Cejka, Tomas, Ing. <tomas.cejka(AT)fit.cvut.cz>
Blazek, Rudolf, Mgr., Ph.D. <rblazek(AT)fit.cvut.cz>
Fast TCP Flood Detector (FTFD) is a program for anomaly detection. It can be used to detect an abrupt change in the statistical distribution of specific packets in network traffic. The program can process traffic either from a network interface controller or from a file with stored network traffic in PCAP format.
FTFD is based on the computation of ratios of TCP packet counts as in . FTFD computes ratios of packets with the SYN, FIN, and ACK TCP flags set. The ratio of counts is used as the input of a detection algorithm. The program was tested with the Non-Parametric Cumulative Sum (NP-CUSUM) detection method, described in . NP-CUSUM is used to detect an abrupt change in the statistical distribution of an observed random variable.
FTFD depends on the libPCAP and libcpd libraries. LibPCAP is required; it is used for receiving input data from a network interface controller or from a PCAP file. LibPCAP can be found on the tcpdump website.
Libcpd is a library, developed in cooperation with CESNET, a.l.e., that contains implementations of various Change-Point Detection methods. The library is still under development and was used for anomaly detection in FTFD. The library contains the implementation of Non-Parametric Cumulative Sum (NP-CUSUM) . If you are interested in libcpd, please contact the author: Tomas Cejka.
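The detection pipeline described above, as an added example that is not FTFD's or libcpd's own code: a constructed packet trace is split into windows of n packets (as with -n), a SYN/ACK count ratio is computed per window, and the ratio series is fed to an NP-CUSUM recursion. The choice of SYN/ACK as the ratio, the mapping of normest/attaest/tuning/threshold onto the recursion's drift and alarm level, and the sample traffic are assumptions made here.

```python
# Constructed sample input: one entry per packet, the TCP flags it carries
# (S = SYN, A = ACK, F = FIN). Normal handshakes/teardowns, then a SYN flood.
NORMAL = ["S", "SA", "A", "A", "A", "FA", "A", "FA"] * 10
FLOOD = ["S", "S", "S", "A"] * 20
PACKETS = NORMAL + FLOOD


def syn_ack_ratio(window):
    """Ratio of SYN-flagged to ACK-flagged packets in one window.
    (Assumed feature; the page does not state which ratio FTFD uses.)"""
    syn = sum("S" in flags for flags in window)
    ack = sum("A" in flags for flags in window)
    return syn / max(ack, 1)  # guard an all-SYN window with no ACKs at all


def np_cusum(samples, normest, attaest, tuning, threshold):
    """Non-parametric CUSUM (Page's recursion). Assumed parameter mapping:
    the drift lies between the normal-state mean (normest) and the attack-state
    mean (attaest), placed by tuning in [0, 1]. Returns the index of the first
    window where the statistic reaches the threshold, or None if it never does."""
    drift = normest + tuning * (attaest - normest)
    y = 0.0
    for i, x in enumerate(samples):
        # Normal windows (x < drift) pull the statistic back towards zero;
        # attack windows (x > drift) accumulate until the threshold is crossed.
        y = max(0.0, y + (x - drift))
        if y >= threshold:
            return i
    return None


def detect(packets, n=20, **params):
    """Mimic -n: compute the ratio after every n packets and feed NP-CUSUM."""
    ratios = [syn_ack_ratio(packets[i:i + n]) for i in range(0, len(packets), n)]
    return ratios, np_cusum(ratios, **params)


if __name__ == "__main__":
    ratios, alarm = detect(PACKETS, normest=0.3, attaest=1.5, tuning=0.5, threshold=3.0)
    print("ratios per window:", [round(r, 2) for r in ratios])
    print("alarm at window index:", alarm)  # None means no change detected
```

With these parameters the four normal windows keep the statistic at zero, and the alarm fires on the second flood window, showing how CUSUM accumulates evidence rather than reacting to a single high ratio.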
Installation can be done by standard commands:
./bootstrap.sh; ./configure && make && make install;
The process of compilation and installation can be configured by various parameters. See the generated configure help by running:
|Short option|Long option|Description|
|---|---|---|
|-d|--dump=<pcap-dump filepath>|Store traffic into a PCAP file|
|-f|--file=<input filepath>|Get input traffic from a PCAP file|
|-o|--output=<output filepath>|Store output ratios into a file|
|-n|--number=<fixed number of packets>|Compute the ratio after every n packets|
|-s|--source=<NIC, e.g. any or eth0>|Get input traffic from a NIC|
|-t|--timeout=<seconds>|Compute the ratio every n seconds|
|-T|--train (train mode)|Try to optimize the parameters of NP-CUSUM|
|-c|--cpdparams "normest:attaest:tunning:threshold"|Set the parameters of NP-CUSUM|
All source code can be freely shared under the GNU GPLv3.