Fast TCP Flood Detector (FTFD)

Author

Cejka, Tomas, Ing. <tomas.cejka(AT)fit.cvut.cz>

Supervisor

Blazek, Rudolf, Mgr., Ph.D. <rblazek(AT)fit.cvut.cz>

Date

9.3.2014

About FTFD

Fast TCP Flood Detector (FTFD) is a program for anomaly detection. It can be used for detection of abrupt change of statistical distribution of specific packets in network traffic. The program can process traffic from network interface controller of from file with stored network traffic in PCAP format.

FTFD is based on computation of ratio of TCP packet counts as in [1]. FTFD computes ratios of packets with SYN, FIN, and ACK TCP flags. Ratio of counts is used as an input of a detection algorithm. The program was tested with Non-Parametric Cumulative Sum (NP-CUSUM) detection method, described in [2]. NP-CUSUM is used for detection of abrupt change of statistical distribution of observed random variable.

Source Package

• ftfd-1.0.0.tar.gz

Dependencies

FTFD depends on libPCAP and libcpd libraries. LibPCAP is required and it is used for receiving of input data from network interface controller or from PCAP file. LibPCAP can be found on tcpdump website.

Libcpd is a library, developed in cooperation with CESNET, a.l.e., that contains implementation of various Change-Point Detection methods. The library is still under development and was used for anomaly detection in FTFD. The library contains the implementation of Non-Parametric Cumulative Sum (NP-CUSUM) [2]. In case of interest about libcpd, please contact the author: Tomas Cejka.

Installation

Installation can be done by standard commands:

./bootstrap.sh; ./configure && make && make install;

The process of compilation and installation can be configured by various parameters. See generated configure help by:

./configure --help

Program Parameters

Licence

All source codes can be freely shared under GNU GPLv3.

References