While the problem of analyzing network traffic at the granularity of individual connections has seen considerable previous work and tool development, understanding traffic at a higher level, namely the structure of user-initiated sessions made up of groups of related connections, remains much less explored. Some types of session structure, such as the coupling between an FTP control connection and the data connections it spawns, have prespecified forms, though the specifications do not guarantee how those forms appear in practice. Other types of sessions, such as a user reading email with a browser, only manifest empirically. Still other sessions might exist without us even knowing of their presence, such as a botnet zombie receiving instructions from its master and proceeding in turn to carry them out. We present algorithms rooted in the statistics of Poisson processes that can mine a large corpus of network connection logs to extract the apparent structure of application sessions embedded in the connections. Our methods are semi-automated in that we aim to present an analyst with high-quality information (expressed as regular expressions) reflecting different possible abstractions of an application's session structure. We develop and test our methods using traces from a large Internet site, finding diversity in the number of applications that manifest, their different session structures, and the presence of abnormal behavior. Our work has applications to traffic characterization and monitoring, source models for synthesizing network traffic, and anomaly detection.