I am republishing the abstract for better clarity; see it below.
Statistical Techniques for Detecting Traffic Anomalies through Packet Header Data
In this paper we detect traffic anomalies by monitoring packet header data. Attacks such as denial of service have motivated the development of techniques for characterizing network traffic. With an efficient analysis tool, the network could be protected from hostile traffic before it is attacked. We analyze network traffic using the correlation of destination IP addresses at the egress router. The address correlation data are transformed using the discrete wavelet transform to detect traffic anomalies. Results from trace-driven evaluation suggest that the proposed approach could provide an effective means of detecting anomalies close to the source. We also present a multidimensional indicator using the correlation of port numbers and the number of flows as a means of detecting anomalies.
There is no well-established existing system to prevent malicious network traffic. Many approaches have been studied to detect, prevent and mitigate malicious network traffic. For example, rule-based approaches such as an IDS (intrusion detection system) apply previously established rules to incoming traffic to detect and identify potential DoS attacks close to the victim's network. To cope with novel attacks, however, IDS tools such as Snort need to be updated with the latest rules. This paper looks at the problem of designing generalized, measurement-based, real-time detection mechanisms. Measurement-based studies have considered traffic volume and the number of flows as potential signals that can be analyzed to detect anomalies in network traffic; we further treat traffic header fields such as addresses and port numbers. Some of that work relies on input data from multiple sources (i.e., all links in a network), while our work focuses on a single link at a time. These earlier studies have considerably motivated our current study. Our study builds on this earlier work and extends the statistical analysis of traffic data to other packet header data, such as addresses and port numbers, in real time. We therefore develop this statistical analysis for detecting traffic anomalies.
In this project we are going to detect the anomalies using the following three techniques.
Traffic Analysis at the Source
General mechanism of the detector
Traffic Analysis at the Source:
We focus on analyzing the traffic at an egress router. Monitoring traffic at a source network enables early detection of attacks, helps control hijacking of AD (administrative domain, e.g., campus) machines, and limits the squandering of resources.
There are two kinds of filtering, distinguished by the point at which traffic is controlled. Ingress filtering protects the flow of traffic entering an internal network under administrative control; it is typically performed through firewall or IDS rules to control inbound traffic originating from the public Internet. Egress filtering, on the other hand, controls the flow of traffic leaving the administered network, so from the point of view of an egress filter, internal machines are typically the origin of this outbound traffic. As a result, the filtering is performed at the campus edge. Outbound filtering has been advocated for limiting the possibility of address spoofing, i.e., to make sure that source addresses correspond to the designated addresses for the campus. With such filtering in place, we can focus on destination addresses and port numbers of the outgoing traffic for analysis purposes.
General mechanism of the detector:
The first step is a traffic parser, in which the correlation signal is generated from packet header traces or NetFlow records taken as input. Fields in the packet header, such as destination addresses and port numbers, or the traffic volume, depending on the nature of the traffic, can be used as the signal. In this way we generate the signal.
The second step is to transform the signal using the discrete wavelet transform (DWT).
Analyzing discrete domains such as address spaces and port numbers poses interesting problems for wavelet analysis. We employ correlation in these domains to generate a signal suitable for analysis.
Finally, we detect the attack or anomaly by setting a threshold: the transformed signal is compared with historical data, and anomalies are flagged by statistical analysis. We report on our results employing correlation of destination addresses, port numbers and the distribution of the number of flows as monitored traffic signals.
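The three steps above (parse headers into a correlation signal, apply the DWT, threshold against an attack-free history) carried through on a constructed egress trace. This is an added example, not code from the paper or the project: the address correlation is taken here as the cosine similarity of per-interval destination-address count vectors (an assumption, one simple choice of correlation), the wavelet is a single-level Haar DWT, and the threshold is mean + 3·stdev of the detail-coefficient magnitudes over the first eight sampling intervals, which are assumed to be clean. The traffic itself is constructed inline: a slowly rotating set of destination addresses, with a flood to one address superimposed on intervals 12 and 13.

```python
"""Added example: destination-address correlation -> Haar DWT -> threshold.
Not the paper's code; the correlation measure and threshold rule are assumptions."""
import math
import statistics
from collections import Counter

ATTACK_DST = "203.0.113.9"  # constructed flood target (documentation address range)


def normal_interval(t):
    """Constructed egress traffic for sampling interval t: ten destination
    addresses that slide one step per interval, each repeated 1 to 3 times."""
    packets = []
    for j in range(10):
        a = (t + j) % 24
        packets += ["192.0.2.%d" % a] * (1 + a % 3)
    return packets


def build_trace(num_intervals=17, attack_intervals=(12, 13), flood_pkts=200):
    """One list of destination addresses per interval; a constructed flood to a
    single address is superimposed on the normal traffic in attack_intervals."""
    trace = []
    for t in range(num_intervals):
        pkts = normal_interval(t)
        if t in attack_intervals:
            pkts += [ATTACK_DST] * flood_pkts
        trace.append(pkts)
    return trace


def address_correlation(trace):
    """Step 1 (traffic parser): correlation signal from packet header data.
    Assumption: cosine similarity of the address-count vectors of consecutive
    intervals, so an unchanged address mix gives 1.0 and a new mix gives ~0."""
    counts = [Counter(pkts) for pkts in trace]
    signal = []
    for prev, cur in zip(counts, counts[1:]):
        dot = sum(prev[a] * cur[a] for a in prev.keys() & cur.keys())
        norm = math.sqrt(sum(v * v for v in prev.values())
                         * sum(v * v for v in cur.values()))
        signal.append(dot / norm if norm else 0.0)
    return signal


def haar_dwt(signal):
    """Step 2: one level of the Haar discrete wavelet transform.
    Returns (approximation, detail); a trailing unpaired sample is dropped."""
    approx, detail = [], []
    for i in range(0, len(signal) - 1, 2):
        x0, x1 = signal[i], signal[i + 1]
        approx.append((x0 + x1) / math.sqrt(2))
        detail.append((x0 - x1) / math.sqrt(2))
    return approx, detail


def detect(trace, baseline_intervals=8, k=3.0):
    """Step 3: flag detail coefficients whose magnitude exceeds mean + k*stdev
    of the magnitudes seen in the baseline (assumption: the first
    baseline_intervals intervals are known to be attack-free history)."""
    signal = address_correlation(trace)
    _, detail = haar_dwt(signal)
    _, base_detail = haar_dwt(signal[:baseline_intervals - 1])
    base_mag = [abs(d) for d in base_detail]
    threshold = statistics.mean(base_mag) + k * statistics.pstdev(base_mag)
    flagged = [i for i, d in enumerate(detail) if abs(d) > threshold]
    # Detail coefficient i spans signal samples 2i and 2i+1, i.e. the
    # transitions into intervals 2i+1 and 2i+2.
    intervals = sorted({t for i in flagged for t in (2 * i + 1, 2 * i + 2)})
    return {"threshold": threshold, "flagged_coefficients": flagged,
            "suspect_intervals": intervals}


if __name__ == "__main__":
    result = detect(build_trace())
    print("threshold %.4f" % result["threshold"])
    print("flagged detail coefficients", result["flagged_coefficients"])
    print("suspect intervals", result["suspect_intervals"])
```

On this trace the correlation sits near 0.9 while the address mix drifts slowly, drops to about 0.03 when the flood starts (the address vector changes abruptly), rises to about 1.0 while the flood persists, and drops again when it stops; the two detail coefficients covering those transitions exceed the baseline threshold, so intervals 11 to 14 are reported, which brackets the flood. Note that the interval after the flood is included because the return to normal traffic is itself a sharp change in the signal, a property to keep in mind when mapping flagged coefficients back to time.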
To verify the validity of our approach, we run our algorithm on four traces of network traffic. First, we examine our method on traces from the University of Southern California that contain real network attacks. Second, to inspect the performance of our detector on backbone links, we examine the mechanism on KREONet2 traces, which include over 230 organizations, from July 21, 2003, to July 28, 2003, and which contain real worm attacks. In the trace employed, there were three major attacks and a few instantaneous probe attacks, which had been identified in advance by various forensic traffic analyses. Third, to compare our method with Snort, we use a live network at Texas A&M University. Fourth, to evaluate the sensitivity of our detector's performance to attacks of various configurations, we employ the attack-free traces from the NLANR (National Laboratory for Applied Network Research), onto which simulated virtual attacks are later superimposed.
1. Traffic can be controlled at the incoming and outgoing router itself.
2. Accurate results are obtained with the technique described above.
3. All file uploads are maintained in the log for future use.
4. The time taken to process the traffic is also minimized.
5. As file transfers are logged, we can easily identify the attacker.
1. This is widely used in intranet settings such as universities and local workgroups.
2. This can be applied on the Internet as well.
• SYSTEM : Pentium IV 2.4 GHz
• HARD DISK : 40 GB
• FLOPPY DRIVE : 1.44 MB
• MONITOR : 15 VGA colour
• MOUSE : Logitech
• RAM : 256 MB
• KEYBOARD : 110 keys enhanced
• Operating system : Windows XP Professional
• Front End : Microsoft Visual Studio .NET 2005
• Coding Language : ASP.NET 2.0, C# 2.0
• Database : SQL Server 2000
A. Ramanathan, "WADeS: A tool for distributed denial of service attack detection," M.S. thesis, TAMU-ECE-2002-02, Aug. 2002.
NLANR measurement and operations analysis team, "NLANR Network Traffic Packet Header Traces," Aug. 2002 [Online]. Available: http://www.pma.nlanr.net/Traces/
P. Barford et al., "A signal analysis of network traffic anomalies," in ACM SIGCOMM Internet Measurement Workshop, Nov. 2002.
T. M. Gil and M. Poletto, "MULTOPS: A data-structure for bandwidth attack detection," in USENIX Security Symp., Aug. 2001.
J. Mirkovic, G. Prier, and P. Reiher, "Attacking DDoS at the source," in IEEE Int. Conf. Network Protocols, Nov. 2002.
1. Controlling high bandwidth aggregates in the network.
2. New directions in traffic measurement.
3. Wavelet Methods for Time Series analysis.
4. A network traffic flow reporting and visualization.
5. Diagnosing network-wide traffic anomalies.