Pinghui Wang,Peng Jia,Jing Tao,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom.2018.8485858

2018-01-01

Abstract:Mining user behaviors over high speed links is important for applications such as network anomaly detection. Previous work focuses on monitoring anomalies such as extremely frequent users occurring in a short timeslot such as 1 minute. Little attention has been paid to detect users with stealthy behaviors such as persistent frequent and co-occurrence behaviors over a long period of time at the timeslot granularity (e.g., 1 minute granularity level). Unlike frequent users, persistent users do not necessarily occur more frequently than other users in a single timeslot, but persist and occur in a larger number of timeslots. Due to limited computation and storage resources on routers, it is prohibitive to collect massive network traffic in a long period of time. We develop an end-to-end method for solving challenges in both long-term online traffic collection and offline user behavior analysis. To achieve this goal, we design a user embedding (UE) method to fast build compact sketches of user-occurrence events over time. To reduce the estimation error introduced by Bloom Filter, we model UE as a sampling method and propose methods to accurately mine a variety of user behaviors from user-occurrence events rebuilt from UE sketches. In addition, we introduce another new embedding method reversible UE (RUE) to detect persistent frequent behaviors when monitored users' IDs are not given in advance for offline analysis. We conduct extensive experiments on real-world traffic, and the results demonstrate that our methods significantly outperform state-of-the-art methods.

Yan Gao,Yao Zhao,Robert Schweller,Shobha Venkataraman,Yan Chen,Dawn Song,Ming-Yang Kao

DOI: https://doi.org/10.1109/iwqos.2007.376561

2007-01-01

Abstract:We consider the problem of detecting the presence of a sufficiently large number of hosts that connect to more than a certain number of unique destinations within a given time window, over high-speed networks. We call such hosts stealthy spreaders. In practice, stealthy spreaders can be symptomatic of botnet scans or moderate worm propagation. Previous techniques have focused on detecting sources with an extremely large outdegree. However, such techniques fail to detect spreaders such as bot scans in which each scanning host scans only a moderate, fixed number of destinations. In contrast, our scheme maintains a small, fixed size memory usage, and is still able to detect stealthy spreader scenarios by approximating outdegree histograms from continuous traffic. To the best of our knowledge, we are the first to study the efficient outdegree histogram estimation and stealthy spreader detection problems. Evaluation based on real Internet traffic and botnet scan events show that our scheme is highly accurate and can operate online.

Xiaofei Bu,Yu-E Sun,Yang Du,Xiaocan Wu,Boyu Zhang,He Huang

DOI: https://doi.org/10.1007/s12083-020-01036-8

2021-01-11

Abstract:Detecting the flows with abnormally large spreads over big network data can help us identify network attacks, such as DDoS attacks and scanners. Most per-flow measurement studies use compact data structures to reduce their memory requirements, fitting in the limited on-chip memory and catching up with the line rate. In this paper, we study a novel problem called spread estimation among multi-periods to measure the total number of distinct elements or the number of distinct <i>k</i>-persistent elements in a flow among multiple traffic measurement periods. In our design, we use an on-chip/off-chip model to record the per-flow traffic information, which uses small on-chip memory and matches the line rate, <i>i.e.</i>, we use on-chip memory to filter out the duplicates, sample the elements, and store the sampled traffic data in off-chip memory. By performing the set operations on the sampled traffic data, we can derive the total number of distinct elements and the number of distinct <i>k</i>-persistent elements among multiple periods based on probability analysis. The experimental results on real Internet traffic traces show that, when performing spread estimation among multiple periods, our estimator is efficient in memory usage and estimation accuracy and can efficiently detect the stealthy DDoS attack and scanners.

computer science, information systems,telecommunications

Jianfeng Li,Jing Tao,Xiaobo Ma,Junjie Zhang,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom.2015.7218635

