Identifying Anomalous Network Traffic Through the Use of Client Port Distribution
This particular approach to IP flow analysis examines server ports (0 to 1023) and the client ports that exchange flows with those server ports. This analysis operates under the assumption that for each server port, the number of flows from each port chosen by client machines should be relatively uniform. In other words, similar numbers of flows from each of the chosen client ports to a given server port are expected. If a large deviation from the norm is observed, that traffic is considered to be of interest and is flagged for further analysis. US-CERT has tested this analysis technique on a large, enterprise network with a large amount of network flow data. Details of this method of analysis are discussed in the next section of this paper.