Synoptic graphlet: bridging the gap between supervised and unsupervised profiling of host-level network traffic

Authors:
Yosuke Himura;Kensuke Fukuda;Kenjiro Cho;Pierre Borgnat;Patrice Abry;Hiroshi Esaki
Affiliations:
University of Tokyo, Tokyo, Japan;National Institute of Informatics and PRESTO, JST, Tokyo, Japan;Internet Initiative Japan, Tokyo, Japan and Keio University, Tokyo, Japan;CNRS and École Normale Supérieure de Lyon, Laboratoire de Physique, Lyon, France;CNRS and École Normale Supérieure de Lyon, Laboratoire de Physique, Lyon, France;University of Tokyo, Tokyo, Japan
Venue:
IEEE/ACM Transactions on Networking (TON)
Year:
2013

Citing 22
Cited 0

Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Internet traffic classification using bayesian analysis techniques

SIGMETRICS '05 Proceedings of the 2005 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Profiling internet backbone traffic: behavior models and applications

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
BLINC: multilevel traffic classification in the dark

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Traffic classification using clustering algorithms

Proceedings of the 2006 SIGCOMM workshop on Mining network data
Role classification of hosts within enterprise networks based on connection patterns

ATEC '03 Proceedings of the annual conference on USENIX Annual Technical Conference
Traffic data repository at the WIDE project

ATEC '00 Proceedings of the annual conference on USENIX Annual Technical Conference
Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures

Proceedings of the 2007 workshop on Large scale attack defense
Early application identification

CoNEXT '06 Proceedings of the 2006 ACM CoNEXT conference
Passive network forensics: behavioural classification of network hosts based on connection patterns

ACM SIGOPS Operating Systems Review
Unconstrained endpoint profiling (googling the internet)

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Internet traffic classification demystified: myths, caveats, and the best practices

CoNEXT '08 Proceedings of the 2008 ACM CoNEXT Conference
Unveiling core network-wide communication patterns through application traffic activity graph decomposition

Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
Challenging statistical classification for operational usage: the ADSL case

Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Exploiting dynamicity in graph-based traffic analysis: techniques and applications

Proceedings of the 5th international conference on Emerging networking experiments and technologies
Graph-based P2P traffic classification at the internet backbone

INFOCOM'09 Proceedings of the 28th IEEE international conference on Computer Communications Workshops
Profiling the end host

PAM'07 Proceedings of the 8th international conference on Passive and active network measurement
Unsupervised host behavior classification from connection patterns

International Journal of Network Management
Profiling-By-Association: a resilient traffic profiling solution for the internet backbone

Proceedings of the 6th International COnference
Internet traffic classification demystified: on the sources of the discriminative power

Proceedings of the 6th International COnference
NeTraMark: a network traffic classification benchmark

ACM SIGCOMM Computer Communication Review

Quantified Score

Hi-index	0.00

Visualization

Abstract

End-host profiling by analyzing network traffic comes out as a major stake in traffic engineering. Graphlet constitutes an efficient and common framework for interpreting host behaviors, which essentially consists of a visual representation as a graph. However, graphlet analyses face the issues of choosing between supervised and unsupervised approaches. The former can analyze a priori defined behaviors but is blind to undefined classes, while the latter can discover new behaviors at the cost of difficult a posteriori interpretation. This paper aims at bridging the gap between the two. First, to handle unknown classes, unsupervised clustering is originally revisited by extracting a set of graphlet-inspired attributes for each host. Second, to recover interpretability for each resulting cluster, a synoptic graphlet, defined as a visual graphlet obtained by mapping from a cluster, is newly developed. Comparisons against supervised graphlet-based, port-based, and payload-based classifiers with two datasets demonstrate the effectiveness of the unsupervised clustering of graphlets and the relevance of the a posteriori interpretation through synoptic graphlets. This development is further complemented by studying evolutionary tree of synoptic graphlets, which quantifies the growth of graphlets when increasing the number of inspected packets per host.