Document Type

Technical Report

Publication Date



Computer networks -- Management, Computers -- Access control, Computer networks -- Security measures, Intrusion detection systems (Computer security), Anomaly detection (Computer security)


Ourmon is a near real-time network monitoring and anomaly detection system that captures packets using port-mirroring on Ethernet switches. It primarily displays data via web graphics, using either RRDTOOL stripcharts or histograms for top-talker-style graphs. We have developed a theory that network scanning launched primarily by worm programs, including TCP and UDP scanners, may be caught by monitoring network control data, including TCP control packets (SYNs, FINs, RESETs) and ICMP errors, or by monitoring certain carefully chosen metadata such as the flow count itself. In this paper we concentrate on TCP and present a “flow tuple” focused on TCP control data, along with some new metrics and a novel reporting scheme called a port signature report. We illustrate our ideas with examples of attacks as shown by the Ourmon system, and relate those examples to our control theory ideas.


Portland State University Computer Science Department Technical Report #04-04, January 2005.

Persistent Identifier