Question about inter arrival flow times.

Agents Fel Cvut sebastian.garcia at agents.fel.cvut.cz
Thu Aug 15 10:20:07 EDT 2013 

Hi list.

I'm working right now on a machine learning method to detect the
botnet behavior on the network.
I was trying to find out if it is possible to extract a metric that I
will call "inter flow arrival time". I need to have the same
information as in the inter packet arrival times, but for flows.

The idea is that when you group flows using racluster, I can't know
how were the flows 'distributed' over time.

Let me show you an example of what I need:

Imagine that you have these unidirectional flows:

StartTime                  Dur      RunTime  Proto SrcAddr Sport
Dir DstAddr Dport   State Tos TotPkts   TotBytes    Trans   Mean
StdDev   Rate
2011/08/17 12:30:09.866165 0.048681 0.048681 tcp x.x.x.x 1027 ->
y.y.y.y 80 sER 0 4 629 1 0.048681 0.000000 61.625688
2011/08/17 12:30:09.873948 0.032258 0.032258 tcp x.x.x.x 1027 <-
y.y.y.y 80 SEC 0 3 253 1 0.032258 0.000000 62.000124
2011/08/17 15:50:40.572955 0.016209 0.016209 tcp x.x.x.x 2597 ->
y.y.y.y 80 sER 0 3 182 1 0.016209 0.000000 123.388236
2011/08/17 15:50:40.588790 0.000000 0.000000 tcp y.y.y.y 80 -> x.x.x.x
2597 S   0 1 62  1 0.000000 0.000000 0.000000
2011/08/17 16:19:57.888519 1.951620 1.951620 tcp x.x.x.x 1795 ->
y.y.y.y 80 sER 0 5 675 1 1.951620 0.000000 2.049579
2011/08/17 16:19:57.896315 0.009000 0.009000 tcp x.x.x.x 1795 <-
y.y.y.y 80 SEC 0 3 308 1 0.009000 0.000000 222.222232

You can see 6 flows and you know the inter arrival flow time because
you can compute it from the start time.


You can also use bidirectional flows and you will have these flows:

StartTime                  Dur      RunTime Proto SrcAddr Sport    Dir
DstAddr   Dport  State SrcJitter DstJitter Tos TotPkts TotBytes Trans
Mean     Stddev Rate   SIntPkt SIntDist SIntPktAc SIntActDi SIntPIdl
SIntIdlDist
2011/08/17 12:30:09.866165 0.048681 0.048681 tcp x.x.x.x 1027 ->
y.y.y.y 80 sSER 17.219834 7.567 0   7     882   1  0.048681 0
123.251 16.227  0     16.227    16.129    0        16.129
2011/08/17 15:50:40.572955 0.016209 0.016209 tcp x.x.x.x 2597 ->
y.y.y.y 80 sSER 7.9475    0     0   4     244   1  0.016209 0
185.082 8.1045  0     8.1045    8.10      0        0
2011/08/17 16:19:57.888519 1.951620 1.951620 tcp x.x.x.x 1795 ->
y.y.y.y 80 sSER 733.31775 4.204 0   8     983   1  1.95162  0
3.58676 487.905 0     487.905   4.5       0        4.5

You can see 3 bidirectional flows. Now you still can compute the inter
flow arrival time using the start time. In this case the inter flow
arrival time should be:
Between flow 1 and 2: 12,030.71 seconds
Between flow 2 and 3: 1,757.32  seconds

However, if you use racluster to group together the flows, you will get

StartTime                           Dur        RunTime Pro SrcAddr
Sport Dir DstAddr Dport     State SrcJit DstJi Tos TotP TotBy Tr Mean
 StdDev Rate   SIntPkt SIntD SIntPA SIntActD SIntPI SIntID
2011/08/17 12:30:09.866165 13789.973* 2.01651 tcp x.x.x.x 0 -> y.y.y.y
80 sSER 542.97 8.442 0   19   2109  3  0.6721 0.9048 0.0013 224.056 0
   224.05 10.314   0      10.314

But now, there is no way to find out the 'inter flow arrival time'
from this information.
All the 'jitter' metrics are also related to the inter packet arrival time only.

Do you know if I can compute this 'inter flow arrival time' from the
racluster output? Do you think it could be a good measurement to add?
BTW I'm using argus clients 3.0.7.7 and argus 3.0.6.1

Thanks a lot for your time
sebas

More information about the argus mailing list