Network traffic behavior analysis by decomposition into control and data planes

In this paper, we analyze network traffic behavior by decomposing header traffic into control and data planes and studying the relationship between the two planes. By computing the cross-correlation between the control and data traffic, we observe generally 'similar' behavior between the two planes under normal conditions, and that this similarity is affected during abnormal behavior. This allows us to focus on abnormal changes in network traffic behavior. We test our approach on the Network Intrusion Dataset provided by the Information Exploration Shootout (IES) project and the 1999 DARPA Intrusion Detection Evaluation Dataset from the MIT Lincoln Lab. We find that TCP control and data traffic have high correlation levels during benign normal applications. This correlation is reduced when attacks that affect the aggregate traffic are present in the two datasets.
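
The decomposition and correlation described above, as an added Python example that is not code from the paper: it bins TCP headers into control and data packet counts and flags windows where their correlation drops. The split rule (SYN/FIN/RST and payload-free ACKs are control), the zero-lag Pearson measure, the 20-bin window, the 0.9 threshold and the trace itself are assumptions constructed for illustration.

```python
import random
from math import sqrt

def is_control(flags, payload_len):
    # Assumed split (not spelled out in the abstract): SYN/FIN/RST segments and
    # payload-free ACKs are control plane; payload-carrying segments are data plane.
    return bool(flags & {"SYN", "FIN", "RST"}) or payload_len == 0

def split_planes(packets, n_bins, bin_s=1.0):
    """Bin (timestamp, flags, payload_len) headers into per-plane packet counts."""
    ctrl, data = [0] * n_bins, [0] * n_bins
    for ts, flags, payload_len in packets:
        series = ctrl if is_control(flags, payload_len) else data
        series[int(ts // bin_s)] += 1
    return ctrl, data

def pearson(x, y):
    """Zero-lag normalized cross-correlation of two equal-length series."""
    mx, my = sum(x) / len(x), sum(y) / len(y)
    cov = sum((a - mx) * (b - my) for a, b in zip(x, y))
    var = sum((a - mx) ** 2 for a in x) * sum((b - my) ** 2 for b in y)
    return cov / sqrt(var) if var else 0.0

def windowed_correlation(ctrl, data, win):
    """Correlation per non-overlapping window of `win` bins."""
    return [pearson(ctrl[i:i + win], data[i:i + win])
            for i in range(0, len(ctrl) - win + 1, win)]

def constructed_trace(n_bins=100, flood=range(60, 80), seed=7):
    """Constructed header trace: benign connections plus a control-only burst."""
    rng, pkts = random.Random(seed), []
    for t in range(n_bins):
        for _ in range(rng.randint(20, 40)):        # benign connections
            pkts.append((t, {"SYN"}, 0))
            for _ in range(rng.randint(2, 4)):      # data segment and its ACK
                pkts.append((t, {"ACK", "PSH"}, 512))
                pkts.append((t, {"ACK"}, 0))
            pkts.append((t, {"FIN", "ACK"}, 0))
        if t in flood:                              # SYN segments with no data
            pkts += [(t, {"SYN"}, 0)] * rng.randint(0, 2000)
    return pkts

def low_correlation_windows(packets, n_bins=100, win=20, threshold=0.9):
    """Return (indices of windows below threshold, all window correlations)."""
    ctrl, data = split_planes(packets, n_bins)
    corrs = windowed_correlation(ctrl, data, win)
    return [i for i, r in enumerate(corrs) if r < threshold], corrs

if __name__ == "__main__":
    flagged, corrs = low_correlation_windows(constructed_trace())
    print([round(r, 3) for r in corrs], "flagged:", flagged)
```

A burst of constant size would shift the control mean without changing the correlation, so the constructed burst varies per bin; on real captures the window length and threshold need tuning against a benign baseline.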