The Contact Surface: A Technique for Exploring Internet Scale Emergent Behaviors

Large-scale internet data analysis often concentrates on statistical measures of volume properties or focuses on the epidemiology of specific malcodes. We have developed a high-level abstraction, which we call the contact surface, that allows us to visualize internet-scale connection behaviours across the border of a monitored network. The contact surface is a time series of contact lines, each line plotting the number of outside sources that contact a specific number of inside hosts in a given time interval (typically an hour). In general, the lines follow a power law in the mid range, with distinct outliers at the two ends: one destination per source, and hundreds to thousands of destinations per source. During some periods, however, the lines are perturbed by what appears to be a persistent bump or waterfall. We have studied two such episodes, one that persisted from at least January 2003 until August 2003 and another that appeared on February 11, 2004 and lasted until May 31, 2004. The exact cause of the former is unknown; the latter, however, appears to have been caused by the Welchia.B worm. Similar activities are currently being reported by other observers. We hypothesize that the cause of the perturbation is low-frequency periodic scanning by a small population of hosts scanning at the same rate. We have created simulations to explore the range of activities that might be observable and find reasonable agreement with the observed phenomena.
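The contact-line definition above can be computed directly from border flow records. The following Python sketch is an added example, not code from the paper; the function name, the `(timestamp, source, destination)` record layout, and the sample flows (documentation address ranges) are assumptions made for illustration.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

INTERVAL = 3600  # seconds; the abstract's typical interval is one hour


def contact_surface(flows, inside_net, interval=INTERVAL):
    """Build the contact surface from border flow records.

    flows: iterable of (epoch_seconds, src_ip, dst_ip) tuples (assumed layout).
    Returns {interval_start: {k: number of outside sources that contacted
    exactly k distinct inside hosts during that interval}}.
    """
    inside = ip_network(inside_net)
    # interval start -> outside source -> distinct inside hosts it contacted
    contacts = defaultdict(lambda: defaultdict(set))
    for ts, src, dst in flows:
        s, d = ip_address(src), ip_address(dst)
        if s in inside or d not in inside:
            continue  # keep only outside -> inside flows across the border
        contacts[ts - ts % interval][s].add(d)
    surface = {}
    for start, per_source in sorted(contacts.items()):
        # One contact line: histogram of per-source destination counts.
        line = Counter(len(dsts) for dsts in per_source.values())
        surface[start] = dict(sorted(line.items()))
    return surface


# Constructed sample flows; 192.0.2.0/24 plays the monitored network.
SAMPLE_FLOWS = [
    (10, "198.51.100.1", "192.0.2.10"),
    (20, "198.51.100.1", "192.0.2.10"),    # repeat contact, same destination
    (30, "198.51.100.2", "192.0.2.10"),
    (40, "203.0.113.5", "192.0.2.1"),
    (41, "203.0.113.5", "192.0.2.2"),
    (42, "203.0.113.5", "192.0.2.3"),
    (50, "192.0.2.10", "198.51.100.1"),    # outbound flow, ignored
    (3700, "203.0.113.5", "192.0.2.4"),
    (3701, "203.0.113.5", "192.0.2.5"),
    (3800, "198.51.100.1", "192.0.2.10"),
]

if __name__ == "__main__":
    for start, line in contact_surface(SAMPLE_FLOWS, "192.0.2.0/24").items():
        print(start, line)
```

Each inner dictionary is one contact line; stacking the lines in time order gives the surface on which a persistent bump at a fixed destination count would stand out against the power-law mid range.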
