Unsupervised host behavior classification from connection patterns

Authors:
Guillaume Dewaele;Yosuke Himura;Pierre Borgnat;Kensuke Fukuda;Patrice Abry;Olivier Michel;Romain Fontugne;Kenjiro Cho;Hiroshi Esaki
Affiliations:
Laboratoire de Physique de l'ENS de Lyon, CNRS, UMR, ENSL, Lyon, France;Graduate School of Information Science and Technology, University of Tokyo, Tokyo, Japan;Laboratoire de Physique de l'ENS de Lyon, CNRS, UMR, ENSL, Lyon, France;National Institute of Informatics, PRESTO, JST, Tokyo, Japan;Laboratoire de Physique de l'ENS de Lyon, CNRS, UMR, ENSL, Lyon, France;Gipsa-lab, CNRS, UMR, Saint Martin d'Hères, France;National Institute of Informatics, Graduate University for Advanced Studies, Tokyo, Japan;Internet Initiative Japan, Tokyo, Japan;Graduate School of Information Science and Technology, University of Tokyo, Tokyo, Japan
Venue:
International Journal of Network Management
Year:
2010

Citing 20
Cited 2

Elements of information theory

Elements of information theory
Random Graphs for Statistical Pattern Recognition

Random Graphs for Statistical Pattern Recognition
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Internet traffic classification using bayesian analysis techniques

SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Profiling internet backbone traffic: behavior models and applications

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
BLINC: multilevel traffic classification in the dark

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Diffusion Maps and Coarse-Graining: A Unified Framework for Dimensionality Reduction, Graph Partitioning, and Data Set Parameterization

IEEE Transactions on Pattern Analysis and Machine Intelligence
Traffic classification using clustering algorithms

Proceedings of the 2006 SIGCOMM workshop on Mining network data
Traffic data repository at the WIDE project

ATEC '00 Proceedings of the annual conference on USENIX Annual Technical Conference
Analysis of internet backbone traffic and header anomalies observed

Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures

Proceedings of the 2007 workshop on Large scale attack defense
Passive network forensics: behavioural classification of network hosts based on connection patterns

ACM SIGOPS Operating Systems Review
Unconstrained endpoint profiling (googling the internet)

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
On the History of the Minimum Spanning Tree Problem

IEEE Annals of the History of Computing
Some properties of Rényi entropy and Rényi entropy rate

Information Sciences: an International Journal
Internet traffic classification demystified: myths, caveats, and the best practices

CoNEXT '08 Proceedings of the 2008 ACM CoNEXT Conference
Review: Application classification using packet size distribution and port association

Journal of Network and Computer Applications
Early recognition of encrypted applications

PAM'07 Proceedings of the 8th international conference on Passive and active network measurement
Estimating routing symmetry on single links by passive flow measurements

Proceedings of the 6th International Wireless Communications and Mobile Computing Conference

A supervised machine learning approach to classify host roles on line using sFlow

Proceedings of the first edition workshop on High performance and programmable networking
Synoptic graphlet: bridging the gap between supervised and unsupervised profiling of host-level network traffic

IEEE/ACM Transactions on Networking (TON)

Quantified Score

Hi-index	0.00

Visualization

Abstract

A novel host behavior classification approach is proposed as a preliminary step toward traffic classification and anomaly detection in network communication. Although many attempts described in the literature were devoted to flow or application classifications, these approaches are not always adaptable to the operational constraints of traffic monitoring (expected to work even without packet payload, without bidirectionality, on high-speed networks or from flow reports only, etc.). Instead, the classification proposed here relies on the leading idea that traffic is relevantly analyzed in terms of host typical behaviors: typical connection patterns of both legitimate applications (data sharing, downloading, etc.) and anomalous (eventually aggressive) behaviors are obtained by profiling traffic at the host level using unsupervised statistical classification. Classification at the host level is not reducible to flow or application classification, and neither is the contrary: they are different operations which might have complementary roles in network management. The proposed host classification is based on a nine-dimensional feature space evaluating host Internet connectivity, dispersion and exchanged traffic content. A minimum spanning tree (MST) clustering technique is developed that does not require any supervised learning step to produce a set of statistically established typical host behaviors. Not relying on a priori defined classes of known behaviors enables the procedure to discover new host behaviors, that potentially were never observed before. This procedure is applied to traffic collected over the entire year of 2008 on a transpacific (Japan/USA) link. A cross-validation of this unsupervised classification against a classical port-based inspection and a state-of-the-art method provides assessment of the meaningfulness and the relevance of the obtained classes for host behaviors. Copyright © 2010 John Wiley & Sons, Ltd.