Identification of anomalies on encrypted communications based on multi-scale behavior modeling

Internet usage has increased drastically in recent years due to the emergence of new services and applications such as voice, video streaming, video conferencing and e-banking. As the number of Internet users has grown, illegal activities such as spam and data and identity theft have also grown exponentially. Identifying Internet applications has therefore become an important task for several purposes, such as traffic engineering, quality of service, network optimization and, obviously, security. Several identification methodologies have been proposed, ranging from simple approaches such as port-based methods to more generic ones such as protocol statistical analysis. However, the widespread use of traffic encryption prevents inspection based on the packet payload, creating the need for new methodologies that can accurately map traffic to its generating protocol based only on traffic flow statistics. This paper presents an identification methodology that relies on a multi-scale analysis of sampled traffic flows, enabling the identification of illicit activities in encrypted communication scenarios. Several multi-scale quantifiers are obtained from the multi-scale analysis of the captured flows, and the flows are then classified by identifying the time scales at which the different multi-scale quantifiers are best discriminated. Two different approaches are used in the classification procedure: one based on the distances between the quantiles of the empirical distributions, which assumes only that the multi-scale quantifiers follow a generic probability distribution, and another that assumes that the multi-scale quantifiers follow Gaussian distributions. The methodology was applied to some of the most widely used licit Internet applications and to two popular illicit applications, and the results show that the proposed approach is able to accurately classify Internet traffic and identify illicit activities.
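The classification pipeline sketched in the abstract, as an added example that is not the paper's code: multi-scale quantifiers are extracted per window of a flow, the scales at which the classes are best discriminated are chosen on training data, and a held-out flow is then labelled both by the quantile-distance approach and by the Gaussian approach. Everything concrete here is an assumption made for illustration: the per-scale quantifier (log of the variance of the aggregated series divided by the scale), the window size and scales, the scale-selection rule, and the two synthetic "steady" and "bursty" traffic classes whose packets-per-second traces are constructed inline. Only the Python standard library is used.

```python
import math
import random
import statistics
from typing import Dict, List

# Added example, not the paper's code.  Scales, window size, quantile levels,
# the quantifier itself and the two synthetic traffic classes are assumptions.
SCALES = (1, 2, 4, 8, 16)           # aggregation levels in seconds (assumed)
WINDOW = 128                        # samples per analysis window (assumed)
QUANTILE_LEVELS = (0.1, 0.25, 0.5, 0.75, 0.9)
Profile = Dict[int, List[float]]    # scale -> quantifier values, one per window


def synth_series(kind: str, seconds: int, rng: random.Random) -> List[int]:
    """Constructed packets-per-second traces for two hypothetical classes:
    'steady' is a near-constant stream, 'bursty' alternates 8 s of bursts with
    8 s of near-silence, so its variance scales differently with aggregation."""
    out = []
    for t in range(seconds):
        if kind == "steady":
            out.append(max(0, int(rng.gauss(50, 5))))
        else:
            burst = (t // 8) % 2 == 0
            out.append(max(0, int(rng.gauss(90 if burst else 10, 10))))
    return out


def aggregate(series: List[int], scale: int) -> List[int]:
    """Sum consecutive `scale` samples, dropping an incomplete tail block."""
    return [sum(series[i:i + scale]) for i in range(0, len(series) - scale + 1, scale)]


def quantifiers(window: List[int]) -> Dict[int, float]:
    """One quantifier per scale: log of the variance of the aggregated series
    divided by the scale (a variance-time style statistic; assumed choice)."""
    return {s: math.log(statistics.pvariance(aggregate(window, s)) / s + 1e-9)
            for s in SCALES}


def flow_profile(series: List[int]) -> Profile:
    """Empirical distribution of each quantifier over the flow's windows."""
    prof: Profile = {s: [] for s in SCALES}
    for i in range(0, len(series) - WINDOW + 1, WINDOW):
        for s, v in quantifiers(series[i:i + WINDOW]).items():
            prof[s].append(v)
    return prof


def quantile(values: List[float], p: float) -> float:
    """Linearly interpolated empirical quantile."""
    xs = sorted(values)
    pos = p * (len(xs) - 1)
    lo, hi = math.floor(pos), math.ceil(pos)
    return xs[lo] + (xs[hi] - xs[lo]) * (pos - lo)


def select_scales(classes: Dict[str, Profile], k: int = 3) -> List[int]:
    """Keep the k scales where every pair of classes is best separated, using
    |mean difference| / (sum of standard deviations) as the separation index
    (a simple selection rule chosen for this example)."""
    names = list(classes)
    score = {}
    for s in SCALES:
        seps = []
        for i, a in enumerate(names):
            for b in names[i + 1:]:
                va, vb = classes[a][s], classes[b][s]
                spread = statistics.pstdev(va) + statistics.pstdev(vb) + 1e-9
                seps.append(abs(statistics.mean(va) - statistics.mean(vb)) / spread)
        score[s] = min(seps)
    return sorted(sorted(SCALES, key=lambda s: -score[s])[:k])


def classify_quantile(flow: Profile, classes: Dict[str, Profile], scales: List[int]) -> str:
    """Approach A: sum, over the chosen scales and quantile levels, of the
    distance between the flow's empirical quantiles and each class's."""
    def dist(ref: Profile) -> float:
        return sum(abs(quantile(flow[s], p) - quantile(ref[s], p))
                   for s in scales for p in QUANTILE_LEVELS)
    return min(classes, key=lambda c: dist(classes[c]))


def classify_gaussian(flow: Profile, classes: Dict[str, Profile], scales: List[int]) -> str:
    """Approach B: model each class quantifier as N(mu, sigma) per scale and
    pick the class maximising the log-likelihood of the flow's window values."""
    def loglik(ref: Profile) -> float:
        ll = 0.0
        for s in scales:
            mu, sd = statistics.mean(ref[s]), statistics.pstdev(ref[s]) + 1e-6
            ll += sum(-math.log(sd) - 0.5 * ((x - mu) / sd) ** 2 for x in flow[s])
        return ll
    return max(classes, key=lambda c: loglik(classes[c]))


def demo(seed: int = 7) -> Dict[str, object]:
    """Train on 4096 s per class, select scales, then classify two held-out
    1024 s flows with both approaches.  Returns chosen scales and labels."""
    rng = random.Random(seed)
    classes = {k: flow_profile(synth_series(k, 4096, rng)) for k in ("steady", "bursty")}
    scales = select_scales(classes)
    labels = {}
    for truth in ("steady", "bursty"):
        held_out = flow_profile(synth_series(truth, 1024, rng))
        labels[truth] = (classify_quantile(held_out, classes, scales),
                         classify_gaussian(held_out, classes, scales))
    return {"scales": scales, "labels": labels}


if __name__ == "__main__":
    print(demo())
```

The quantile approach needs no distributional assumption beyond the class training windows themselves, which is why the abstract frames it as the more generic of the two; the Gaussian approach is cheaper (two parameters per class and scale) but misclassifies when a quantifier's distribution is skewed or multimodal, so in practice the scale-selection step matters as much as the classifier: scales where the classes overlap contribute only noise to either distance.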