2015-01-01

Abstract:With the growing stickiness of the Internet, numerous automated programs running in terminal facilities (e.g., laptops) tend to keep closely connected to the Internet by repetitively interacting with remote services. It is of fundamental importance to study such repeating behaviors of automated programs in areas like traffic engineering and network monitoring. This paper focuses on repeating behaviors in packet arrivals that are of interest, aiming at a hierarchical characterization of packet arrivals, detection methods and quantitative metrics. To this end, we present a structure-oriented characterization of packet arrivals, which reflects the temporal structure of repeating behaviors at different scales. Based on such characterization, a repeating behavior detection method is proposed by leveraging online-learning prediction, and two novel metrics of repeating behaviors are proposed from different aspects. In addition, a denoising method is developed to enhance the noise-tolerant capability of detection and measurement in face of noises. Experimental results based on real-world traces demonstrate the effectiveness of our proposed approaches in automated program behavior detection and behavioral botnet analysis.

Yunpeng Xing,Chaoyi Lu,Baojun Liu,Haixin Duan,Junzhe Sun,Zhou Li

DOI: https://doi.org/10.1145/3646547.3689023

2024-01-01

Abstract:We present a global, large-scale measurement of Internet traffic shadowing, a less-studied yet covert format of on-path manipulation. As part of pervasive monitoring, data within packets is silently observed, retained, and then leveraged to produce additional, unsolicited requests. To depict the landscape of such behaviors, we generate a collection of decoy traffic that lures on-path exhibitors, spread them via 4,364 vantage points recruited from commercial VPN providers, and capture unsolicited requests triggered by them. We find traffic shadowing against DNS, HTTP, and TLS protocols; DNS queries to several public resolvers are most susceptible, by being observed on a wide range of Internet paths. Through hop-by-hop tracerouting, we find observers of DNS queries associated with destinations, while HTTP messages are mostly observed on the wire. User data can be retained for long, e.g., over 10 days, and can be leveraged for more than once. While a notable portion of unsolicited requests originate from addresses labeled by blocklists, we find most of them are performing reconnaissance, and we see no evidence of exploits attempted in the collected traffic.

Xun Gong,Negar Kiyavash,Nabíl Schear,Nikita Borisov

DOI: https://doi.org/10.48550/arXiv.1109.0097

2011-09-01

Abstract:Recent work in traffic analysis has shown that traffic patterns leaked through side channels can be used to recover important semantic information. For instance, attackers can find out which website, or which page on a website, a user is accessing simply by monitoring the packet size distribution. We show that traffic analysis is even a greater threat to privacy than previously thought by introducing a new attack that can be carried out remotely. In particular, we show that, to perform traffic analysis, adversaries do not need to directly observe the traffic patterns. Instead, they can gain sufficient information by sending probes from a far-off vantage point that exploits a queuing side channel in routers. To demonstrate the threat of such remote traffic analysis, we study a remote website detection attack that works against home broadband users. Because the remotely observed traffic patterns are more noisy than those obtained using previous schemes based on direct local traffic monitoring, we take a dynamic time warping (DTW) based approach to detecting fingerprints from the same website. As a new twist on website fingerprinting, we consider a website detection attack, where the attacker aims to find out whether a user browses a particular web site, and its privacy implications. We show experimentally that, although the success of the attack is highly variable, depending on the target site, for some sites very low error rates. We also show how such website detection can be used to deanonymize message board users.

Cryptography and Security

Xiaodong Zang,Jian Gong,Maoli Wang,Peng Gao,Guowei Zhang

DOI: https://doi.org/10.1016/j.jnca.2023.103603

IF: 7.574

2023-04-01

Journal of Network and Computer Applications

Abstract:Discovering and describing IP traffic behavior is becoming more and more significant for efficient network management and security monitoring. Recently, many modeling techniques have been proposed, most of which focused on properties of a single dimension, such as volume-based or spatial-based. Characterizing IP traffic behavior with individual dimension features is often insufficient as they are spatiotemporally correlated. In this paper, we demonstrate that IP traffic behavior can be profiled from the perspective of end users’ access relationship. We find that groups of IPs have similar behavior traits, and with insights from the identified behavior profiles, we can discover malicious traffic behavior in the overwhelming measurement data. To this end, firstly, we extract a collection of features to profile traffic behavior from the dimension of temporal, spatial, category, and intensity. Then, we characterize and model the rhythmic behavior, the cyclical behavior, the access stable behavior, the service diversity behavior, and the hotspot behavior. Finally, we use the open-source dataset, synthetic data, and the real Internet Netflow data collected from the China Education Research Network backbone (CERNET) to empirically validate our proposal. Extensive results demonstrate that the applications of derived traffic patterns can achieve fine-grained traffic monitoring.

