
Internet Traffic Monitoring Anomalous Behavior Detection

Conference Paper · March 2011

3 authors, including:

Gyan Prakash
Vee Eee Technologies Solution Pvt Ltd


INTERNET TRAFFIC MONITORING FOR ANOMALOUS BEHAVIOUR DETECTION:-

ABSTRACT:-

As the Internet continues to grow in size and complexity, the challenge of effectively provisioning, managing and securing it has become inextricably linked to a deep understanding of Internet traffic. Although there has been significant progress in instrumenting data collection systems for high-speed networks at the core of the Internet, developing a comprehensive understanding of the collected data remains a daunting task. This is due to the vast quantities of data and the wide diversity of end hosts, applications and services found in Internet traffic.

Recent spates of cyber attacks and the frequent emergence of applications affecting Internet traffic dynamics have made it imperative to develop effective techniques that can extract and make sense of significant communication patterns from Internet traffic data, for use in network operation and security management. In this paper we present a general methodology for building comprehensive behavior profiles of Internet backbone traffic in terms of the communication patterns of end hosts and services. Relying on data mining and entropy-based techniques, the methodology consists of significant cluster extraction, automatic behavior classification and structural modeling for in-depth interpretive analysis.

CHAPTER-1

INTRODUCTION ABOUT THE PAPER:-

Network traffic monitoring is an important aspect of network management and security. For example, observations may reveal the effects of an event such as a network failure, an operational failure or a security incident on network traffic. There are several other uses of network monitoring, such as QoS estimation and bandwidth planning, but in routine network monitoring the interest is in events. If there is no event of interest, the network manager will probably not want to "look" at the traffic; the traffic data in such cases is destined for archiving, from where it would probably be backed up on offline media or discarded.

Present monitoring systems do not have a mechanism for detecting events of interest, so it appears that the operator will either look at all the traffic or not look at it at all. In our work we attempt to detect events of interest mechanically. We use data from a wide area network to examine the utility and effectiveness of the approach. The process of mechanical event detection depends heavily on the availability and accuracy of the data, but in a standard monitoring environment there is little guarantee for these two factors. To raise the availability and accuracy of the data, we propose the deployment of multiple data collectors at geographically and network-topologically separated points. We have carried out experiments on a wide area network and have examined the combined data to see how its quality can be raised: availability and accuracy can be increased using the redundancy of the collection.

In this paper we present a general methodology for building comprehensive behavior profiles of Internet backbone traffic in terms of the communication patterns of end hosts and services. Relying on data mining and entropy-based techniques, the methodology consists of automatic behavior analysis. We validate the methodology using data sets from the core of the Internet.

LITERATURE REVIEWS:-

Recent spates of cyber attacks and the frequent emergence of applications affecting Internet traffic dynamics have made it imperative to develop effective techniques that can extract and make sense of significant communication patterns from Internet traffic data, for use in network operation and security management.

The process of mechanical event detection depends heavily on the availability and accuracy of the data, but in a standard monitoring environment there is little guarantee for these two factors. To raise the availability and accuracy of the data, we propose the deployment of multiple data collectors at geographically and network-topologically separated points. We have carried out experiments on a wide area network and have examined the combined data to show how its quality can be raised, and how availability and accuracy can be increased using the redundancy of the collection.

CHAPTER-2

SYSTEM STUDY:-

The system study phase analyzes the problem of the existing systems, defines the objectives to be attained by the solution and evaluates the various solution alternatives.

EXISTING SYSTEM:-

Recent spates of cyber attacks and the emergence of applications affecting Internet traffic dynamics have made it imperative to develop effective techniques that can make sense of significant communication patterns from Internet traffic data, for use in network operation and security management. Network monitoring alone is performed using many tools, such as Snort. Many web portals established without data mining techniques will run into serious problems as the number of users increases.

SIMPLE NETWORK MANAGEMENT PROTOCOL (SNMP)

DISADVANTAGE OF EXISTING SYSTEM:-

As the Internet continues to grow in size and complexity, the challenge of effectively provisioning, managing and securing it has become inextricably linked
to a deep understanding of Internet traffic. Although there has been significant progress in instrumenting data collection for high-speed networks at the core of the Internet, developing a comprehensive understanding of the collected data remains a daunting task. This is due to the vast quantities of data and the wide diversity of end hosts, applications and services found in Internet traffic.

There is a pressing need for techniques that can extract underlying structures and significant communication patterns from Internet traffic data for use in network operations and security management.

PROPOSED SYSTEM:-

In the proposed system we use packet header traces collected on Internet backbone links of a tier-1 ISP, which are aggregated into flows based on the well-known source IP address, destination IP address, source port, destination port and protocol fields. Since our goal is to profile traffic in terms of communication patterns, we start with the essential four-dimensional feature space.

Using this four-dimensional feature space we extract clusters of significance along each dimension, where each cluster consists of the flows with the same feature value in that dimension. This leads to four collections of interesting clusters. The first two represent collections of host behaviors, while the last two represent collections of service behaviors. In extracting significant clusters, instead of using a fixed threshold based on volume, we adopt an entropy-based approach that selects interesting clusters based on the underlying feature value distribution in the fixed dimension. Intuitively, clusters whose feature values are distinct in terms of the distribution are considered significant and extracted; the process is repeated on all the remaining clusters to find anomalous behavior.

ADVANTAGE OF PROPOSED SYSTEM:-

The methodology for profiling Internet backbone traffic 1) not only automatically discovers significant behaviors of interest from massive traffic data, but 2) also provides a possible interpretation of these behaviors, and 3) quickly identifies anomalous events involving a significant amount of traffic, e.g. large-scale scanning activities, worm outbreaks and denial of service attacks.

PROBLEM DEFINITION:-

Recent monitoring systems do not have a mechanism for detecting events of interest, so it appears that the operator will either look at all the traffic to detect events of interest or will not look at the traffic at all. In our work we attempt to mechanically detect events of interest and draw the operator's attention to these events. We use data from a wide area network to examine the utility and effectiveness of the approach. But in a standard monitoring environment there is little guarantee for these two factors, the availability and accuracy of the data. To raise the availability and accuracy of the data, we propose the deployment of multiple data collectors at geographically and network-topologically separated points.

CHAPTER-3:-

SYSTEM ANALYSIS:-

System analysis is the analysis of the problem that the information system will try to solve; it describes what the system should do.
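The cluster-extraction step of the proposed system (Chapter 2), worked through in Java as an added example; this is not the paper's code. The relative-uncertainty measure and the "peel off the heaviest values until the rest looks uniform" rule follow the entropy-based approach the text outlines; the beta = 0.9 threshold, the constructed sample flows and the behaviour labels in label() are assumptions.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Entropy-based extraction of significant clusters over the four-dimensional
 * feature space (srcIP, dstIP, srcPort, dstPort) and profiling of each cluster.
 * Added example, not the paper's code; beta, the sample flows and the labels
 * in label() are assumptions.
 */
public class SignificantClusters {

    static final String[] DIMS = {"srcIP", "dstIP", "srcPort", "dstPort"};

    /** One flow aggregated from packet headers, reduced to the four features. */
    static final class Flow {
        final String[] f = new String[4];
        Flow(String srcIp, String dstIp, int srcPort, int dstPort) {
            f[0] = srcIp; f[1] = dstIp;
            f[2] = Integer.toString(srcPort); f[3] = Integer.toString(dstPort);
        }
    }

    static double log2(double x) { return Math.log(x) / Math.log(2); }

    /** Number of flows per distinct value of dimension dim. */
    static Map<String, Integer> histogram(List<Flow> flows, int dim) {
        Map<String, Integer> h = new HashMap<>();
        for (Flow fl : flows) h.merge(fl.f[dim], 1, Integer::sum);
        return h;
    }

    /** Relative uncertainty H(X)/log2(N): 1.0 means uniform, 0.0 a single value. */
    static double relativeUncertainty(Map<String, Integer> counts) {
        int n = counts.size();
        if (n <= 1) return 0.0;
        double total = 0;
        for (int c : counts.values()) total += c;
        double h = 0;
        for (int c : counts.values()) { double p = c / total; h -= p * log2(p); }
        return h / log2(n);
    }

    /**
     * Peel off the most frequent values until the remaining distribution is close
     * to uniform (RU >= beta). The peeled values are the significant clusters of
     * this dimension; everything left is treated as background traffic.
     */
    static List<String> extract(List<Flow> flows, int dim, double beta) {
        Map<String, Integer> counts = histogram(flows, dim);
        List<Map.Entry<String, Integer>> order = new ArrayList<>(counts.entrySet());
        order.sort((a, b) -> b.getValue().compareTo(a.getValue()));
        Map<String, Integer> remaining = new HashMap<>(counts);
        List<String> significant = new ArrayList<>();
        for (Map.Entry<String, Integer> e : order) {
            if (remaining.size() <= 1 || relativeUncertainty(remaining) >= beta) break;
            remaining.remove(e.getKey());
            significant.add(e.getKey());
        }
        return significant;
    }

    /** RU of the other three dimensions within one cluster: its behaviour profile. */
    static Map<String, Double> profile(List<Flow> flows, int dim, String value) {
        List<Flow> members = new ArrayList<>();
        for (Flow fl : flows) if (fl.f[dim].equals(value)) members.add(fl);
        Map<String, Double> ru = new LinkedHashMap<>();
        for (int d = 0; d < 4; d++)
            if (d != dim) ru.put(DIMS[d], relativeUncertainty(histogram(members, d)));
        return ru;
    }

    /** Crude labels (assumption): one source fanning out to many hosts on one port looks like a scan. */
    static String label(int dim, Map<String, Double> ru) {
        if (dim == 0 && ru.get("dstIP") > 0.9 && ru.get("dstPort") < 0.1) return "scan-like source";
        if (dim == 1 && ru.get("srcIP") > 0.9 && ru.get("dstPort") < 0.1) return "server-like destination";
        return "unclassified";
    }

    public static void main(String[] args) {
        List<Flow> flows = new ArrayList<>();        // constructed sample, not a real trace
        for (int i = 1; i <= 20; i++)                // one host probing port 445 across a /24
            flows.add(new Flow("10.0.0.9", "192.0.2." + i, 40000 + i, 445));
        for (int i = 1; i <= 20; i++)                // twenty clients using one web server
            flows.add(new Flow("198.51.100." + i, "203.0.113.80", 50000 + i, 80));
        for (int i = 1; i <= 30; i++)                // background: distinct host pairs and ports
            flows.add(new Flow("172.16." + i + ".1", "172.17." + i + ".2", 1024 + i, 2048 + i));

        for (int dim = 0; dim < 4; dim++) {          // four collections of clusters, one per dimension
            for (String v : extract(flows, dim, 0.9)) {
                Map<String, Double> ru = profile(flows, dim, v);
                System.out.printf("%-7s %-14s %s %s%n", DIMS[dim], v, ru, label(dim, ru));
            }
        }
    }
}
```

On the sample, srcIP 10.0.0.9 and dstIP 203.0.113.80 are extracted with RU(dstIP) or RU(srcIP) of 1.0 and RU(dstPort) of 0.0, while the srcPort dimension yields no cluster because its distribution is already uniform.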
PACKAGE SELECTED:-

The package selected to develop the project is JDK 1.5 and the WinPcap tool. The selected package has more advanced features. As the system is to be developed in the networking domain, we preferred Java 2 Standard Edition, which supports all the class libraries. Windows XP with all features is selected as the development operating system on which to install and develop the system on the Java platform.

Windows XP Professional offers a number of features unavailable in the Home edition, including:
• The ability to become part of a Windows Server domain, a group of computers that are remotely managed by one or more central servers.
• Remote Desktop server, which allows a PC to be operated by another Windows XP user over a local area network or the Internet.
• Offline files and folders, which allow the PC to automatically store a copy of files from another network computer and work with them while disconnected from the network.
• Centralized administration features, including group policies, automatic software installation and maintenance, roaming user profiles and Remote Installation Services (RIS).
• Internet Information Services (IIS), Microsoft's HTTP and FTP server.
• Support for two physical central processing units (CPUs).
• Windows Management Instrumentation Control (WMIC). WMIC is a command-line tool designed to ease WMI information retrieval about a system by using keywords (aliases).

RESOURCE REQUIRED:-

Planning and analyzing the resources is also one of the major parts of the SDLC, so that the project can be completed in the given time. In this we need to analyze the availability of the resources that are required to design, develop, implement and test the project; the resources to analyze are the employees' time and the SRS. Teams of three members are involved in the entire SDLC life cycle except the testing phase; the testing phase is guided by a manual tester before hosting the application in the server space. The time analyzed to complete this project is approximately two months, with 4 hours on a daily basis except weekends. The SRS is prepared and provided as per the URS.

FEASIBILITY STUDY:

The feasibility study determines whether the solution is achievable given the organization's resource constraints; by performing the feasibility study the scope of the system is defined completely. Most computer systems are developed to satisfy a known user requirement. This means that the first event in the life cycle of a system is usually the task of studying whether it is feasible to computerize the system under consideration or not. Once the decision is made, a report is forwarded, known as the feasibility report. Feasibility is studied under three contexts:

a) Technical feasibility
b) Economic feasibility
c) Operational feasibility

A) TECHNICAL FEASIBILITY:-

What resources are available for the given developer system? Is the problem worth solving? In the proposed system, technical feasibility centres on the existing computer system and to what extent it can support the proposed system. Therefore we now need to install the software on the existing system for this project, and operation of this system requires knowledge about Windows XP, Windows Professional, Eclipse and JDK 1.3; assistance would be easily available. Even though these technical requirements are needed to implement the system, the code is generated and compiled, and the executable code of the project is sufficient for the application; hence the proposed system is feasible.

B) ECONOMIC FEASIBILITY:-

Economic feasibility is used for evaluating the effectiveness of a candidate system. The procedure is to determine the cost benefits/savings that are expected from a candidate system and compare them with the cost. If the cost is less and the benefit is high, then the decision is made to design and implement the system. Regarding maintenance, since the source code will be with the company, the small necessary changes can be done with minimal maintenance cost. The organization has to spend an amount on technology as the present system is not computerized; the performance is high when compared to the previous system. So for the organization the cost factor is acceptable, and it is economically feasible. If installed it will certainly be beneficial, since there will be a reduction in manual work and an increase in the speed of work, thereby increasing the profit of the company and saving time. As the proposed system uses Jpcap, a free download tool, the system is economically feasible.

C) OPERATIONAL FEASIBILITY:-

The network traffic profiling and monitoring system is mainly developed to monitor the traffic in the network; this is done by using the Jpcap tool. The system should include features like:
• Extract the parameters from the client network.
• Monitor the parameters in the list view.
• Analyze the anomalous packets.
The main problem in developing a new system is getting acceptance and cooperation from the users, who are reluctant to operate a new system. The software being developed is more interactive with the developing system; it is instantaneous; moreover even a new person can operate the system and easily execute it. So it is operationally feasible.

[Figure: User network diagram]

CHAPTER-4

SYSTEM DESIGN:

In this design phase of the SDLC both the logical and physical design specifications for the system solution are produced. The modules are:

1) NETWORK DESCRIPTION
2) PACKET ANALYSIS
3) PACKET ANALYSIS
4) GRAPHICAL INTERFACE

Module description:-
Network Monitor Packet Capture:
This feature provides the facility of capturing network packets. Each packet is parsed and the packet header details are listed in a table; the packets can be stored in a serialized format. The packets can be stored in a file and retrieved later for viewing and analysis. When a packet comes up with a new form of attack on the network, it often takes the security community a while to determine the method used. An aircraft's black box is used to analyze the cause of a crash; we believe a similar capability is needed for networks. Being able to quickly learn how an attack works will shorten the effective useful lifetime of the attack.

PACKET FILTERING:-
The captured packets can be filtered for display according to the packet type. The packets can be filtered by protocol type: TCP (Transmission Control Protocol), ARP (Address Resolution Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol) and IGMP (Internet Group Management Protocol).

ADVANTAGE:
• Easy to install: packet filters make use of the current network router, therefore implementing a packet filter security system is typically less complicated than other network security software.
• Support high speed: with a simple network configuration, packet filters can be fast since there is a direct connection between internal users and external hosts; data can be transmitted at host speed.
• Makes security transparent to end users: because packet filters work at the level of the network router, filtering is transparent to the end user, which makes using client applications much easier.
• Build customized capture and display filters.
• Tap into local network communication.
• Graph network traffic patterns to visualize the data flowing across your network.
• Build statistics and reports to help you better explain technical network information to non-technical users.

DISADVANTAGE:-
• Leaves data susceptible to exposure: with packet filters, users connect directly, network to network. A direct connection leaves data susceptible to exposure; for example, if a user address is taken from the data stream, network security can be compromised.
• Offers little flexibility: creating complex access rules with packet filters can be difficult; with segmented local area networks it is hard to configure rule sets for users with different access privileges.
• Maintains no state related to communication: packet filters make decisions based on individual packets and not on the "context" of the traffic. This will not provide good security, as can be seen from the example: in the case of a packet filter, either we need to open all ports greater than some number (1023) or else FTP will fail.
• Offers no user-based authentication: packet filters are restricted to denying or granting access based on source or destination address and ports. There is no way for a packet filter to authenticate information coming from a specific user.

PACKET ANALYSIS:-

The detailed packet information is displayed below:

[Figure: detailed packet information]

GRAPHICAL INTERFACE:-
A graphical user interface (GUI) is a type of user interface which allows people to interact with electronic devices such as computers, hand-held devices such as MP3 players, portable media players or gaming devices, household appliances and office equipment. A GUI offers graphical icons and visual indicators, as opposed to text-based interfaces, typed command labels or text navigation, to fully represent the information and actions available to the user. The actions are us
ually performed through direct manipulation of the graphical elements. We have implemented an easy-to-use window-based graphical user interface.

Special Feature of Language Utility

Introduction to Java:-

J2SE is a collection of Java program APIs (application programming interfaces) that is very useful for many Java platform programs. It is derived from one of the most popular programming languages, known as "Java", and is one of the three basic editions of Java, known as Java Standard Edition, being used for writing applets and other web-based applications. The J2SE platform has been developed under the Java umbrella and is primarily used for writing applets and other Java-based applications. It is mostly used for individual computers. An applet is a type of fast-working subroutine of Java that is platform independent but works within other frameworks. It is a minimal application that performs a variety of functions, large and small, ordinary and dynamic, within the framework of a larger application.

J2SE provides the facility for the user to see Flash movies or hear audio files by clicking on a web page link. As the user clicks, the page goes into the browser environment and begins the process of launching an application within an application to play the requested video or sound. Many online games are being developed on J2SE. JavaBeans can also be developed by using J2SE.

About Swing Design:-

Project Swing is the part of the Java Foundation Classes (JFC) software that implements a set of GUI components with a pluggable look and feel. Project Swing is implemented entirely in the Java programming language and is based on the JDK 1.1 lightweight UI framework. The pluggable look and feel lets you design a single set of GUI components that can automatically have the look and feel of any OS platform (MS Windows, Solaris and Macintosh). Project Swing components include both 100% pure Java certified versions of the existing AWT component set (Button, Scrollbar, List, Table, Checkbox, TextField, TextArea) plus a rich set of higher-level components (such as tree view, list box and tabbed panes).
ABOUT JPCAP TOOL:-

Jpcap is an open source library for capturing and sending network packets from Java applications. It provides facilities to:
• Capture raw packets live from the wire.
• Save captured packets to an offline file, and read captured packets from the offline file.
• Automatically identify packet types (for Ethernet, IPv4, IPv6, ARP/RARP, TCP, UDP and ICMPv4).
• Send raw packets to the network.

Jpcap is based on libpcap/WinPcap and is implemented in C and Java. Jpcap has been tested on Microsoft Windows (98/2000/XP/Vista), Linux (Fedora, Ubuntu), Mac OS X (Darwin), FreeBSD and Solaris.

Kinds of applications to be developed using Jpcap: Jpcap can be used to develop many kinds of network applications, including:
a) Network and protocol analyzers
b) Traffic triggers
c) Traffic generators
d) User-level bridges and routers
e) Network scanners
f) Security tools

WHAT JPCAP CAN'T DO:
Jpcap captures and sends packets independently from the host protocol stack. This means that Jpcap doesn't block, filter or manipulate the traffic generated by other programs on the same machine. It simply "sniffs" the packets that transit on the wire; therefore it doesn't provide appropriate support for applications like traffic shapers, QoS schedulers and personal firewalls.

Improved Performance:-

The performance of both client and server applications has been significantly improved in J2SE 5.0.

Monitoring and Manageability:-

J2SE 5.0 brings an advanced monitoring and manageability framework into the Java Virtual Machine (JVM) for the Java platform. You can use your existing management consoles with the industry-standard JMX and SNMP protocols to monitor a JVM and even detect low-memory conditions. The JDK release provides a demo called JConsole. It lets you evaluate the benefits of monitoring the JVM and see how you can exceed your availability metrics.

New Look and Feel:-

The Java platform already contains a pluggable look and feel framework; the addition of the new Ocean look and feel enables cross-platform applications to switch between Ocean and the native operating system look and feel without the need to rebuild or recompile them.

Reduced Startup Time:-

If you haven't started a desktop Java application in the last few years, you may be in for a pleasant surprise. The introduction of class data sharing (in combination with streamlined class loading) has shaved nearly 30% off the startup time for some applications.

Great 64-bit Performance:-

The J2SE 5.0 64-bit JVM delivered record results with AMD64/Opteron CPUs and SUSE Linux Enterprise Server 8.0 (SLES 8.0). In addition, the 32-bit version of the JRE can run side by side under the
same 64-bit OS for use with existing 32-bit web browsers.

Performance Ergonomics:-

The JVM is now self-configuring and self-tuning on server-class machines (a server-class machine has two or more CPUs and at least 2 GB of memory). The server-based performance ergonomics kick in by right-sizing both the memory required and the class of optimizations needed for longer-lived applications. This has resulted in an 80% improvement on one application server benchmark without changing a line of code or supplying any runtime options.

Reduced Development Time:-

Integrated development environments (IDEs) have tried to make developers' lives a little easier with auto-completion and wizards for common tasks. J2SE 5.0's new language features further streamline development, whether you use an IDE or hand-code in a text editor.

Reduced Need for Developer Coding:-

Many of the Java language changes reduce the amount of code a developer has to write. The following figure quantifies the reduction in comparison to J2SE 1.4.2. To take a real-life example, one open source application server uses over 2,000 iterators; by substituting the new enhanced for loop, the code would be reduced by up to 4,000 characters.

Obtain the List of Network Interfaces:-

To capture packets from a network, the first thing you have to do is obtain the list of network interfaces on your machine. To do so, Jpcap provides the JpcapCaptor.getDeviceList() method; it returns an array of NetworkInterface objects. A NetworkInterface object contains some information about the corresponding network interface, such as its name, description, IP and MAC addresses, and data-link name and description.

Open Network Interface:-

After obtaining the list of network interfaces, choose which network interface to capture packets from and open it by using the JpcapCaptor.openDevice() method. The following piece of code illustrates how to open a network interface.

Capture Packets from the Network Interface:-

After obtaining an instance of JpcapCaptor, you can capture packets from the interface. There are two major approaches to capturing packets using a JpcapCaptor instance: using a callback method, and capturing packets one by one. To use the callback method, call either the JpcapCaptor.processPacket() or the JpcapCaptor.loopPacket() method to start capturing. When calling processPacket() or loopPacket(), also specify the number of packets to capture before the method returns; specify -1 to continue capturing packets infinitely. The two callback methods processPacket() and loopPacket() are very similar. Usually you might want to use processPacket() because it supports timeouts and non-blocking mode, while loopPacket() does not.

Capturing Packets One by One:-

Using the callback method is a little bit tricky because you don't know when the callback method is called by Jpcap. If you don't want to use the callback method, you can also capture packets using the JpcapCaptor.getPacket() method, which simply returns a captured packet. You have to call getPacket() multiple times to capture consecutive packets.
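The Jpcap steps described in these sections (device list, openDevice, callback capture, getPacket), combined with the capture filter, dump file and read-back calls the later sections describe, as one runnable program. This is an added example and not the project's code; it assumes jpcap.jar and its native libpcap/WinPcap dependency are installed, and the interface choice in pickDevice(), the describe() helper, the packet count and the dump-file name are assumptions.

```java
import java.io.IOException;
import jpcap.JpcapCaptor;
import jpcap.JpcapWriter;
import jpcap.NetworkInterface;
import jpcap.PacketReceiver;
import jpcap.packet.IPPacket;
import jpcap.packet.Packet;
import jpcap.packet.TCPPacket;

/**
 * Jpcap capture pipeline: list interfaces, open one, keep only IPv4/TCP, capture a
 * fixed number of packets through a callback while dumping them to a tcpdump-format
 * file, then read the file back packet by packet.  Added example, not the project's
 * code; it assumes jpcap.jar and its native libpcap/WinPcap dependency are installed.
 */
public class JpcapMonitor {

    /** Pick the first interface that has an address assigned (assumption: fine for a demo). */
    static NetworkInterface pickDevice() {
        for (NetworkInterface dev : JpcapCaptor.getDeviceList()) {
            if (dev.addresses != null && dev.addresses.length > 0) return dev;
        }
        throw new IllegalStateException("no usable network interface found");
    }

    /** One-line summary of a packet, the kind of row the packet table would list. */
    static String describe(Packet p) {
        if (p instanceof TCPPacket) {
            TCPPacket t = (TCPPacket) p;
            return String.format("TCP %s:%d -> %s:%d len=%d",
                    t.src_ip.getHostAddress(), t.src_port,
                    t.dst_ip.getHostAddress(), t.dst_port, p.len);
        }
        if (p instanceof IPPacket) {
            IPPacket ip = (IPPacket) p;
            return String.format("IP proto=%d %s -> %s", ip.protocol,
                    ip.src_ip.getHostAddress(), ip.dst_ip.getHostAddress());
        }
        return "non-IP frame len=" + p.len;
    }

    public static void main(String[] args) throws IOException {
        final int count = args.length > 0 ? Integer.parseInt(args[0]) : 20;
        final String dumpFile = "capture.dump";        // assumed file name, tcpdump format

        NetworkInterface dev = pickDevice();
        System.out.println("capturing on " + dev.name + " (" + dev.description + ")");

        // snaplen 65535 bytes, promiscuous mode off, 20 ms read timeout
        JpcapCaptor captor = JpcapCaptor.openDevice(dev, 65535, false, 20);
        // BPF filter applied by the capture driver; true = optimise the filter program
        captor.setFilter("ip and tcp", true);
        final JpcapWriter writer = JpcapWriter.openDumpFile(captor, dumpFile);

        // Callback capture: returns after count packets (-1 would run until closed)
        captor.processPacket(count, new PacketReceiver() {
            public void receivePacket(Packet packet) {
                System.out.println("live   " + describe(packet));
                writer.writePacket(packet);           // append to the dump file
            }
        });
        writer.close();
        captor.close();

        // One-by-one reading: openFile() also yields a JpcapCaptor, so getPacket()
        // works unchanged; Packet.EOF marks the end of the file.
        JpcapCaptor replay = JpcapCaptor.openFile(dumpFile);
        int read = 0;
        for (Packet p = replay.getPacket(); p != null && p != Packet.EOF; p = replay.getPacket()) {
            System.out.println("replay " + describe(p));
            read++;
        }
        replay.close();
        System.out.println(read + " packets read back from " + dumpFile);
    }
}
```

Live capture needs the privileges the underlying libpcap/WinPcap driver requires; the replay half runs on any saved dump file.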
Set Capturing Filter:-

In Jpcap you can set a filter so that Jpcap doesn't capture unwanted packets. For example, the filter expression "ip and tcp" keeps only the packets that are both IPv4 and TCP and delivers them to the application. By properly setting a filter, you can reduce the number of packets to examine and thus improve the performance of your application.

Save Captured Packets into a File:-

You can save captured packets into a binary file so that they can be reviewed later using Jpcap or other applications that support reading the tcpdump format file. To save captured packets, first open a file by calling the JpcapWriter.openDumpFile() method with the instance of JpcapCaptor that is used to capture packets and a filename string. After obtaining an instance of JpcapWriter through openDumpFile(), save captured packets using the JpcapWriter.writePacket() method. After saving all the packets, call the JpcapWriter.close() method to close the opened file.

In Jpcap you can read the packets saved using JpcapWriter by opening the file with the JpcapCaptor.openFile() method. Similar to the JpcapCaptor.openDevice() method, the JpcapCaptor.openFile() method also returns an instance of the JpcapCaptor class, so you can use the same ways described in the "Capture Packets from the Network Interface" section to read packets from the file.

To send packets to the network using Jpcap, you need to obtain an instance of JpcapSender using the JpcapSender.openDevice() or JpcapCaptor.getJpcapSenderInstance() methods. After obtaining an instance of JpcapSender, pass an instance of the Packet class to the JpcapSender.sendPacket() method.

Introduction to Eclipse Tool:-

Eclipse is an extensible open source IDE (integrated development environment). The project was originally launched in November 2001, when IBM donated $40 million worth of source code from WebSphere Studio Workbench and formed the Eclipse Consortium to manage the continued development of the tool.

The stated goals of Eclipse are "to develop a robust, full-featured, commercial-quality industry platform for the development of highly integrated tools". To that end, the Eclipse Consortium has been focused on three major projects:

1. The Eclipse Project is responsible for developing the Eclipse IDE workbench (the platform hosting Eclipse tools), the Java Development Tools (JDT) and the Plug-in Development Environment (PDE) used to extend the platform.

2. The Eclipse Tools Project is focused on creating best-of-breed tools for the Eclipse platform. Current subprojects include a COBOL IDE, a C/C++ IDE and the EMF modeling tool.

3. The Eclipse Technology Project focuses on technology research, incubation and education using the Eclipse platform.

The Eclipse platform, when combined with the JDT, offers many features you would expect from a commercial-quality IDE: a syntax-highlighting editor, incremental code compilation, a thread-aware source-level debugger, a class navigator, a file/project manager, and interfaces to standard source control systems such as CVS and ClearCase.

Eclipse also includes a number of unique features such as code refactoring, automated code updates and installs (via the Update Manager), a task list, support for unit testing with JUnit, and integration with the Jakarta Ant build tool.

Despite its large number of standard features, Eclipse is different from traditional IDEs in a number of fundamental ways. Perhaps the most interesting feature of Eclipse is that it is completely platform and language neutral. In addition to the eclectic mix of languages supported by the Eclipse Consortium (Java, C and C++), there are also projects underway to add support for languages as diverse as Python, Eiffel, Ruby and C# to Eclipse.

Platform-wise, the Eclipse Consortium provides pre-built binaries for Windows, Linux, Solaris, HP-UX, AIX, QNX and Mac OS X. Much of the interest in Eclipse centres around the plug-in architecture and the rich APIs provided by the Plug-in Development Environment for extending Eclipse. Adding support for a new type of editor, viewer or programming language is remarkably easy, given the well-designed API and rich building blocks that Eclipse provides. With hundreds of plug-in development projects in progress, industry giants like IBM, HP and Rational (just acquired by IBM) providing resources, and design heavyweights like Erich Gamma helping to guide the process, the future indeed looks bright for Eclipse.

[Figure: Architectural design]

ARCHITECTURAL DESIGN:-
The architecture diagram shows the relationships between the different components of the system. The diagram is very important for understanding the overall concept of the system.

RESULT:-
Test cases are created manually in an MS Excel sheet for the bugs in each module and validated again using the waterfall model.

CHAPTER:5

CONCLUSION:-

In this paper we introduced our monitoring and analysis activities. Regarding the monitoring activities, we showed our environment in the local network; regarding the analysis activities, we showed our monitoring items, one being traffic volume and the other latency. We also discussed event detection with these statistics applied to network management. We plan to study the following as future work. We will estimate the accuracy of the detectors of indications of events. We shall also evaluate the suitability of the traffic models for detecting events. We shall investigate the area of event classification, for example the relationship between indices.

SUBMITTED:-
GYAN PRAKASH

(E-mail: prakashgyan90@yahoo.com)

MITHLESH KUMAR

(E-mail: prabhatk02@gmail.com)

BRANCH:- CSSE

Vinayaka Missions University

AARUPADAI VEEDU INSTITUTE OF TECHNOLOGY, PAYANOOR, CHENNAI, TAMILNADU (INDIA)
