A Method for Malicious Network Packet Detection based on Anomalous TTL Values

Abstract

In the current digital age, a pervasive shift towards digitalization is evident in all aspects of life, encompassing entertainment, education, business, and more. Consequently, the demand for internet access has surged, paralleled therefore unfortunate escalation in cybercrimes. This study undertakes an exploration into the intrinsic nature of network packets, aiming to discern their potential for malice or legitimacy. In the internet, 32 intermediate nodes are encountered by a Network packet before it reaches its final host. Our findings suggest that the time-to-live (TTL) parameter in certain IP packets diverges from the initial TTL by more than 32 intermediary hops. It's likely that these packets are generated by specialized software. We anticipate that malicious IP packets exhibit unconventional TTL values, influenced by factors such as the source machine's operating system and protocols like TCP/ICMP/UDP, etc. To gauge the effectiveness and value of the proposed method, an experiment was conducted utilizing the SNORT NIDS system. Filtering rules based on signatures were formulated to thoroughly analyze the traffic. Real network data, along with DARPA and MACCDC 2012 datasets, were employed as inputs for the SNORT NIDS, and it has been observed that the suggested approach successfully detects the anomalous network packets.