computer science, interdisciplinary applications, software engineering, hardware & architecture

Rafail Kartsioukas,Rajat Tandon,Zheng Gao,Jelena Mirkovic,Michalis Kallitsis,Stilian Stoev

2023-06-22

Abstract:Network operators and system administrators are increasingly overwhelmed with incessant cyber-security threats ranging from malicious network reconnaissance to attacks such as distributed denial of service and data breaches. A large number of these attacks could be prevented if the network operators were better equipped with threat intelligence information that would allow them to block or throttle nefarious scanning activities. Network telescopes or "darknets" offer a unique window into observing Internet-wide scanners and other malicious entities, and they could offer early warning signals to operators that would be critical for infrastructure protection and/or attack mitigation. A network telescope consists of unused or "dark" IP spaces that serve no users, and solely passively observes any Internet traffic destined to the "telescope sensor" in an attempt to record ubiquitous network scanners, malware that forage for vulnerable devices, and other dubious activities. Hence, monitoring network telescopes for timely detection of coordinated and heavy scanning activities is an important, albeit challenging, task. The challenges mainly arise due to the non-stationarity and the dynamic nature of Internet traffic and, more importantly, the fact that one needs to monitor high-dimensional signals (e.g., all TCP/UDP ports) to search for "sparse" anomalies. We propose statistical methods to address both challenges in an efficient and "online" manner; our work is validated both with synthetic data as well as real-world data from a large network telescope.

Cryptography and Security,Applications,Methodology

Chuwen Zhang,Boyang Zhou,Zerui Tian,Liang Cheng,Yuxi Liu,Huayu Zhang,Song Chen,Ying Wan,Wenquan Xu,Tian Pan,Yang Xu,Yi Wang,Hailong Zhu,Bin Liu

DOI: https://doi.org/10.1109/ICNP55882.2022.9940335

2022-01-01

Abstract:Time-Sensitive Networking (TSN) is proposed in recent years to satisfy the strict performance requirements of time-sensitive traffic in a growing number of emerging applications. Even though several traffic scheduling algorithms have been standardized for TSN to pursue this goal, time-sensitive flows may not be forwarded as planned and thus fail to achieve the expected performance in real networks. The fundamental cause lies in the fact that static offline planning cannot adapt to the intrinsic dynamic factors in TSN (e.g., time-synchronization error) at runtime. Hence, next-generation TSN will benefit from a closed-loop design where a performance monitoring system provides feedback of real-time packet-forwarding information. In our research, TSN-Peeper, a light-weight, fast-response and full-coverage TSN performance monitoring system, is designed and evaluated. This paper describes its architecture design and data collection mechanisms that enable timely identification and collection of packet-forwarding misbehavior at low-cost in TSN. TSN-Peeper offloads the misbehavior identification in the switch to relieve the burden on the controller and network bandwidth. To reduce the interruption frequency to the controller, it uses probe packets to collect misbehavior information in aggregation with optimized path planning. To realize controllable reporting delays, it optimizes the sending moments of probe packets according to the flow settings. Experimental results verify that TSN-Peeper offers fast response with low cost while providing full coverage and being scalable.

