Document Type

Technical Report

Publication Date



Computer networks -- Management, Computers -- Access control, Computer networks -- Security measures, Intrusion detection systems (Computer security), Algorithms


We present a custom UDP flow tuple with an IP address key and a set of simple related statistical attributes. Attributes are used to calculate a per host metric called the UDP work weight which roughly measures the amount of network noise caused by a host. The work weight is used to produce a near real-time sorted top N report for UDP host tuples. We also present a derived attribute based on an algorithm called the UDP guesstimator. The UDP guesstimator roughly classifies port report hosts into various traffic categories including security threats (DOS/scanning) or P2P hosts based on high UDP work weights and other flow attributes. This algorithm does not use Layer 7 data and only relies on Layer 3 and Layer 4 statistics taken from the UDP flow tuple. Although we believe the algorithm to be fairly effective, we discuss several common sources of false positives including DNS servers, and P2P systems whichmay sometimes appear to be scanners. We also briefly present an experiment that has attempted to determine P2P applications based on UDP packet size histogram bins.


Portland State University Computer Science Department Technical Report #08-07, 2008.

Persistent Identifier