Thousands of diverse applications and services flow daily over networks used by governments, industry, and private users. Attacks can be hidden within these information flows by disguising network traffic to make it look legitimate. Generally, the TCP or UDP port numbers over which communication is established can be mapped to specific network services. For instance, TCP port 80 is usually associated with HTTP traffic. However, intruders can disguise unauthorized activity by using non-standard ports, or standard ports in non-standard ways, to avoid detection.
The Network Security Research Group at the Communication Research Centre (CRC) is working to identify flows of information that disguise attacks. Research and experiments with an in-house proof-of-concept tool have shown that common applications and services have signature-like features that can be identified. Differences between observed and known signatures can indicate that an attack is underway. Research challenges include finding these differences in high-speed, high-volume network links and within protocols that are intended to obscure the details of the information carried.
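The port-versus-signature comparison described above can be sketched as follows. This is an added example, not the CRC tool: the payload-prefix patterns are an assumed stand-in for its "signature-like features", and the names `PORT_SERVICE`, `SIGNATURES`, `identify` and `check_flow` and the sample flows are constructed for illustration.

```python
import re

# Well-known destination port -> service normally found there (IANA assignments).
PORT_SERVICE = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

# Assumed signatures: patterns over the first bytes the client sends.
SIGNATURES = {
    "http": re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n"),
    "ssh": re.compile(rb"^SSH-\d\.\d+-"),
    # TLS record: type 0x16 (handshake), version 3.x, 2-byte length, ClientHello (0x01).
    "tls": re.compile(rb"^\x16\x03[\x00-\x04]..\x01", re.S),
    "smtp": re.compile(rb"^(EHLO|HELO) ", re.I),
}

def identify(payload):
    """Return the service whose signature matches the payload, or None."""
    for service, pattern in SIGNATURES.items():
        if pattern.match(payload):
            return service
    return None

def check_flow(dst_port, payload):
    """Compare the service expected on dst_port with the one observed in the payload."""
    expected = PORT_SERVICE.get(dst_port)
    observed = identify(payload)
    if expected is None:
        # Port has no mapping here: a recognised service is running off its usual port.
        verdict = "known-service-on-nonstandard-port" if observed else "unclassified"
    elif observed == expected:
        verdict = "consistent"
    else:
        # Standard port used in a non-standard way (wrong or unrecognised protocol).
        verdict = "mismatch"
    return expected, observed, verdict

# Constructed sample flows: (destination port, first client payload bytes).
FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
    (443, b"\x8f\x21\x07\xaa\x10\x5c"),
    (8022, b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for port, payload in FLOWS:
        print(port, check_flow(port, payload))
```

Prefix matching of this kind only works while the first bytes are in the clear; protocols that encrypt or obfuscate their payload are the harder case the paragraph above names as a research challenge.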