Exploring Graph-Based Network Traffic Monitoring
Monitoring network traffic and classifying applications are essential functions for network administrators. These tasks are becoming increasingly challenging since (a) many applications obfuscate their traffic using nonstandard ports, and (b) new applications constantly appear. This suggests the need for a behavioral-based approach, where the detector looks for fundamental behaviors of the application that are both intrinsic to the application and distinct from normal traffic. Identifying intrinsic behaviors makes it difficult for application writers to disguise such behaviors without defeating the very purpose of the application. In this paper, we propose a graph-based representation of network traffic which captures the network-wide interactions of applications. In these graphs, nodes are individual IP addresses and edges between nodes represent particular communications. For example, an edge might represent the exchange of a single packet, or the exchange of at least ten packets of any type. We call such graphs "Traffic Dispersion Graphs" or TDGs [3]. As a proof of concept we show that our proposed graph-based classifier outperforms BLINC [4] in detecting P2P traffic on backbone links. Our results are very promising, showing that TDGs can provide the basis for the next generation of network monitoring tools.
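The following is an added example, not code from the paper: it builds a TDG from a handful of constructed flow records using the "at least ten packets" edge rule described above, and computes a few whole-graph metrics. The flow records, the optional per-port filter, and the choice of metrics (in particular the count of nodes that both send and receive) are my own assumptions about what a behavioral classifier would consume, not metrics the abstract names.

```python
# Added example (not from the paper). Builds a Traffic Dispersion Graph (TDG):
# nodes are IP addresses, a directed edge src->dst exists once the pair has
# exchanged at least `min_packets` packets (the "ten packets" rule in the text).
from collections import defaultdict

# Constructed sample flow records: (src_ip, dst_ip, dst_port, packet_count).
# The first group mimics a symmetric P2P mesh, the second a client/server site.
FLOWS = [
    ("10.0.0.1", "10.0.0.2", 6881, 12),
    ("10.0.0.1", "10.0.0.3", 6881, 15),
    ("10.0.0.2", "10.0.0.1", 6881, 11),
    ("10.0.0.3", "10.0.0.4", 6881, 9),
    ("10.0.0.4", "10.0.0.1", 6881, 3),
    ("10.0.0.5", "10.0.0.6", 80, 40),
    ("10.0.0.7", "10.0.0.6", 80, 25),
    ("10.0.0.8", "10.0.0.6", 80, 2),
]

def build_tdg(flows, min_packets=10, port=None):
    """Return adjacency {src: set(dst)}; one edge per (src, dst) pair whose
    accumulated packet count reaches min_packets. `port` (assumption: TDG per
    destination port) restricts the graph to one application port."""
    counts = defaultdict(int)
    for src, dst, dport, pkts in flows:
        if port is None or dport == port:
            counts[(src, dst)] += pkts  # aggregate repeated flows per pair
    graph = defaultdict(set)
    for (src, dst), n in counts.items():
        if n >= min_packets:
            graph[src].add(dst)
    return dict(graph)

def tdg_metrics(graph):
    """Whole-graph features: node/edge counts, average degree, max in-degree,
    and nodes with both in- and out-edges (hosts acting as client and server)."""
    nodes = set(graph)
    for dsts in graph.values():
        nodes |= dsts
    in_deg, out_deg = defaultdict(int), defaultdict(int)
    for src, dsts in graph.items():
        out_deg[src] += len(dsts)
        for d in dsts:
            in_deg[d] += 1
    edges = sum(len(d) for d in graph.values())
    inout = sum(1 for n in nodes if in_deg[n] and out_deg[n])
    return {"nodes": len(nodes), "edges": edges, "inout_nodes": inout,
            "avg_degree": 2 * edges / len(nodes) if nodes else 0.0,
            "max_in_degree": max(in_deg.values(), default=0)}
```

With the sample flows, the port-6881 subgraph is the only one containing nodes that both send and receive, which is the kind of structural contrast a TDG-based classifier can key on.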
[1] Daniel R. Ellis, et al. A behavioral approach to worm detection, 2004, WORM '04.
[2] M. Frans Kaashoek, et al. Role classification of hosts within enterprise networks based on connection patterns, 2003, USENIX Annual Technical Conference, General Track.
[3] George Varghese, et al. Network monitoring using traffic dispersion graphs (TDGs), 2007, IMC '07.
[4] Michalis Faloutsos, et al. BLINC: multilevel traffic classification in the dark, 2005, SIGCOMM '05.