Research Article
Efficient Extraction of Network Event Types from NetFlows
Table 1
Distribution of the communication data captured in a university network across selected, potentially malicious, event classes (number of IP addresses, events and flows per class).
| Event type | Severity | #IPs | #events | #flows |
|---|---|---|---|---|
| ssh cracking | 9 | 149 | 3412 | 291538 |
| ssh cracking response | 9 | 143 | 3406 | 287686 |
| port scan (in/out, tcp) | 7 | 996 | 17463 | 21732 |
| port scan (tcp) | 7 | 539 | 1486 | 125799 |
| port scan (vertical, tcp) | 7 | 4 | 6 | 1485 |
| dns tunnel-like behavior | 6 | 6 | 14 | 14 |
| dns tunnel-responses-like behavior | 6 | 4 | 6 | 6 |
| p2p-like behavior (tcp) | 6 | 238 | 1009 | 215333 |
| p2p-like behavior (udp) | 6 | 135 | 9156 | 886345 |
| p2p-responses-like behavior (tcp) | 6 | 32 | 742 | 250956 |
| p2p-responses-like behavior (udp) | 6 | 147 | 5424 | 985336 |
| data transfer (tcp) | 4 | 244 | 4639 | 108729 |
| data transfer (udp) | 4 | 94 | 793 | 26026 |
| icmp traffic | 4 | 1127 | 6370 | 93315 |
| scan-like behavior (horizontal, tcp) | 4 | 940 | 1165 | 11358 |
| scan-like behavior (horizontal, udp) | 4 | 1 | 10 | 2228 |
| scan-like behavior (vertical, tcp) | 4 | 6 | 37 | 29969 |
| scan-like behavior (vertical, udp) | 4 | 3 | 17 | 5700 |
| scan-responses-like behavior (horizontal, tcp) | 4 | 300 | 3742 | 5489 |
| scan-responses-like behavior (horizontal, udp) | 4 | 0 | 0 | 0 |
| scan-responses-like behavior (vertical, tcp) | 4 | 7 | 48 | 32785 |
| scan-responses-like behavior (vertical, udp) | 4 | 3 | 26 | 8495 |
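The three count columns in Table 1 are related by aggregation: individual NetFlow records are grouped into events, and events are attributed to source IP addresses. The following added example, which is not code from the article and does not reproduce the authors' extraction method, shows one plausible way such counts arise for the scan-like classes. It groups constructed flow records by source address, protocol and a fixed time window, labels a group horizontal scan-like when one source contacts many destinations on a fixed port and vertical scan-like when one source probes many ports on a single destination, and then summarizes the labelled events into the same (#IPs, #events, #flows) triple the table reports. The thresholds, the 300-second window and all addresses are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed parameters for this illustration; the article's own values are not given here.
WINDOW_SECONDS = 300      # flows of one source are grouped into 5-minute events
HORIZONTAL_MIN_DSTS = 10  # distinct destinations on (at most) two ports -> horizontal
VERTICAL_MIN_PORTS = 10   # distinct ports on a single destination -> vertical


@dataclass(frozen=True)
class Flow:
    """Minimal NetFlow-like record: only the fields the classifier needs."""
    ts: int      # start time in seconds
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    dport: int   # destination port
    proto: str   # "tcp" or "udp"


def group_flows(flows):
    """Bucket flows into candidate events keyed by (src, proto, time window)."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.proto, f.ts // WINDOW_SECONDS)].append(f)
    return groups


def classify_events(flows):
    """Return a list of (label, src, flows_in_event) for scan-like groups only."""
    events = []
    for (src, proto, _window), fl in group_flows(flows).items():
        dsts = {f.dst for f in fl}
        ports = {f.dport for f in fl}
        if len(dsts) >= HORIZONTAL_MIN_DSTS and len(ports) <= 2:
            label = f"scan-like behavior (horizontal, {proto})"
        elif len(ports) >= VERTICAL_MIN_PORTS and len(dsts) == 1:
            label = f"scan-like behavior (vertical, {proto})"
        else:
            continue  # neither pattern: not counted as a scan-like event
        events.append((label, src, fl))
    return events


def summarize(events):
    """Collapse events into the table's columns: distinct IPs, events, flows per class."""
    acc = defaultdict(lambda: {"ips": set(), "events": 0, "flows": 0})
    for label, src, fl in events:
        acc[label]["ips"].add(src)
        acc[label]["events"] += 1
        acc[label]["flows"] += len(fl)
    return {k: (len(v["ips"]), v["events"], v["flows"]) for k, v in acc.items()}


def build_sample_flows():
    """Constructed sample traffic (not captured data)."""
    flows = []
    # 10.0.0.5: horizontal TCP/22 sweep over 12 hosts, repeated in two windows
    for window_start in (0, 300):
        for i in range(1, 13):
            flows.append(Flow(window_start + i, "10.0.0.5", f"192.168.1.{i}", 22, "tcp"))
    # 10.0.0.7: vertical TCP scan of 15 ports on one host
    for p in range(1, 16):
        flows.append(Flow(p, "10.0.0.7", "192.168.1.50", p, "tcp"))
    # 10.0.0.8: vertical UDP scan of 12 ports on one host
    for p in range(1000, 1012):
        flows.append(Flow(p - 1000, "10.0.0.8", "192.168.1.53", p, "udp"))
    # 10.0.0.9: three ordinary flows, below both thresholds
    flows.append(Flow(5, "10.0.0.9", "192.168.1.10", 443, "tcp"))
    flows.append(Flow(6, "10.0.0.9", "192.168.1.11", 443, "tcp"))
    flows.append(Flow(7, "10.0.0.9", "192.168.1.10", 80, "tcp"))
    return flows


def run_example():
    return summarize(classify_events(build_sample_flows()))


if __name__ == "__main__":
    for label, (ips, events, nflows) in sorted(run_example().items()):
        print(f"{label:45s} #IPs={ips} #events={events} #flows={nflows}")
```

Note that the same source produces two events for the horizontal class because its sweep spans two windows, which is why #events can exceed #IPs in the table while #flows grows with the size of each sweep; a real extractor would also have to consider responses (the table's "-responses-like" classes) and bidirectional flow direction, which this example omits.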