Detection of a TCP SYN scan
As an example of how the probe data are analysed, we show the TCP handshake and the TCP teardown here:

This picture is based on Tcp-handshake.png and Tcp-teardown.png from the free encyclopaedia Wikipedia and is licensed under the GNU Free Documentation License. The authors of the pictures can be found at the web sites cited there.
In a TCP handshake a SYN/ACK packet follows each SYN packet, so the ratio between SYN packets and SYN/ACK packets should be 1:1. Each connection is closed by a TCP teardown. The teardown is initiated by sending a FIN/ACK packet and is confirmed by a FIN/ACK packet from the receiver. The ACK packets that complete the handshake and the teardown cannot be distinguished by IAS from the regular ACK packets that acknowledge data, and are therefore not counted.
Since every connection contributes one SYN, one SYN/ACK and two FIN/ACK packets, the packets involved in TCP handshakes and teardowns are distributed, in the ideal case, as 25% SYN, 25% SYN/ACK and 50% FIN/ACK.
SYN: 28% 2,958,989 (yellow)
SYN/ACK: 24% 2,499,114 (cyan)
FIN/ACK: 39% 3,517,614
FIN/ACK/PSH: 4% 371,406
FIN: 0% 7
RST: 3% 312,021
RST/ACK: 3% 306,008
The data show that not every attempt to establish a connection succeeds and that not every connection is closed by a regular teardown.
The RST packets result from aborted connections and from connection attempts to closed ports.
On the basis of these ratios, an anomaly can be detected by comparing them over short time intervals.
The following time diagram shows the distribution of TCP connection control packets over one day:
SYN: 44% 8,005 (yellow)
SYN/ACK: 16% 2,863 (cyan)
FIN/ACK: 26% 4,601
FIN/ACK/PSH: 3% 551
FIN: 0% 0
RST: 2% 374
RST/ACK: 9% 1,645
On this day the SYN share is almost three times the SYN/ACK share instead of 1:1, and the RST/ACK share rises to 9%: many SYNs, few SYN/ACKs and an RST/ACK for every closed port is exactly what a SYN scan looks like on the line. This demonstrates that IAS can display both the current state of the connections and abrupt changes such as this one.
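The ratio check described above, as an added example that is not part of IAS: it reads tcpdump-style lines (constructed here, not captured), counts the same packet categories the text uses per time bin while ignoring pure ACKs as IAS does, and flags bins whose SYN to SYN/ACK ratio departs from the expected 1:1 or whose RST share is high. The thresholds, the addresses and the sample traffic are assumptions.

```python
"""SYN-scan detection from the ratio of TCP control packets.

Added example, not IAS code: reads tcpdump-style lines, counts the packet
categories the text uses (pure ACKs are ignored, as in IAS) per time bin,
and flags bins whose SYN : SYN/ACK ratio departs from the expected 1:1
or whose RST share is high. Thresholds and sample traffic are assumptions.
"""
import re
from collections import Counter

# tcpdump flag letters: S=SYN, .=ACK, F=FIN, P=PSH, R=RST, U=URG, E=ECE, W=CWR
LINE_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ IP \S+ > \S+: Flags \[([SFPRU.EW]*)\]")

# Flag combinations -> categories used in the text. Anything else (e.g. '.') is ignored.
CATEGORIES = {
    frozenset("S"): "SYN",
    frozenset("S."): "SYN/ACK",
    frozenset("F."): "FIN/ACK",
    frozenset("FP."): "FIN/ACK/PSH",
    frozenset("F"): "FIN",
    frozenset("R"): "RST",
    frozenset("R."): "RST/ACK",
}


def classify(flags):
    """Map a tcpdump flag string such as 'S.' to a category, or None if not counted."""
    return CATEGORIES.get(frozenset(flags))


def bin_counts(lines, interval_s=60):
    """Count control packets per interval: {bin_start_seconds: Counter}."""
    bins = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, flags = m.groups()
        category = classify(flags)
        if category is None:
            continue
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        bins.setdefault(t - t % interval_s, Counter())[category] += 1
    return bins


def find_anomalies(bins, max_syn_ratio=2.0, max_rst_share=0.10, min_packets=20):
    """Return (bin_start, syn_ratio, rst_share) for bins that violate the thresholds.

    A SYN scan shows up as many SYNs with few SYN/ACKs plus an RST/ACK from
    every closed port; a normal bin sits near ratio 1.0 with a small RST share.
    """
    hits = []
    for start, c in sorted(bins.items()):
        total = sum(c.values())
        if total < min_packets:
            continue
        syn_ratio = c["SYN"] / max(c["SYN/ACK"], 1)
        rst_share = (c["RST"] + c["RST/ACK"]) / total
        if syn_ratio > max_syn_ratio or rst_share > max_rst_share:
            hits.append((start, round(syn_ratio, 2), round(rst_share, 2)))
    return hits


def sample_lines():
    """Constructed tcpdump-style traffic: one normal minute, then one minute of SYN scan."""
    def pkt(t, flags, src, dst):
        return (f"{t // 3600:02d}:{t % 3600 // 60:02d}:{t % 60:02d}.000000 "
                f"IP {src} > {dst}: Flags [{flags}], length 0")
    lines = []
    # 10:00 - twenty complete connections: handshake, data ACK, teardown
    for i in range(20):
        t, client, server = 36000 + i, "10.0.0.5.40000", "10.0.0.9.80"
        lines += [pkt(t, "S", client, server), pkt(t, "S.", server, client), pkt(t, ".", client, server),
                  pkt(t, "F.", client, server), pkt(t, "F.", server, client), pkt(t, ".", client, server)]
    # 10:01 - one host probes ports 1..60 of the server: 3 open, 57 closed
    for port in range(1, 61):
        t, scanner, target = 36060 + port // 10, "10.0.0.66.55555", f"10.0.0.9.{port}"
        lines.append(pkt(t, "S", scanner, target))
        if port in (22, 25, 53):
            lines.append(pkt(t, "S.", target, scanner))
            lines.append(pkt(t, "R", scanner, target))   # scanner drops the half-open connection
        else:
            lines.append(pkt(t, "R.", target, scanner))  # closed port answers the SYN with RST/ACK
    return lines


if __name__ == "__main__":
    for start, ratio, share in find_anomalies(bin_counts(sample_lines())):
        print(f"{start // 3600:02d}:{start % 3600 // 60:02d}  SYN:SYN/ACK = {ratio}  RST share = {share}")
```

The normal minute comes out at a ratio of 1.0 with no RSTs, the scan minute at a ratio of 20 with almost half of the control packets being RST/ACKs from closed ports. On a real link the bin length and the thresholds have to be tuned to the traffic mix, and bins with very few packets are skipped so that a single failed connection does not trigger an alarm.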
Browser statistic
A very interesting statistic is the one on browser usage:
Conventional web browser statistics are collected by analysing log files: the web server stores the value of the HTTP User-Agent header in its log files.
Evaluation software such as awstats parses these log files and displays, among other information, which web browsers were used. But such statistics only cover the browsers of the visitors of one specific web server.
IAS also evaluates the User-Agent header, but it does so on the line, which yields a quite different kind of statistic. For log-file evaluation the user group consists of the users of that web server; for the IAS evaluation the user group consists of the users who share the monitored line.
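Evaluating the User-Agent header on the line, as an added example that is not IAS code: every TCP payload that starts an HTTP/1.x request is parsed, its User-Agent header extracted and counted by coarse browser family, regardless of which server the request is going to. The payloads, the family rules and the TLS fragment below are constructed assumptions.

```python
"""Browser statistic from HTTP requests seen on the line.

Added example, not IAS code: for every TCP payload that starts an HTTP/1.x
request, extract the User-Agent header and count coarse browser families.
Because this looks at the wire rather than one server's log, any request on
the monitored link is counted, whichever server it is going to.
"""
import re
from collections import Counter

REQUEST_LINE_RE = re.compile(rb"^(?:GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

# Order matters: Opera of that era also announces itself as 'MSIE', so test it first.
FAMILY_RULES = [
    (re.compile(r"^Wget/"), "wget"),
    (re.compile(r"Opera[ /](\d+)"), "Opera {}"),
    (re.compile(r"MSIE (\d+)"), "IE {}"),
    (re.compile(r"Firefox/(\d+\.\d+)"), "Firefox {}"),
    (re.compile(r"^Mozilla/"), "other Mozilla"),
]

# Constructed sample payloads: the first segment of each stream as seen on the line.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: www.example.org\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0 "
    b"(X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1\r\nAccept: */*\r\n\r\n",
    b"GET /daily.cvd HTTP/1.0\r\nUser-Agent: Wget/1.10.2\r\nHost: db.example.org\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: www.example.org\r\n"
    b"user-agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; en) Opera 8.50\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.org\r\nContent-Length: 0\r\n\r\n",  # no User-Agent
    b"\x16\x03\x01\x00\x8c\x01\x00\x00\x88\x03\x01",  # TLS ClientHello: not HTTP, must be skipped
]


def parse_request(payload):
    """Return the headers (lower-cased names) of an HTTP request, or None if the
    payload is not the start of an HTTP/1.x request (TLS, a later segment, ...)."""
    if not REQUEST_LINE_RE.match(payload):
        return None
    head, _, _body = payload.partition(b"\r\n\r\n")
    headers = {}
    for raw in head.split(b"\r\n")[1:]:          # skip the request line itself
        name, colon, value = raw.partition(b":")
        if colon:                                 # header names are case-insensitive
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def browser_family(user_agent):
    """Map a User-Agent string to a coarse family label; None means the header was absent."""
    if user_agent is None:
        return "no User-Agent"
    for rule, label in FAMILY_RULES:
        m = rule.search(user_agent)
        if m:
            return label.format(*m.groups())
    return "unknown"


def count_families(payloads):
    """Count browser families over all HTTP requests among the payloads.
    Non-HTTP payloads are skipped; inbound and outbound requests are counted alike."""
    counts = Counter()
    for payload in payloads:
        headers = parse_request(payload)
        if headers is None:
            continue
        counts[browser_family(headers.get("user-agent"))] += 1
    return counts


if __name__ == "__main__":
    for family, n in count_families(SAMPLE_REQUESTS).most_common():
        print(f"{family:15s} {n}")
```

Two things the log-file approach hides are visible here: requests that carry no User-Agent at all still count as traffic on the line, and a User-Agent is only ever a claim made by the client, so the rules classify what the client says it is, not what it is.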
The following graphics show the distribution of browser usage (inbound and outbound accumulated) for the IT faculty between mid-August 2005 and the beginning of 2006.
We can see that IE 6 and Mozilla Firefox dominate the traffic.
A separate analysis of inbound and outbound traffic is in preparation.
Looking at the graphs, the faculty's complete WWW traffic can be estimated. The noticeable dips in traffic result from periods in which regular operation of the faculty was limited.
Regular operation, and especially use of the student pools, starts slowly from here. The three noticeable dips result from the two bridge days (German Unity Day and All Saints' Day) and from the three Christmas days.
Very interesting in this context: wget does not seem to be much impressed by public holidays. This is because wget is often used in scripts that download files at fixed intervals, for example virus scanner updates or the newest files for a mirror server.
Observation of the CME-151 worm (Sober)
Indicators for the worm CME-151, known as a Sober variant, can be found in the IAS data.
(See also: MS05-039)
The worm first appeared on 6 October 2005. It distributes itself through its own SMTP engine and spreads as a UPX-packed Windows PE executable (.exe).
The attachment can be identified from the Content-Type of the parts of a multipart message.
The clearly noticeable jump in incoming e-mails with attachments is a reliable indicator of the worm's outbreak.
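Counting such mails from the MIME structure, as an added example that is not IAS code: constructed SMTP messages are parsed with the standard library's email parser, attachment parts are classified by content (DOS MZ magic and the section names UPX writes, a heuristic rather than a full PE parser), and the hour in which mails carrying an executable jump above the earlier baseline is reported. The messages, the stand-in attachment bytes and the thresholds are assumptions; nothing here is the worm's own code.

```python
"""Count incoming mails with executable attachments per hour and spot the jump.

Added example, not IAS code. The messages and the attachment bytes are
constructed; the UPX check is a heuristic on the section names UPX writes.
"""
import base64
import email
from collections import Counter
from email import policy
from email.utils import parsedate_to_datetime


def fake_upx_pe():
    """Constructed stand-in for a UPX-packed PE file: DOS 'MZ' magic, a 'PE\\0\\0'
    signature and the 'UPX0'/'UPX1' section names. Not executable code."""
    return (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 20
            + b"UPX0" + b"\x00" * 4 + b"UPX1" + b"\x00" * 64)


def looks_like_upx_pe(data):
    """Heuristic indicator: starts with 'MZ' and names a UPX section near the top."""
    head = data[:4096]
    return head[:2] == b"MZ" and (b"UPX0" in head or b"UPX1" in head)


def build_mail(hour, attachment=None, filename=None):
    """Constructed message as received via SMTP on 6 Oct 2005 at the given hour."""
    head = (f"Date: Thu, 06 Oct 2005 {hour:02d}:15:00 +0200\r\n"
            "From: sender@example.org\r\nTo: rcpt@example.net\r\nSubject: hello\r\nMIME-Version: 1.0\r\n")
    if attachment is None:
        return (head + "Content-Type: text/plain\r\n\r\nhi\r\n").encode()
    b64 = base64.b64encode(attachment).decode()
    return (head + 'Content-Type: multipart/mixed; boundary="XX"\r\n\r\n'
            "--XX\r\nContent-Type: text/plain\r\n\r\nsee attachment\r\n"
            f'--XX\r\nContent-Type: application/octet-stream; name="{filename}"\r\n'
            "Content-Transfer-Encoding: base64\r\n"
            f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n{b64}\r\n--XX--\r\n').encode()


def classify_mail(raw):
    """Return (hour, label); label is 'pe-upx', 'pe', 'attachment' or 'plain'.
    Attachments are judged by content, not by the file name the sender chose."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hour = parsedate_to_datetime(str(msg["Date"])).hour
    label = "plain"
    if msg.is_multipart():                       # only multipart mails carry attachments
        for part in msg.walk():
            if part.is_multipart() or part.get_filename() is None:
                continue
            data = part.get_payload(decode=True) or b""
            if looks_like_upx_pe(data):
                return hour, "pe-upx"
            if data[:2] == b"MZ":
                label = "pe"
            elif label == "plain":
                label = "attachment"
    return hour, label


def hourly_counts(mails):
    """{hour: Counter of labels} over all mails."""
    counts = {}
    for raw in mails:
        hour, label = classify_mail(raw)
        counts.setdefault(hour, Counter())[label] += 1
    return counts


def detect_jump(counts, factor=3.0, min_mails=5):
    """Hours in which mails carrying a PE executable reach at least min_mails and
    factor times the mean of all earlier hours (both thresholds are assumptions)."""
    hits, history = [], []
    for hour in sorted(counts):
        n = counts[hour]["pe-upx"] + counts[hour]["pe"]
        if history and n >= max(min_mails, factor * sum(history) / len(history)):
            hits.append(hour)
        history.append(n)
    return hits


def sample_mails():
    """Constructed inbound traffic: a quiet morning, then a burst of UPX-packed .exe attachments."""
    mails = []
    for hour in range(8, 12):
        mails += [build_mail(hour), build_mail(hour, b"%PDF-1.4 ...", "report.pdf")]
    mails.append(build_mail(12, fake_upx_pe(), "mail.exe"))
    mails += [build_mail(13, fake_upx_pe(), f"doc{i}.exe") for i in range(12)]
    return mails


if __name__ == "__main__":
    counts = hourly_counts(sample_mails())
    for hour in sorted(counts):
        print(f"{hour:02d}:00  {dict(counts[hour])}")
    print("jump at hours:", detect_jump(counts))
```

Classifying by content rather than by Content-Type or file name matters because a sender controls both headers; the MZ magic and the UPX section names are properties of the bytes actually delivered. The baseline comparison needs at least one earlier hour and a minimum absolute count, otherwise a single executable in an otherwise quiet hour would be reported as an outbreak.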