. The aim of the project is the development of a network connection signature for each common network service, allowing the connection type to be recognised independently of port information. The service signatures can then be used to correlate port information with the observed connection type, facilitating the detection of anomalous and unauthorised network connections.

The detection of any anomalous connections may indicate the presence of unauthorised modifications to the remote host or the installation of illicit remote terminal software on that system.

A modified neural network was used to analyse the network traffic captured for the experiment. Apart from its learning and generalisation properties, the neural network engine lends the application the ability to adapt to the different network environments on which the software may be employed.
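The following is an added illustration of the port-independent signature-and-correlation idea described above; it is not the authors' code and does not reproduce their neural network. A nearest-centroid classifier with a per-service distance radius stands in for the trained network, the feature vectors (sizes and directions of a flow's first four packets), the training flows, the port table and the observed flows are all constructed for the example, and the port 47000 is an arbitrary non-standard port chosen for illustration.

```python
from math import sqrt
from statistics import mean

# Constructed training data (not from the paper): each flow is summarised by the
# sizes in bytes of its first four packets, signed by direction
# (+ client -> server, - server -> client). The values are illustrative only.
TRAINING_FLOWS = {
    "http": [[320, -1460, -1460, 52], [280, -1200, -1460, 52], [350, -1460, -900, 52]],
    "ssh":  [[21, -21, 1200, -1000], [22, -22, 1300, -1050], [21, -23, 1250, -980]],
    "smtp": [[-90, 25, -150, 18], [-85, 24, -140, 20], [-95, 26, -160, 18]],
}

# Which service each well-known port is supposed to carry (constructed table).
WELL_KNOWN_PORTS = {80: "http", 22: "ssh", 25: "smtp"}

UNRECOGNISED = "unrecognised"


def distance(a, b):
    """Euclidean distance between two feature vectors."""
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def build_signatures(flows, slack=2.0):
    """Derive one signature per service: the centroid of its training vectors
    plus a radius (largest in-class distance times `slack`). This simple
    centroid model stands in for the paper's trained neural network."""
    signatures = {}
    for svc, vecs in flows.items():
        centroid = [mean(col) for col in zip(*vecs)]
        radius = max(distance(v, centroid) for v in vecs) * slack
        signatures[svc] = (centroid, radius)
    return signatures


def classify(vector, signatures):
    """Name the nearest signature, or UNRECOGNISED when the flow lies outside
    that signature's radius (traffic unlike any service the model was trained on)."""
    svc, dist, radius = min(
        ((s, distance(vector, c), r) for s, (c, r) in signatures.items()),
        key=lambda t: t[1],
    )
    return svc if dist <= radius else UNRECOGNISED


def audit(observed, signatures, ports=WELL_KNOWN_PORTS):
    """Correlate the server port each flow was seen on with the service its
    traffic resembles. `observed` is a list of (server_port, feature_vector).
    Returns one (port, classified_service, reason) tuple per anomaly."""
    findings = []
    for port, vec in observed:
        svc = classify(vec, signatures)
        expected = ports.get(port)
        if expected is None:
            findings.append((port, svc, "service on non-standard port"))
        elif expected != svc:
            findings.append((port, svc, "port %d should carry %s" % (port, expected)))
    return findings


if __name__ == "__main__":
    sigs = build_signatures(TRAINING_FLOWS)
    # Constructed observations: an ordinary web flow, an ssh-like flow on the
    # mail port, the same flow on a high port, and unfamiliar traffic on port 22.
    observed = [
        (80, [300, -1400, -1300, 52]),
        (25, [21, -22, 1180, -990]),
        (47000, [21, -22, 1180, -990]),
        (22, [8, -8, 8, -8]),
    ]
    for finding in audit(observed, sigs):
        print(finding)
```

Only the web flow on port 80 passes; the other three are reported because the traffic type disagrees with what the port implies, which is exactly the kind of mismatch that would point at a relocated or illicit remote terminal service. The radius check matters in practice: without it the nearest-centroid rule would force every unfamiliar flow into one of the known classes instead of surfacing it as unrecognised.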