Game theory driven monitoring of spatial-aggregated IP-Flow records

An important problem in current operational environments is the sheer quantity of monitoring data that has to be processed online. This paper introduces a new metric that leverages spatially and temporally aggregated IP-flow information. The metric is based on a new kernel function that captures both the distribution of traffic over the IP address space and volume-related traffic information. We assess several attacks and counter-attack methods against a sound game-theoretical model in order to identify the best Nash-equilibrium-driven defensive and offensive strategies.
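The abstract does not give the kernel function or the game's payoff matrix, so the following Python example (added here; it is not the paper's code or metric) only illustrates the two building blocks it names: spatial and temporal aggregation of flow records into prefix/time buckets, and the solution of a small attacker-versus-defender zero-sum matrix game for its Nash equilibrium. The flow records and payoff values are constructed, and Shannon entropy of the per-prefix volume distribution is used as a stand-in address-space dispersion measure, not as the paper's kernel.

```python
"""Spatial/temporal aggregation of IP-flow records and a 2x2 zero-sum
attacker/defender game. Illustrative example, not the paper's method."""
import ipaddress
from collections import defaultdict
from fractions import Fraction
from math import log2

# Constructed sample flow records (t_seconds, src_ip, dst_ip, bytes); not real traffic.
FLOWS = [
    (0,  "10.0.1.5", "192.0.2.10", 1500),
    (5,  "10.0.1.7", "192.0.2.10", 1500),
    (12, "10.0.2.9", "192.0.2.11", 600),
    (30, "10.0.1.5", "192.0.2.10", 1500),
    (45, "10.0.3.1", "192.0.2.12", 40),
    (70, "10.0.3.2", "192.0.2.12", 40),
    (75, "10.0.3.3", "192.0.2.12", 40),
    (80, "10.0.3.4", "192.0.2.12", 40),
    (90, "10.0.1.5", "192.0.2.10", 1500),
]


def aggregate(flows, prefix_len=24, window=60, key=1):
    """Spatial aggregation: bucket the src (key=1) or dst (key=2) address of
    each record into its /prefix_len network. Temporal aggregation: bucket
    records into fixed windows of `window` seconds.
    Returns {window_index: {prefix: total_bytes}}."""
    agg = defaultdict(lambda: defaultdict(int))
    for rec in flows:
        t, size = rec[0], rec[3]
        net = ipaddress.ip_network(f"{rec[key]}/{prefix_len}", strict=False)
        agg[t // window][str(net)] += size
    return {w: dict(d) for w, d in agg.items()}


def address_entropy(bucket):
    """Shannon entropy (bits) of the byte-volume distribution over prefixes
    in one window. Assumed stand-in for the paper's unspecified kernel:
    high entropy = volume spread across the address space (scan-like),
    low entropy = volume concentrated on few prefixes (flood-like)."""
    total = sum(bucket.values())
    return -sum(v / total * log2(v / total) for v in bucket.values() if v)


# Constructed payoffs: attacker (rows) maximises undetected damage, defender
# (columns) minimises it. Rows: volumetric flood, address-space scan.
# Columns: volume-based monitoring, address-distribution monitoring.
PAYOFF = [[1, 4],
          [3, 2]]


def solve_2x2_zero_sum(M):
    """Nash equilibrium of a 2x2 zero-sum game given as the row player's
    payoff matrix. Returns (value, row_mix, col_mix) as exact Fractions.
    Handles both a pure saddle point and a fully mixed equilibrium."""
    (a, b), (c, d) = [[Fraction(x) for x in row] for row in M]
    row_mins = [min(a, b), min(c, d)]
    col_maxs = [max(a, c), max(b, d)]
    if max(row_mins) == min(col_maxs):          # pure saddle point
        i = row_mins.index(max(row_mins))
        j = col_maxs.index(min(col_maxs))
        return (max(row_mins),
                [Fraction(int(k == i)) for k in range(2)],
                [Fraction(int(k == j)) for k in range(2)])
    denom = (a - b) + (d - c)                   # non-zero when no saddle point
    p = (d - c) / denom                         # row player's weight on row 0
    q = (d - b) / denom                         # column player's weight on column 0
    value = (a * d - b * c) / denom
    return value, [p, 1 - p], [q, 1 - q]


if __name__ == "__main__":
    for w, bucket in sorted(aggregate(FLOWS).items()):
        print(f"window {w}: {bucket} entropy={address_entropy(bucket):.3f} bits")
    value, att, dfn = solve_2x2_zero_sum(PAYOFF)
    print(f"game value {value}; attacker mix {att}; defender mix {dfn}")
```

With the constructed records, window 0 is dominated by a single /24 (flood-like, low entropy) while window 1 spreads small flows over a /24 of scanning sources; changing `prefix_len` to 16 collapses both windows into one bucket, which is the granularity trade-off a spatially aggregated monitor must choose. In the constructed game no pure strategy is optimal for either side, so both players randomise: the attacker floods a quarter of the time and scans otherwise, the defender splits monitoring evenly, and the equilibrium value is 5/2.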
