Exploiting dynamicity in graph-based traffic analysis: techniques and applications

Authors:
Marios Iliofotou;Michalis Faloutsos;Michael Mitzenmacher
Affiliations:
UC Riverside, Riverside, CA, USA;UC Riverside, Riverside, CA, USA;Harvard University, Cambridge, MA, USA
Venue:
Proceedings of the 5th international conference on Emerging networking experiments and technologies
Year:
2009

Citing 32
Cited 10

Characterizing large DNS traces using graphs

IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Automatically inferring patterns of resource consumption in network traffic

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Analyzing peer-to-peer traffic across large networks

IEEE/ACM Transactions on Networking (TON)
Accurate, scalable in-network identification of p2p traffic using application signatures

Proceedings of the 13th international conference on World Wide Web
Adversarial classification

Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining
Transport layer identification of P2P traffic

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
A behavioral approach to worm detection

Proceedings of the 2004 ACM workshop on Rapid malcode
FlowScan: A Network Traffic Flow Reporting and Visualization Tool

LISA '00 Proceedings of the 14th USENIX conference on System administration
On the lack of typical behavior in the global Web traffic network

WWW '05 Proceedings of the 14th international conference on World Wide Web
Internet traffic classification using bayesian analysis techniques

SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
A traffic characterization of popular on-line games

IEEE/ACM Transactions on Networking (TON)
Profiling internet backbone traffic: behavior models and applications

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
BLINC: multilevel traffic classification in the dark

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
The internet AS-level topology: three data sources and one definitive metric

ACM SIGCOMM Computer Communication Review
Traffic classification on the fly

ACM SIGCOMM Computer Communication Review
SybilGuard: defending against sybil attacks via social networks

Proceedings of the 2006 conference on Applications, technologies, architectures, and protocols for computer communications
Traffic classification using clustering algorithms

Proceedings of the 2006 SIGCOMM workshop on Mining network data
Unexpected means of protocol inference

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)

Data Mining: Practical Machine Learning Tools and Techniques, Second Edition (Morgan Kaufmann Series in Data Management Systems)
Identifying and discriminating between web and peer-to-peer traffic in the network core

Proceedings of the 16th international conference on World Wide Web
Role classification of hosts within enterprise networks based on connection patterns

ATEC '03 Proceedings of the annual conference on USENIX Annual Technical Conference
Polymorphic blending attacks

USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Network monitoring using traffic dispersion graphs (tdgs)

Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Forensic Analysis for Epidemic Attacks in Federated Networks

ICNP '06 Proceedings of the Proceedings of the 2006 IEEE International Conference on Network Protocols
Early application identification

CoNEXT '06 Proceedings of the 2006 ACM CoNEXT conference
Anomaly detection: A survey

ACM Computing Surveys (CSUR)
Internet traffic classification demystified: myths, caveats, and the best practices

CoNEXT '08 Proceedings of the 2008 ACM CoNEXT Conference
Unveiling core network-wide communication patterns through application traffic activity graph decomposition

Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Hit-list worm detection and bot identification in large networks using protocol graphs

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Measurement and estimation of network QoS among peer Xbox 360 game players

PAM'08 Proceedings of the 9th international conference on Passive and active network measurement
Analysis of communities of interest in data networks

PAM'05 Proceedings of the 6th international conference on Passive and Active Network Measurement

A flow trace generator using graph-based traffic classification techniques

Proceedings of the 6th International Wireless Communications and Mobile Computing Conference
BotGrep: finding P2P bots with structured graph analysis

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
Graption: A graph-based P2P traffic classification framework for the internet backbone

Computer Networks: The International Journal of Computer and Telecommunications Networking
BotTrack: tracking botnets using NetFlow and PageRank

NETWORKING'11 Proceedings of the 10th international IFIP TC 6 conference on Networking - Volume Part I
Discriminating graphs through spectral projections

Computer Networks: The International Journal of Computer and Telecommunications Networking
Traffic causality graphs: profiling network applications through temporal and spatial causality of flows

Proceedings of the 23rd International Teletraffic Congress
Traffic dispersion graph based anomaly detection

Proceedings of the Second Symposium on Information and Communication Technology
A Modular Machine Learning System for Flow-Level Traffic Classification in Large Networks

ACM Transactions on Knowledge Discovery from Data (TKDD)
Detecting malware with graph-based methods: traffic classification, botnets, and facebook scams

Proceedings of the 22nd international conference on World Wide Web companion
Synoptic graphlet: bridging the gap between supervised and unsupervised profiling of host-level network traffic

IEEE/ACM Transactions on Networking (TON)

Quantified Score

Hi-index	0.00

Visualization

Abstract

Network traffic can be represented by a Traffic Dispersion Graph (TDG) that contains an edge between two nodes that send a particular type of traffic (e.g., DNS) to one another. TDGs have recently been proposed as an alternative way to interpret and visualize network traffic. Previous studies have focused on static properties of TDGs using graph snapshots in isolation. In this work, we represent network traffic with a series of related graph instances that change over time. This representation facilitates the analysis of the dynamic nature of network traffic, providing additional descriptive power. For example, DNS and P2P graph instances can appear similar when compared in isolation, but the way the DNS and P2P TDGs change over time differs significantly. To quantify the changes over time, we introduce a series of novel metrics that capture changes both in the graph structure (e.g., the average degree) and the participants (i.e., IP addresses) of a TDG. We apply our new methodologies to improve graph-based traffic classification and to detect changes in the profile of legacy applications (e.g., e-mail).