Fei Wang,Hailong Wang,Xiaofeng Wang,Jinshu Su

DOI: https://doi.org/10.1016/j.mcm.2011.02.025

2011-01-01

Mathematical and Computer Modelling

Abstract:Detection of distributed denial of service (DDoS) attacks has been a challenging problem for network security. Most of the existing works take into account the anomaly features of the traffic caused by DDoS. However, these detection methods suffer from either less generality or high computational and memory costs in detecting subtle DDoS attacks. In this paper, we first present a model for DDoS attacks with quantitative measurements. Based on this model, we find that there are two factors that have a severe influence on the deviation of traffic features. In view of these two factors, the DDoS attack traffic observed by monitors can be trivial, leading to the subtle DDoS attacks which are difficult to detect. To detect the subtle DDoS anomalies at monitors close to the attack sources, we propose a novel multistage DDoS detection framework that consists of a NTS (Network Traffic State) prediction, a fine-grained singularity detection and a malicious address extraction engine. We also briefly introduced how to distribute our detection framework to enhance the performance of detecting world-wide DDoS attacks. Moreover, the prototype system is implemented and evaluated with real network traces from our campus network and testbed. The results show that our method can detect various DDoS attacks efficiently even though the attack rate is low. Our method can extract malicious IPs for attack reaction with records for a short period, and multiple monitors distributed in the network can fuse the results of extraction seamlessly to improve the accuracy of detection

Jianhua Yang,Lixin Wang

DOI: https://doi.org/10.3390/electronics13163258

IF: 2.9

2024-08-18

Electronics

Abstract:In the past three decades, stepping-stone intrusion has become a professional and primary way used by intruders to launch their attacks since they can be protected behind a long TCP connection chain. Many different algorithms have been proposed to detect stepping-stone intrusion since 1995. But most algorithms cannot resist intruders' session manipulation. In this paper, we propose a novel approach using the distribution of round-trip time (RTT) of network traffic to detect stepping-stone intrusion. This approach can resist intruders' chaff-perturbation since the round-trip time of network packets can fairly be affected by chaffed packets. The ratio between the standard deviation of the RTTs between Send and Echo packets and the standard deviation of the RTTs between Send and Ack packets can be used to predict if a stepping-stone intrusion exists. The closer to 0 the ratio, the more suspicious a stepping-stone intrusion.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xingang Shi,Dah-Ming Chiu,John C. S. Lui

DOI: https://doi.org/10.1016/j.comnet.2009.12.003

IF: 5.493

2009-01-01

Computer Networks

Abstract:Flow level information is important for many applications in network measurement and analysis. In this work, we tackle the ''Top Spreaders'' and ''Top Scanners'' problems, where hosts that are spreading the largest numbers of flows, especially small flows, must be efficiently and accurately identified. The identification of these top users can be very helpful in network management, traffic engineering, application behavior analysis, and anomaly detection. We propose novel streaming algorithms and a ''Filter-Tracker-Digester'' framework to catch the top spreaders and scanners online. Our framework combines sampling and streaming algorithms, as well as deterministic and randomized algorithms, in such a way that they can effectively help each other to improve accuracy while reducing memory usage and processing time. To our knowledge, we are the first to tackle the ''Top Scanners'' problem in a streaming way. We address several challenges, namely: traffic scale, skewness, speed, memory usage, and result accuracy. The performance bounds of our algorithms are derived analytically, and are also evaluated by both real and synthetic traces, where we show our algorithm can achieve accuracy and speed of at least an order of magnitude higher than existing approaches.

