Network security management with traffic pattern clustering

Soft Computing
Abstract

Profiling network traffic patterns is an important approach to tackling network security problems. Based on a campus network infrastructure, we propose a new method to identify randomly generated domain names and pinpoint the potential victim groups. We characterize normal domain names with so-called popular 2-grams (two consecutive characters in a word) to distinguish active domain names from nonexistent ones. We also track the destination IPs of each source IP and analyze the similarity of their connection patterns to uncover potentially anomalous group network behavior. We apply Hadoop to handle the big data of network traffic and classify the clients as victims or not with the spectral clustering method.
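The abstract names two building blocks: a "popular 2-gram" score that separates human-chosen domain labels from random-looking ones, and a grouping of clients whose sets of destination IPs look alike. The following is an added example written for this page, not the paper's code: the training corpus, client data, thresholds and IP addresses are all constructed, the popular set is learned as "2-grams seen in at least two normal domains" (an assumption, not the paper's rule), and a Jaccard-threshold union-find stands in for the spectral clustering step so the example runs without a numerical library.

```python
"""Constructed illustration of the two ideas in the abstract. Nothing here is
the paper's code; names, data and thresholds are made up for the example."""
from collections import Counter
from itertools import combinations

# Constructed stand-in for the campus network's normal, resolvable domain names.
NORMAL_DOMAINS = [
    "google.com", "facebook.com", "youtube.com", "wikipedia.org", "twitter.com",
    "amazon.com", "microsoft.com", "linkedin.com", "instagram.com", "netflix.com",
    "reddit.com", "github.com", "apple.com", "yahoo.com", "stackoverflow.com",
    "mozilla.org", "cloudflare.com", "dropbox.com", "spotify.com", "pinterest.com",
]


def second_level_label(name):
    """Label left of the TLD ('reddit' for 'www.reddit.com'). Simplification:
    multi-part public suffixes such as .co.uk are not special-cased."""
    labels = name.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def bigrams(label):
    """All 2-grams (pairs of consecutive characters) of a label, in order."""
    return [label[i:i + 2] for i in range(len(label) - 1)]


def learn_popular_bigrams(domains, min_domains=2):
    """A 2-gram is 'popular' if it occurs in at least min_domains distinct normal
    domains. The threshold is an assumption chosen for this tiny corpus."""
    seen_in = Counter()
    for d in domains:
        seen_in.update(set(bigrams(second_level_label(d))))
    return {bg for bg, n in seen_in.items() if n >= min_domains}


def popularity_ratio(name, popular):
    """Fraction of the label's 2-grams that are popular (0.0 for a 1-char label)."""
    bgs = bigrams(second_level_label(name))
    if not bgs:
        return 0.0
    return sum(bg in popular for bg in bgs) / len(bgs)


def looks_random(name, popular, threshold=0.3):
    """Names with few popular 2-grams are treated as algorithmically generated."""
    return popularity_ratio(name, popular) < threshold


POPULAR = learn_popular_bigrams(NORMAL_DOMAINS)

# Constructed per-client view of the traffic (documentation-range addresses):
# destination IPs each source IP connected to, and the names it looked up.
CLIENT_DESTINATIONS = {
    "10.0.1.11": {"203.0.113.5", "203.0.113.9", "198.51.100.4"},
    "10.0.1.12": {"203.0.113.5", "203.0.113.9", "198.51.100.4", "192.0.2.77"},
    "10.0.1.13": {"203.0.113.5", "203.0.113.9"},
    "10.0.2.21": {"192.0.2.10", "192.0.2.11"},
    "10.0.2.22": {"192.0.2.10", "192.0.2.12", "198.51.100.4"},
}
CLIENT_QUERIES = {
    "10.0.1.11": ["xq7kzv9w.com", "www.reddit.com"],
    "10.0.1.12": ["pl3mzq0t.net", "twitch.tv"],
    "10.0.1.13": ["xq7kzv9w.com"],
    "10.0.2.21": ["www.reddit.com"],
    "10.0.2.22": ["twitch.tv"],
}


def jaccard(a, b):
    """Presence/absence similarity of two destination sets."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def group_clients(dests, min_similarity=0.5):
    """Union-find over client pairs whose similarity reaches min_similarity;
    returns groups of two or more clients. This is a simple stand-in for the
    paper's spectral clustering step, not a reimplementation of it."""
    parent = {c: c for c in dests}

    def find(c):
        while parent[c] != c:
            parent[c] = parent[parent[c]]  # path halving
            c = parent[c]
        return c

    for a, b in combinations(dests, 2):
        if jaccard(dests[a], dests[b]) >= min_similarity:
            parent[find(a)] = find(b)
    groups = {}
    for c in dests:
        groups.setdefault(find(c), set()).add(c)
    return [g for g in groups.values() if len(g) >= 2]


def candidate_victim_groups(groups, queries, popular):
    """Keep groups in which every member looked up at least one random-looking name."""
    return [g for g in groups
            if all(any(looks_random(n, popular) for n in queries.get(c, []))
                   for c in g)]


if __name__ == "__main__":
    for name in ("www.reddit.com", "twitch.tv", "xq7kzv9w.com"):
        print(name, round(popularity_ratio(name, POPULAR), 2), looks_random(name, POPULAR))
    print(candidate_victim_groups(group_clients(CLIENT_DESTINATIONS), CLIENT_QUERIES, POPULAR))
```

With the constructed data the three clients in 10.0.1.0/24 share most destinations and each resolved at least one random-looking name, so they come out as the single candidate victim group; a real deployment would learn the popular set from a far larger corpus, since with twenty training names even a legitimate unseen label such as twitch scores only 0.4.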

Author information

Correspondence to Shi-Chun Tsai.

Additional information

Communicated by A. Castiglione.

Cite this article

Chiou, TW., Tsai, SC. & Lin, YB. Network security management with traffic pattern clustering. Soft Comput 18, 1757–1770 (2014). https://doi.org/10.1007/s00500-013-1218-0
