Detection of illicit traffic based on multiscale analysis

Recent years have witnessed a huge increase in the number and variety of Internet applications, as well as in the number and diversity of security attacks on network users and systems. Consequently, the need for an accurate mapping of traffic to its corresponding applications has also risen, so that ISPs can provide better Quality-of-Service (QoS) standards, implement traffic engineering methodologies and deploy efficient security strategies. Several approaches have been proposed to identify Internet applications, ranging from port-based identification to the detailed analysis of the packets' payload content or the statistical analysis of the generated traffic flows. However, even the most efficient methodologies present constraints that limit their applicability, namely confidentiality constraints or difficulties in classifying traffic with unknown behavior. This paper presents a new methodology for traffic classification that relies on multiscale analysis of the sampled traffic: the multifractal coefficients of the different traffic flows are estimated, and the flows are grouped, using clustering techniques, according to their multifractal behavior over different time scales. Besides applying this approach to classify traffic from three of the most important Internet protocols, the methodology's efficiency was also tested by identifying two of the most frequent network security attacks.
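The abstract describes the pipeline only in outline: sample each flow over time, estimate per-flow multifractal scaling coefficients, and cluster flows by those coefficients. The Python below is an added example written for this page, not the paper's code or its estimator. It assumes that each flow has already been sampled into a byte-count series of power-of-two length, that the per-flow feature vector is the structure-function exponent tau(q) (the slope of log2 of the mean q-th power of block sums against log2 of the block length over dyadic scales), and that a plain Lloyd-style k-means with farthest-point seeding does the grouping. The smooth and bursty (binomial cascade) flows, their rates, the cascade parameters and the `smooth-`/`bursty-` names are all constructed for the demonstration; for the deterministic cascade the expected exponent is known in closed form, which `cascade_tau` provides as a check.

```python
"""Multiscale flow features and k-means grouping (added example, not the paper's code).

Assumptions: a flow is a per-interval byte-count series of power-of-two length;
its feature vector is tau(q) = slope of log2(mean block_sum^q) vs log2(block length)
over dyadic scales; flows are grouped with Lloyd-style k-means.  All series are constructed.
"""
import math
import random
from typing import Dict, List, Sequence


def aggregate(series: Sequence[float], block: int) -> List[float]:
    """Sum non-overlapping blocks of `block` samples: the flow seen at a coarser time scale."""
    usable = len(series) - len(series) % block
    return [sum(series[i:i + block]) for i in range(0, usable, block)]


def _slope(xs: Sequence[float], ys: Sequence[float]) -> float:
    """Ordinary least-squares slope of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def scaling_exponents(series: Sequence[float], qs: Sequence[int] = (2, 3, 4),
                      min_blocks: int = 8) -> Dict[int, float]:
    """Estimate tau(q) over scales 2^0, 2^1, ... while at least min_blocks blocks remain.

    A smooth flow (near-constant rate) gives tau(q) ~= q; a flow whose burstiness
    persists across scales gives smaller, concave tau(q).  tau(1) is always exactly 1
    (block means scale with block length), so it carries no information and qs starts at 2.
    """
    levels: List[int] = []
    j = 0
    while len(series) >> j >= min_blocks:
        levels.append(j)
        j += 1
    if len(levels) < 2:
        raise ValueError("series too short for a multiscale fit")
    feats: Dict[int, float] = {}
    for q in qs:
        log_moments = []
        for j in levels:
            blocks = aggregate(series, 1 << j)
            moment = sum(abs(b) ** q for b in blocks) / len(blocks)
            if moment <= 0:  # an all-zero (idle) series has no scaling behaviour
                raise ValueError("all-zero series")
            log_moments.append(math.log2(moment))
        feats[q] = _slope(levels, log_moments)
    return feats


def _dist2(a: Sequence[float], b: Sequence[float]) -> float:
    return sum((x - y) ** 2 for x, y in zip(a, b))


def kmeans(points: List[List[float]], k: int, max_iter: int = 100) -> List[int]:
    """Lloyd-style k-means with deterministic farthest-point seeding; returns a label per point."""
    centroids = [list(points[0])]
    while len(centroids) < k:
        far = max(points, key=lambda p: min(_dist2(p, c) for c in centroids))
        centroids.append(list(far))
    labels: List[int] = []
    for _ in range(max_iter):
        new = [min(range(k), key=lambda c: _dist2(p, centroids[c])) for p in points]
        if new == labels:
            break
        labels = new
        for c in range(k):
            members = [p for p, lab in zip(points, labels) if lab == c]
            if members:
                centroids[c] = [sum(col) / len(members) for col in zip(*members)]
    return labels


def cluster_flows(flows: Dict[str, Sequence[float]], k: int = 2) -> Dict[str, int]:
    """Map each flow name to a cluster label based on its tau(q) vector."""
    names, points = list(flows), []
    for name in names:
        tau = scaling_exponents(flows[name])
        points.append([tau[q] for q in sorted(tau)])
    return dict(zip(names, kmeans(points, k)))


def smooth_flow(rate: float, n: int, rng: random.Random) -> List[float]:
    """Constructed: near-constant bytes per interval with +/-20% uniform jitter."""
    return [rate * (1 + rng.uniform(-0.2, 0.2)) for _ in range(n)]


def cascade_flow(total: float, depth: int, p: float) -> List[float]:
    """Constructed: deterministic binomial cascade, i.e. bursty at every time scale."""
    if depth == 0:
        return [total]
    return cascade_flow(total * p, depth - 1, p) + cascade_flow(total * (1 - p), depth - 1, p)


def cascade_tau(p: float, q: int) -> float:
    """Closed-form tau(q) of the binomial cascade above: -log2((p^q + (1-p)^q) / 2)."""
    return -math.log2((p ** q + (1 - p) ** q) / 2)


def build_sample_flows(length: int = 1024) -> Dict[str, List[float]]:
    """Constructed corpus: three smooth flows and three cascade flows with different p."""
    assert length & (length - 1) == 0, "length must be a power of two"
    rng, depth, flows = random.Random(7), length.bit_length() - 1, {}
    for i, rate in enumerate((500.0, 1500.0, 4000.0)):
        flows[f"smooth-{i}"] = smooth_flow(rate, length, rng)
    for i, p in enumerate((0.7, 0.75, 0.8)):
        flows[f"bursty-{i}"] = cascade_flow(1500.0 * length, depth, p)
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    for name, series in sample.items():
        print(name, {q: round(t, 3) for q, t in scaling_exponents(series).items()})
    print(cluster_flows(sample))
```

The exponent at q=1 is degenerate for this estimator (block means scale exactly with block length), which is why the feature vector starts at q=2; on real captures, idle flows with all-zero intervals must be filtered before the log is taken, and the coarsest scales (few blocks) should be dropped from the fit because their sample moments are noisy.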