Dah Ming Chiu,Xingang Shi

2011-01-01

Abstract:The scale and complexity of today's networks are increasing at a staggering pace, and so are the characteristics of data traffic and diverse applications or services in the networks. Their interdependencies also become more and more complicated, which ask for advanced network traffic measurement and analysis techniques. Besides packet level and flow level statistics, it is also important to monitor and understand the behavior of network users and applications, from the perspective of how they communicate with each other. For example, a popular server may attract a lot of connections from interested users; P2P peers often form clusters with intensive communications with each other; Botnet zombies receive regular commands from their botmaster and they may join a malicious campaign later to spread out a mass of spam emails or launch a DDoS attack. Such high level communication patterns as massive concurrent connections or causality of events are often useful behavior signatures of certain applications, or act as indications of anomaly. They can be very helpful in network management, traffic engineering, application behavior analysis, and anomaly detection. In this thesis, we study three interesting and useful communication patterns, including top spreaders, top scanners, and flow correlations. They have practical usage, especially in network management and anomaly detection. However, there is very little support from the network itself for high quality measurement of such non-trivial statistics, and the ever-increasing link speed and traffic volume have brought even greater challenges to our measurement and analysis. We take the approach of data streaming algorithms. First, we propose a general scheme called multiplexed sketches to efficiently estimate statistics of a large number of streams. Then we design appropriate algorithms that can accompany the multiplexed sketches to efficiently track each of the three communication patterns we have proposed. Particularly, we design a general "filter-tracker-digester" framework, where the filter provides a rough statistics estimation, the tracker tracks the IDs of potential candidate spreaders or scanners, and the digester is implemented as multiplexed sketches for accurate statistics estimation. Several challenges are addressed in our design, including traffic scale, skewness, speed, memory usage, and result accuracy. The performance of our algorithms is analyzed both mathematically and experimentally. We show they can achieve accuracy and speed of at least an order of magnitude higher than alternative approaches.

Zhichun Li,Yan Gao,Yan Chen

2005-01-01

Abstract:Traffic anomalies and attacks are commonplace in to- day's networks, and identifying them rapidly and ac- curately is critical for large networks. With the rapid growth of network bandwidth and fast emergence of new attacks/worms, existing network intrusion detection sys- tems (IDS) are insufficient for the following two reasons. First, they are mostly host-based or located on low-end routers, and not scalable to high-speed networks. How- ever, it is crucial to identify fast propagation of worms in their early phases, which can only possibly be achieved by detection at high speed edge/backbone routers instead of at end hosts. Unfortunately, the existing schemes are not scalable to the link speeds and number of flows for high-speed networks. According to a recent research agenda (7) by DARPA, detection on edge networks is par- ticularly critical, powerful and efficient (without deploy- ing IDSs on all the edge hosts). Second, most of the existing approaches are signature based, which cannot detect unknown attacks. Statistical IDSs are therefore proposed to detect anomalies. Cur- rent systems are mostly designed to detect based on the overall traffic, thus they tend to be inaccurate or can- not find real attack flows for mitigation even when spot- ting anomalies. For instance, the state-of-the-art stateless router-based SYN flooding detection techniques, Change Point Monitoring (CPM), use the statistical behavior of SYN-FIN, or SYN-SYN/ACK packet pairs based on over- all traffic for detection (5). It detects well with pure SYN

Zhi Jin

2003-01-01

Abstract:This paper proposes a frame for Internet users to characterize Internet link and forecasts the link status and network traffic in the near future.The methods of pathchar and packet pair are used to measure the latency of hops along a link and to calculate the bandwidth. TCPdump is introduced to collect the traffic of local LAN and build models for the traffic.An Internet user could predict the future status based on the link bandwidth and the local traffic, and then control his own network behavior.To improve the accuracy of the estimation of bandwidth, the extreme value theory (EVT)is deployed.The fractional autoregressive integrated moving average (FARIMA)models are used to predict network traffic and future link status.The measurements and the prediction data show that the proposed frame is correct and feasible.

Yun Mao,Kang Chen,Dongsheng Wang,Weimin Zheng

DOI: https://doi.org/10.1145/502932.502942

2001-01-01

Abstract:Web traffic has been increasing and evolving rapidly in recent years. It is important to measure the volume and characteristic of such dominant traffic to understand large-scale user access pattern and analyze performance of Web applications. Among the common methods of Web measurements, the passive way using packet monitoring is more advantageous since it provides comprehensive information and is transparent to end-users. However, the throughput of current packet monitoring system is limited by the bandwidth of network adapters. Computational capacity and buffer size are also potential performance bottlenecks for monitoring high-speed links. This paper proposes a cluster-based online monitoring system, which generates rich logs by packet sniffing for Web analysis in a cluster environment. Powered by cluster computing technologies, the system achieves high performance and availability. Other techniques, such as online reconstruction in memory and kernel packet filter, are also adopted to improve the system performance. The experimental results indicate that it is feasible to trace in high-speed links with the cluster-based system.

