Fast TCP Flood Detector (FTFD)

Author

Cejka, Tomas, Ing. <tomas.cejka(AT)fit.cvut.cz>

Supervisor

Blazek, Rudolf, Mgr., Ph.D. <rblazek(AT)fit.cvut.cz>

Date

9.3.2014

About FTFD

Fast TCP Flood Detector (FTFD) is a program for anomaly detection. It can be used for detection of abrupt change of statistical distribution of specific packets in network traffic. The program can process traffic from network interface controller of from file with stored network traffic in PCAP format.

FTFD is based on computation of ratio of TCP packet counts as in [1]. FTFD computes ratios of packets with SYN, FIN, and ACK TCP flags. Ratio of counts is used as an input of a detection algorithm. The program was tested with Non-Parametric Cumulative Sum (NP-CUSUM) detection method, described in [2]. NP-CUSUM is used for detection of abrupt change of statistical distribution of observed random variable.

Source Package

Dependencies

FTFD depends on libPCAP and libcpd libraries. LibPCAP is required and it is used for receiving of input data from network interface controller or from PCAP file. LibPCAP can be found on tcpdump website.

Libcpd is a library, developed in cooperation with CESNET, a.l.e., that contains implementation of various Change-Point Detection methods. The library is still under development and was used for anomaly detection in FTFD. The library contains the implementation of Non-Parametric Cumulative Sum (NP-CUSUM) [2]. In case of interest about libcpd, please contact the author: Tomas Cejka.

Installation

Installation can be done by standard commands:

./bootstrap.sh; ./configure && make && make install;

The process of compilation and installation can be configured by various parameters. See generated configure help by:

./configure --help

Program Parameters

-d|--dump=<pcap-dump filepath>Store traffic into PCAP file
-f|--file=<input filepath>Get input traffic from PCAP file
-h|--helpShow help
-o|--output=<output filepath> Store output ratios into file
-n|--number=<fixed number of packets>Count ratio after every n packets
-s|--source=any|eth0|...Get input traffic from NIC
-t|--timeout=<seconds>Count ratio ever n seconds
When compiled with libcpd:
-T|--train (train mode)Try to optimize parameters of NP-CUSUM
-c|--cpdparams "normest:attaest:tunning:threshold"Set parameters of NP-CUSUM

Licence

All source codes can be freely shared under GNU GPLv3.

References

[1] H. Wang, D. Zhang, and K. Shin, "Detecting syn flooding attacks," in INFOCOM 2002. Twenty-First Annual Joint Conference of the IEEE Computer and Communications Societies. Proceedings. IEEE, vol. 3, 2002, pp. 1530–1539.
[2] A. G. Tartakovsky, B. L. Rozovskii, R. Bla┼żek, and H. Kim, "A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods," IEEE TRANSACTIONS ON SIGNAL PROCESSING, vol. 54, no. 9, pp. 3372–3382, 2006.