Long-Range Dependence Analysis of Control and Data Planes Network Traffic

This paper analyzes network traffic behavior using correlation analysis of the control and data planes. The Long-Range Dependence (LRD) behavior of the control and data plane traffic is examined in different directions with respect to the enterprise network. The approach is tested on the TCP traffic of the Network Intrusion Dataset provided by the Information Exploration Shootout project. Results show that network attacks in the dataset that affect the aggregate traffic cause the incoming control traffic or the outgoing data traffic to fail to exhibit LRD behavior, whereas the traffic as a whole still exhibits LRD behavior. These two subgroups are the only ones affected, because the attacks in the dataset are carried via the incoming control traffic, and the response to this traffic appears in the outgoing data traffic. These two subgroups have low traffic volume, so focusing on them significantly reduces the amount of traffic analysis. In addition, correlation analysis of control and data plane traffic will enable the detection of abnormal behaviors that might not be detected by previous work that only looks at the traffic as a whole.

Keywords: Network traffic analysis, correlation analysis, abnormal behavior, long-range dependence, the Optimization Method.
