How to figure out whether a download or upload is in progress on a Linux system

1

I've written an anomaly detection program that recognizes abnormal traffic on a system, but it sometimes detects normal download or upload traffic as abnormal. Is there any way to check whether a download or upload is currently in progress, to reduce these false positives?

Mjina

Posted 2014-10-15T05:59:38.637

Reputation: 123

http://askubuntu.com/questions/257263/how-to-display-network-traffic-in-terminal try this, might help – Premkumar – 2014-10-15T06:20:03.123

Can you show us some of how you have approached it? – Pogrindis – 2014-10-15T07:23:58.933

@Pogrindis: I've used the kNN algorithm on data that contain 3 parameters: CPU, (network traffic) transmitted bytes and received bytes – Mjina – 2014-10-15T08:00:59.067

@Mjina and what is your definition of abnormal traffic? Could you identify the procID/runtime of the download / upload process? – Pogrindis – 2014-10-15T08:03:09.617

@Pogrindis: I use kNN as a machine learning method, so it is trained with normal data and abnormal data, and is then expected to detect abnormal traffic. The problem is that downloads and uploads are sometimes so fast that they resemble an attack like DoS, which raises the traffic rates. Your second question is just what I'm looking for: how to identify the process which is downloading/uploading?! – Mjina – 2014-10-15T08:11:52.140

Answers

2

The best answer I can think of, and it will require some input from you in order to work with the data, is nethogs!

Install nethogs (should be in repo)

And it will work like this :

nethogs
nethogs eth1
nethogs [option] eth0 eth1
nethogs [option] eth0 eth1 ppp0
sudo /usr/sbin/nethogs eth0

You will end up with something like this :

Nethogs output

With this you will be able to identify the procID which is using the most upload and download.

You can also identify all of the NICs and see them listed as one with an identifying network controller:

The next step is where I'm not sure... You might need to create some parser of the info, set up a cron job and feed it into your abnormal traffic analyzer.

Sorry it's not a complete solution, but it's the only idea I have right now!

Pogrindis

Posted 2014-10-15T05:59:38.637

Reputation: 149

Is it possible to run it remotely on a system? I didn't find this possibility in its man page. – Mjina – 2014-10-20T14:12:12.493
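The parser step the answer leaves open, as an added example that is not part of the original post: it reads nethogs' machine-readable trace mode (`nethogs -t`) and attributes a traffic burst to the process responsible, so the anomaly detector can tell a known downloader from an unexplained spike. The record layout assumed here is `program/pid/uid<TAB>sent KB/s<TAB>received KB/s` after each `Refreshing:` line; the sample output is constructed, not captured.

```python
"""Attribute a network burst to a process from nethogs trace output."""
from dataclasses import dataclass

# Constructed sample of `nethogs -t` output (two refresh cycles).
SAMPLE = (
    "Refreshing:\n"
    "/usr/bin/wget/4242/1000\t0.500\t2048.000\n"
    "/usr/sbin/sshd/311/0\t1.200\t0.800\n"
    "unknown TCP/0/0\t0.000\t0.000\n"
    "Refreshing:\n"
    "/usr/sbin/sshd/311/0\t1.100\t0.900\n"
)

@dataclass
class ProcRate:
    program: str
    pid: int
    uid: int
    sent_kbps: float
    recv_kbps: float

    def total(self):
        return self.sent_kbps + self.recv_kbps

def parse_nethogs_trace(text):
    """Return one list of ProcRate per 'Refreshing:' snapshot."""
    snapshots, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Refreshing:"):
            current = []
            snapshots.append(current)
        elif current is not None and line.count("\t") == 2:
            ident, sent, recv = line.split("\t")
            # Split from the right: the program path may itself contain "/".
            program, pid, uid = ident.rsplit("/", 2)
            current.append(ProcRate(program, int(pid), int(uid),
                                    float(sent), float(recv)))
    return snapshots

def attribute_burst(snapshot, threshold_kbps):
    """If total traffic exceeds threshold_kbps, return (program, pid, share)
    for the top talker; share is its fraction of the total. PID 0 means
    nethogs could not map the flow to a process ('unknown'), which an
    analyzer should treat as unexplained rather than benign."""
    total = sum(p.total() for p in snapshot)
    if total < threshold_kbps:
        return None
    top = max(snapshot, key=ProcRate.total)
    return (top.program, top.pid, top.total() / total)
```
A cron job that runs `nethogs -t -c 1` and pipes its output through `parse_nethogs_trace` gives the detector a per-PID explanation for each spike; a burst attributed to a package manager or backup client can then be whitelisted while a burst with PID 0 stays flagged.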