A user who wants to use a service forbidden by their site's usage policy can masquerade their packets in order to evade detection. One masquerade technique sends prohibited traffic on TCP ports commonly used by permitted services, such as port 80. Users who hide their traffic in this way pose a special challenge, since filtering by port number risks interfering with legitimate services using the same port. We propose a set of tests for identifying masqueraded peer-to-peer file-sharing based on traffic summaries (flows). Our approach is based on the hypothesis that these applications have observable behavior that can be differentiated without relying on deep packet examination. We develop tests for these behaviors that, when combined, provide an accurate method for identifying these masqueraded services without relying on payload or port number. We test this approach by demonstrating that our integrated detection mechanism can identify BitTorrent with a 72% true positive rate and virtually no observed false positives in control services (FTP-Data, HTTP, SMTP).
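To make the flow-only approach concrete, the following is an added illustration, not the paper's own tests or code. It aggregates unidirectional flow records for port-80 traffic per local host and applies three behavioural tests that are my assumptions for illustration: peer fan-out (distinct remote hosts), dual role (the host both initiates connections to port 80 and accepts connections on port 80, which a plain web client or web server does not), and byte symmetry (upload and download volumes of comparable size). The flow format, the site prefix 10.0.0.0/24, the thresholds and the majority-vote combination are all constructed assumptions; the sample flows are constructed as well.

```python
"""Flow-summary behavioural scoring for masqueraded peer-to-peer traffic on port 80.

Added example: the three tests, thresholds and flow format below are assumptions
for illustration, not the tests from the paper.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")  # assumed site prefix (constructed)
WEB_PORT = 80

# Thresholds are illustrative assumptions, not values from the paper.
MIN_PEERS = 8          # fan-out test: at least this many distinct remote hosts
SYMMETRY_MIN = 0.5     # symmetry test: min(out, in) / max(out, in) at least this
MIN_TESTS = 2          # combination rule: majority of the three tests


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


def parse_flows(text):
    """Parse 'src,sport,dst,dport,bytes' lines (a simplified, assumed flow export)."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport, nbytes = line.split(",")
        flows.append(Flow(src, int(sport), dst, int(dport), int(nbytes)))
    return flows


def is_local(addr):
    return ip_address(addr) in LOCAL_NET


def per_host_features(flows):
    """Aggregate port-80 flows between a local host and remote hosts into features."""
    feats = defaultdict(lambda: {"peers": set(), "initiates": 0, "accepts": 0, "out": 0, "in": 0})
    for f in flows:
        if WEB_PORT not in (f.sport, f.dport):
            continue
        if is_local(f.src) and not is_local(f.dst):
            h = feats[f.src]
            h["peers"].add(f.dst)
            h["out"] += f.nbytes
            # local -> remote:80 is a connection the local host initiated;
            # local:80 -> remote is the response half of one it accepted
            if f.dport == WEB_PORT:
                h["initiates"] += 1
            else:
                h["accepts"] += 1
        elif is_local(f.dst) and not is_local(f.src):
            h = feats[f.dst]
            h["peers"].add(f.src)
            h["in"] += f.nbytes
            # remote -> local:80 is a connection the local host accepted;
            # remote:80 -> local is the response half of one it initiated
            if f.dport == WEB_PORT:
                h["accepts"] += 1
            else:
                h["initiates"] += 1
    return feats


def run_tests(h):
    """Apply the three assumed behavioural tests to one host's features."""
    hi, lo = max(h["out"], h["in"]), min(h["out"], h["in"])
    symmetry = lo / hi if hi else 0.0
    return {
        "fanout": len(h["peers"]) >= MIN_PEERS,
        "dual_role": h["initiates"] > 0 and h["accepts"] > 0,
        "symmetry": symmetry >= SYMMETRY_MIN,
    }


def classify(flows):
    """Return {host: (flagged, per-test results)} using a majority vote of the tests."""
    verdicts = {}
    for host, h in per_host_features(flows).items():
        tests = run_tests(h)
        verdicts[host] = (sum(tests.values()) >= MIN_TESTS, tests)
    return verdicts


def constructed_flows():
    """Constructed sample: one masqueraded P2P node, one web client, one web server."""
    lines = ["# src,sport,dst,dport,bytes (constructed, port-80 traffic only)"]
    for i in range(1, 11):   # 10.0.0.5 connects out to ten peers on port 80
        peer = f"203.0.113.{i}"
        lines += [f"10.0.0.5,{40000 + i},{peer},80,50000", f"{peer},80,10.0.0.5,{40000 + i},45000"]
    for i in range(1, 6):    # ...and accepts five peers on its own port 80
        peer = f"198.51.100.{i}"
        lines += [f"{peer},{50000 + i},10.0.0.5,80,40000", f"10.0.0.5,80,{peer},{50000 + i},42000"]
    for i in range(1, 4):    # 10.0.0.7 is a browser: few servers, downloads dwarf uploads
        srv = f"192.0.2.{i}"
        lines += [f"10.0.0.7,{41000 + i},{srv},80,2000", f"{srv},80,10.0.0.7,{41000 + i},300000"]
    for i in range(1, 21):   # 10.0.0.9 is the site web server: many clients, accept-only
        cli = f"198.51.100.{100 + i}"
        lines += [f"{cli},{52000 + i},10.0.0.9,80,1500", f"10.0.0.9,80,{cli},{52000 + i},200000"]
    return "\n".join(lines)


if __name__ == "__main__":
    for host, (flagged, tests) in sorted(classify(parse_flows(constructed_flows())).items()):
        print(host, "FLAGGED" if flagged else "ok", tests)
```

On the constructed sample the P2P node passes all three tests, the browser passes none, and the web server passes only the fan-out test, which is the point of combining tests rather than relying on any one: fan-out alone would flag every busy server on port 80, and no test looks at payload or trusts the port number.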