Discovering Patterns of Interest in IP Traffic Using Cliques in Bipartite Link Streams

Studying IP traffic is crucial for many applications. We focus here on the detection of (structurally and temporally) dense sequences of interactions, which may indicate botnets or coordinated network scans. More precisely, we model a MAWI capture of IP traffic as a link stream, i.e. a sequence of interactions $(t_1, t_2, u, v)$ meaning that devices $u$ and $v$ exchanged packets from time $t_1$ to time $t_2$. This traffic is captured on a single router and so has a bipartite structure: links occur only between nodes in two disjoint sets. We design a method for finding interesting bipartite cliques in such link streams, i.e. two sets of nodes and a time interval such that all nodes in the first set are linked to all nodes in the second set throughout the time interval. We then explore the bipartite cliques present in the considered trace. Comparison with the MAWILab classification of anomalous IP addresses shows that the cliques found succeed in detecting anomalous network activity.
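The clique definition above can be checked directly on a small stream. The following is an added example, not the paper's enumeration method: given two candidate node sets, it returns the maximal time intervals over which they form a bipartite clique. The function names and the sample links (documentation-range addresses) are constructed for illustration.

```python
from itertools import product

# Constructed sample link stream: (t1, t2, u, v) = u and v exchange packets on [t1, t2].
LINKS = [
    (0, 10, "198.51.100.7", "192.0.2.1"), (2, 12, "198.51.100.7", "192.0.2.2"),
    (1, 9, "198.51.100.7", "192.0.2.3"), (3, 11, "198.51.100.8", "192.0.2.1"),
    (0, 8, "198.51.100.8", "192.0.2.2"), (4, 6, "198.51.100.8", "192.0.2.3"),
    (7, 15, "198.51.100.8", "192.0.2.3"), (20, 25, "198.51.100.7", "192.0.2.1"),
]
SOURCES = ["198.51.100.7", "198.51.100.8"]          # one side of the bipartition
TARGETS = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]   # the other side

def merge(intervals):
    """Union of closed intervals, returned as sorted disjoint intervals."""
    out = []
    for s, e in sorted(intervals):
        if out and s <= out[-1][1]:
            out[-1][1] = max(out[-1][1], e)
        else:
            out.append([s, e])
    return [tuple(i) for i in out]

def intersect(xs, ys):
    """Intersection of two sorted lists of disjoint intervals."""
    out, i, j = [], 0, 0
    while i < len(xs) and j < len(ys):
        s, e = max(xs[i][0], ys[j][0]), min(xs[i][1], ys[j][1])
        if s < e:  # keep only overlaps with positive duration
            out.append((s, e))
        if xs[i][1] < ys[j][1]:
            i += 1
        else:
            j += 1
    return out

def clique_intervals(links, top, bottom):
    """Maximal intervals during which every node of top is linked to every node of bottom."""
    per_pair = {}
    for t1, t2, u, v in links:
        per_pair.setdefault(frozenset((u, v)), []).append((t1, t2))
    result = None
    for u, v in product(top, bottom):
        spans = merge(per_pair.get(frozenset((u, v)), []))
        result = spans if result is None else intersect(result, spans)
        if not result:
            return []  # some pair is never linked while the others are
    return result or []
```

On the sample stream the two sources and three targets form a clique on (4, 6) and again on (7, 8); the gap comes from the one pair whose link is interrupted between times 6 and 7.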
