search menu icon-carat-right cmu-wordmark

Identifying Anomalous Network Traffic Through the Use of Client Port Distribution

White Paper
In this paper, Josh Goldfarb introduces an approach to IP flow analysis that examines server ports and client ports that exchange flows with them.

Software Engineering Institute


This particular approach to IP flow analysis examines server ports (0 to 1023) and the client ports that exchange flows with those server ports. This analysis operates under the assumption that for each server port, the number of flows from each port chosen by client machines should be relatively uniform. In other words, similar numbers of flows from each of the chosen client ports to a given server port are expected. If a large deviation from the norm is observed, that traffic is considered to be of interest and is flagged for further analysis. US-CERT has tested this analysis technique on a large, enterprise network with a large amount of network flow data. Details of this method of analysis are discussed in the next section of this paper.

Part of a Collection

FloCon 2006 Collection

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.