Zhiliang Wang,Changping Zhou,Yang Yu,Xingang Shi,Xia Yin,Jiangyuan Yao

DOI: https://doi.org/10.1007/978-3-030-00012-7_5

2018-01-01

Abstract:Heavy Hitters refer to the set of flows that represent a significantly large proportion of the link capacity or of the active traffic. Identifying Heavy Hitters is of particular importance in both network management and security applications. Traditional methods are focusing on sampling in the middle box and analyzing those packets using streaming algorithms. The paradigm of Software Defined Network (SDN) simplifies the work of flow counting. However, continuously monitoring the network will introduce overhead, which needs to be considered as a tradeoff between accurate measurement in real-time. In this paper, We propose a novel method that stamps each suspicious flow with a weight based on an online learning algorithm. The granularity of measurement is dynamically changed according to the importance of each flow. We take advantage of history flows to make the procedure of finding a heavy hitter faster so that applications can make decisions instantly. Using real-world data, we show that our online learning method can detect heavy hitters faster with less overhead and the same accuracy.

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Peng Jia,Pinghui Wang,Yuchao Zhang,Xiangliang Zhang,Jing Tao,Jianwei Ding,Xiaohong Guan,Don Towsley

DOI: https://doi.org/10.1109/tkde.2020.2975625

IF: 9.235

2022-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Online monitoring user cardinalities in graph streams is fundamental for many applications such as anomaly detection. These graph streams may contain edge duplicates and have a large number of user-itempairs, which makes it infeasible to exactly compute user cardinalities due to limited computational and memory resources. Existing methods are designed to approximately estimate user cardinalities, but their accuracy highly depends on complex parameters and they cannot provide anytime-available estimation. To address these problems, we develop novel bit/register sharing algorithms, which use a bit/register array to build a compact sketch of all users' connected items. Our algorithms exploit the dynamic properties of the bit/register arrays (e.g., the fraction of zero bits in the bit array) to significantly improve the estimation accuracy, and have low time complexity O(1) to update the estimations for a new user-item pair. In addition, our algorithms are simple and easy to use, without requirements to tune any parameter. Furthermore, we extend our methods to detect super spreaders with large cardinalities in real-time. We evaluate the performance of our methods on real-world datasets. The experimental results demonstrate that our methods are several times more accurate and faster than state-of-the-art methods using the same amount of memory.

Robert Schweller,Zhichun Li,Yan Chen,Yan Gao,Ashish Gupta,Yin Zhang,Peter Dinda,Ming-Yang Kao,Gokhan Memik

DOI: https://doi.org/10.1109/INFOCOM.2006.203

2006-01-01

Abstract:A key function for network traffic monitoring and analysis is the ability to perform aggregate queries over multiple data streams. Change detection is an important primitive which can be extended to construct many aggregate queries. The recently proposed sketches [1] are among the very few that can detect heavy changes online for high speed links, and thus support various aggregate queries in both temporal and spatial domains. However, it does not preserve the keys (e.g., source IP address) of flows, making it difficult to reconstruct the desired set of anomalous keys. In an earlier abstract we proposed a framework for a reversible sketch data structure that offers hope for efficient extraction of keys [2]. However, this scheme is only able to detect a single heavy change key and places restrictions on the statistical properties of the key space.To address these challenges, we propose an efficient reverse hashing scheme to infer the keys of culprit flows from reversible sketches. There are two phases. The first operates online, recording the packet stream in a compact representation with negligible extra memory and few extra memory accesses. Our prototype single FPGA board implementation can achieve a throughput of over 16 Gbps for 40-byte-packet streams (the worst case). The second phase identifies heavy changes and their keys from the representation in nearly real time. We evaluate our scheme using traces from large edge routers with OC-12 or higher links. Both the analytical and experimental results show that we are able to achieve online traffic monitoring and accurate change/intrusion detection over massive data streams on high speed links, all in a manner that scales to large key space size. To the best of our knowledge, our system is the first to achieve these properties simultaneously.