Classification Models on tcpdump

• Adding temporal features for better models:

  • Examine all connections in the past n seconds, and count:
    • the number of connection errors, all other errors, connections to system services, user applications, and connection to the same service as the current connection
    • average duration and data bytes of all connections; and the same averages of connections to the same service.

Previous slide

Next slide

Back to first slide

View graphic version