DOI: 10.1145/1658939.1658967

Exploiting dynamicity in graph-based traffic analysis: techniques and applications

Published: 01 December 2009

Abstract

Network traffic can be represented by a Traffic Dispersion Graph (TDG) that contains an edge between two nodes that send a particular type of traffic (e.g., DNS) to one another. TDGs have recently been proposed as an alternative way to interpret and visualize network traffic. Previous studies have focused on static properties of TDGs using graph snapshots in isolation. In this work, we represent network traffic with a series of related graph instances that change over time. This representation facilitates the analysis of the dynamic nature of network traffic, providing additional descriptive power. For example, DNS and P2P graph instances can appear similar when compared in isolation, but the way the DNS and P2P TDGs change over time differs significantly. To quantify the changes over time, we introduce a series of novel metrics that capture changes both in the graph structure (e.g., the average degree) and the participants (i.e., IP addresses) of a TDG. We apply our new methodologies to improve graph-based traffic classification and to detect changes in the profile of legacy applications (e.g., e-mail).
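
A sketch of the representation the abstract describes, as an added example that is not code from the paper: flows of one traffic type are cut into time windows, each window becomes a TDG snapshot, and consecutive snapshots are compared. The abstract names average degree as a structural measure; the Jaccard overlap of node and edge sets used here for participant change is an assumed stand-in, since the paper's own metrics are not given on this page. The flow records, addresses and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed flow records: (timestamp_seconds, src_ip, dst_ip), one traffic type.
FLOWS = [
    (1, "10.0.0.1", "10.0.0.53"), (4, "10.0.0.2", "10.0.0.53"),
    (8, "10.0.0.3", "10.0.0.53"),
    (12, "10.0.0.1", "10.0.0.53"), (15, "10.0.0.2", "10.0.0.53"),
    (18, "10.0.0.4", "10.0.0.53"),
    (21, "10.0.0.7", "10.0.0.8"), (25, "10.0.0.8", "10.0.0.9"),
    (29, "10.0.0.9", "10.0.0.7"),
]

def build_snapshots(flows, window):
    """Return {window_index: set of undirected edges}, one TDG per interval."""
    snaps = defaultdict(set)
    for ts, src, dst in flows:
        if src != dst:  # a host talking to itself adds no edge
            snaps[int(ts // window)].add(frozenset((src, dst)))
    return dict(snaps)

def nodes(edges):
    """Participants (IP addresses) that appear on at least one edge."""
    return set().union(*edges)

def average_degree(edges):
    n = nodes(edges)
    return 2 * len(edges) / len(n) if n else 0.0

def jaccard(a, b):
    """Assumed similarity measure: |a & b| / |a | b|, 1.0 for two empty sets."""
    return len(a & b) / len(a | b) if (a or b) else 1.0

def dynamics(flows, window):
    """Compare each non-empty snapshot with the previous non-empty one."""
    snaps = build_snapshots(flows, window)
    keys = sorted(snaps)
    rows = []
    for prev, cur in zip(keys, keys[1:]):
        e0, e1 = snaps[prev], snaps[cur]
        rows.append({
            "interval": cur,
            "avg_degree_delta": average_degree(e1) - average_degree(e0),
            "node_overlap": jaccard(nodes(e0), nodes(e1)),
            "edge_overlap": jaccard(e0, e1),
        })
    return rows

if __name__ == "__main__":
    for row in dynamics(FLOWS, window=10):
        print(row)
```

On the constructed data the first two snapshots have the same average degree, so they look alike in isolation, while the node and edge overlap show that the participants changed.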


Published In

CoNEXT '09: Proceedings of the 5th international conference on Emerging networking experiments and technologies
December 2009
362 pages
ISBN: 9781605586366
DOI: 10.1145/1658939

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. behavioral approach
2. dynamic graphs
3. network monitoring
4. network-wide interactions

Qualifiers

• Research-article

Conference

Co-NEXT '09

Acceptance Rates

Overall Acceptance Rate 198 of 789 submissions, 25%

Article Metrics

• Downloads (Last 12 months): 16
• Downloads (Last 6 weeks): 1
Reflects downloads up to 20 Feb 2025

Cited By

• (2024) A novel approach for detecting malicious hosts based on RE-GCN in intranet. Cybersecurity 7:1. DOI: 10.1186/s42400-024-00242-8. Online publication date: 30-Dec-2024
• (2023) AutoIoT: Automatically Updated IoT Device Identification With Semi-Supervised Learning. IEEE Transactions on Mobile Computing 22:10 (5769-5786). DOI: 10.1109/TMC.2022.3183118. Online publication date: 1-Oct-2023
• (2022) Mosar: Efficiently Characterizing Both Frequent and Rare Motifs in Large Graphs. Applied Sciences 12:14 (7210). DOI: 10.3390/app12147210. Online publication date: 18-Jul-2022
• (2022) Distinguishing Between Smartphones and IoT Devices via Network Traffic. IEEE Internet of Things Journal 9:2 (1182-1196). DOI: 10.1109/JIOT.2021.3078879. Online publication date: 15-Jan-2022
• (2021) Network Traffic Classification Method Supporting Unknown Protocol Detection. 2021 IEEE 46th Conference on Local Computer Networks (LCN) (311-314). DOI: 10.1109/LCN52139.2021.9525009. Online publication date: 4-Oct-2021
• (2021) Introduction. Network Behavior Analysis (1-6). DOI: 10.1007/978-981-16-8325-1_1. Online publication date: 16-Dec-2021
• (2020) An IoT Device Identification Method based on Semi-supervised Learning. 2020 16th International Conference on Network and Service Management (CNSM) (1-7). DOI: 10.23919/CNSM50824.2020.9269044. Online publication date: 2-Nov-2020
• (2020) Internet of Things Traffic Characterization using flow and packet analysis. 2020 12th International Conference on Electronics, Computers and Artificial Intelligence (ECAI) (1-7). DOI: 10.1109/ECAI50035.2020.9223214. Online publication date: Jun-2020
• (2019) New Algorithms for Counting Temporal Graph Pattern. Symmetry 11:10 (1188). DOI: 10.3390/sym11101188. Online publication date: 20-Sep-2019
• (2019) Classifying IoT Devices in Smart Environments Using Network Traffic Characteristics. IEEE Transactions on Mobile Computing 18:8 (1745-1759). DOI: 10.1109/TMC.2018.2866249. Online publication date: 1-Aug-2019
