HAL will be down for maintenance from Friday, June 10 at 4pm through Monday, June 13 at 9am. More information
Skip to Main content Skip to Navigation
Conference papers

Passive Remote Source NAT Detection Using Behavior Statistics Derived from NetFlow

Abstract : Network Address Translation (NAT) is a technique commonly employed in today’s computer networks. NAT allows multiple devices to hide behind a single IP address. From a network management and security point of view, NAT may not be desirable or permitted as it allows rogue and unattended network access. In order to detect rogue NAT devices, we propose a novel passive remote source NAT detection approach based on behavior statistics derived from NetFlow. Our approach utilizes 9 distinct features that can directly be derived from NetFlow records. Furthermore, our approach does not require IP address information, but is capable of operating on anonymous identifiers. Hence, our approach is very privacy friendly. Our approach requires only a 120 seconds sample of NetFlow records to detect NAT traffic within the sample with a lower-bound accuracy of 89.35%. Furthermore, our approach is capable of operating in real-time.
Complete list of metadata

Cited literature [22 references]  Display  Hide  Download

Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Tuesday, March 14, 2017 - 5:06:16 PM
Last modification on : Tuesday, March 14, 2017 - 5:12:29 PM
Long-term archiving on: : Thursday, June 15, 2017 - 3:13:59 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Sebastian Abt, Christian Dietz, Harald Baier, Slobodan Petrović. Passive Remote Source NAT Detection Using Behavior Statistics Derived from NetFlow. 7th International Conference on Autonomous Infrastructure (AIMS), Jun 2013, Barcelona, Spain. pp.148-159, ⟨10.1007/978-3-642-38998-6_18⟩. ⟨hal-01489964⟩



Record views


Files downloads