Yunpeng Guo,Yan Liu,Junyong Luo

DOI: https://doi.org/10.1007/978-981-10-0457-5_10

2016-01-01

Abstract:As large numbers of user information on various network services are becoming valuable resources for social computing, how to associate user information scattered in a variety of services turns to one of the key issues of user identity mining. First this paper outlines the difficulties of dealing with account association, then describes the basis of account association method. After that, this paper sums up account association methods mainly from five aspects which are user naming conventions, user profiles, user writing styles, user online behavior, and user community relationship. Finally, this paper points out the development direction and prospects of account association.

Tao Qin,Wei Li,Chenxu Wang,Xingjun Zhang

DOI: https://doi.org/10.1587/transcom.e97.b.730

2014-01-01

IEICE Transactions on Communications

Abstract:With the ever-growing prevalence of web 2.0, users can access information and resources easily and ubiquitously. It becomes increasingly important to understand the characteristics of user's complex behavior for efficient network management and security monitoring. In this paper, we develop a novel method to visualize and measure user's web-communication-behavior character in large-scale networks. First, we employ the active and passive monitoring methods to collect more than 20,000 IP addresses providing web services, which are divided into 12 types according to the content they provide, e.g. News, music, movie and etc, and then the IP address library is established with elements as (service(type), IPaddress). User's behaviors are complex as they stay in multiple service types during any specific time period, we propose the behavior spectrum to model this kind of behavior characteristics in an easily understandable way. Secondly, two kinds of user's behavior characters are analyzed: the character at particular time instants and the dynamic changing characters among continuous time points. We then employ Renyi cross entropy to classify the users into different groups with the expectation that users in the same groups have similar behavior profiles. Finally, we demonstrated the application of behavior spectrum in profiling network traffic patterns and finding illegal users. The efficiency and correctness of the proposed methods are verified by the experimental results using the actual traffic traces collected from the Northwest Regional Center of China Education and Research Network (CERNET).

Hu Zhongshun,Chen fei,Xie Chenhao,Xiao Yanghua

DOI: https://doi.org/10.2991/icmit-16.2016.35

2016-01-01

Abstract:Internet users tend to have a number of different types of Internet accounts, and yet there does not exist a perfect Internet account association approach. The telecom network operators use DPI technology can detect the part of user's Internet records, which makes it possible to realize the connection of the Internet account on the operator side. This paper illustrates the significance of extraction, connection of Internet accounts from the DPI data. We combine the edit distance and Jaccard coefficient two string similarity algorithms to propose a string similarity method which is suitable for calculating the similarity of the account information and use classification algorithm to analyze the similarity of the account from the user's behavior, and find the correlation between the accounts. On the basis of the account associated, we provide more detailed portrait of users. Finally, we show that the proposed method can effectively extract the accounts from DPI data and associate accounts experiment on China Telecom data.

Tao Qin,Dan Zhao,Min Zhu,Wei Li

DOI: https://doi.org/10.1109/ICCW.2014.6881276

2014-01-01

Abstract:With the quick development of the internet, it benefits a lot to our daily lives from the fast growing of applications. But on the other hand, time and energy of a specific user are limited and it is very difficult for him to find the interesting information from the massive data. In this paper, we focus on how to analyze the user's combined behavior characteristics from numbers of applications for obtaining his insightful interests and provide high quality of knowledge pushing services. Firstly, we employ the passive and the active measurement methods to extract the users' IDs of different applications. Secondly, we develop an ID association method named as “snow ball rolling” to mine the IDs belong to the specific physical user. Based on the mining results, we can combine the user's behavior in different applications together, which lay a solid foundation for insightful interest mining and efficiency knowledge pushing. Finally, experiment results based on datasets collected from the actual network show the efficiency and accuracy of our methods.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Min Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.10.008

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic pattern characteristics monitoring is useful for abnormal behavior detection and network management. In this paper, we develop a framework for connection degree calculation and measurement in high-speed networks. The bi-directional traffic flow model is employed to aggregate traffic packets, which can reduce the number of flow records and capture user's alternation behavior characteristics. The first order connection degree and joint correlation degree are selected as the features to capture the characteristics of traffic profiles. To perform careful traffic inspection and attack detection, not only the abnormal changes of a single traffic feature but also the correlations between the features are analyzed in the new framework. First, the symmetry of in and out connection degrees is analyzed. And we found that incomplete flows are an important information source for abnormal behavior detection. Second, joint correlation degree can characterize the user's communication profiles and their behavior dynamics, which are employed to perform abnormal detection using measurements based on Renyi cross entropy. Finally, the reversible degree sketch is employed for querying abnormal traffic pattern sources for real-time traffic management. The experimental results based on actual traffic traces collected from Northwest Regional Center of CERNET (China Education and Research Network) show the efficiency of the proposed method. The method based on Renyi entropy can detect abnormal changing points correctly. FNR of the reversible sketch for locating abnormal sources is below 4% and time complexity is constant and less than 4s, which is critical for real-time traffic monitoring.

Faqiang Sun,Li Zhao,Bo Zhou,Yong Wang

DOI: https://doi.org/10.1109/iccia49625.2020.00036

2020-06-01

Abstract:Network operators often need a clear visibility of the mobile APPs and their user scales running in the network traffic. This is critical for network management and network security. Analysis of the network traffic using the extracted APP features and user fingerprints is helpful for effective network operations, management, and security monitoring of LANs, MANs, and WANs. In China, the number of mobile APP users continues to increase, and the proportion of Internet users using mobile APPs to access the Internet far exceeds that of computers, making this task significant and difficult. The traditional methods are mainly APP identifications or identifications of specific APP users, which cannot satisfy the requirements of globally monitoring of APPs and their user scales at the same time. Especially when many users share the same network IPs (4G, home broadband, NAT), this work becomes challenging and time-consuming. This paper proposes an automatic fingerprint extraction approach of mobile APP users in network traffic. By analyzing the plaintext of the HTTP requests initiated by APPs in training datasets, we extract the APPs’ features and the users’ fingerprints simultaneously. Both of them are the combinations of strings which are distinguishable of APPs and their users in the network traffic. The proposed method is evaluated with the top 49 popular APPs in Huawei App Store. The experimental results show that the recalls of the extractions of APPs’ features and users’ fingerprints are respectively 77.5% and 55.1% in total.

王科,胡海波,汪小帆

DOI: https://doi.org/10.3969/j.issn.1672-3813.2008.04.006

2008-01-01

Abstract:To explore the communication pattern of individuals in social networks,by the log data we study the structural properties of an email network in a Chinese university.Two kinds of networks are constructed: unmutual network and mutual network.Both networks have a strong degree-strength correlation but neither of them has a significant assortative or disassortative property.Moreover,we find that there is a rich-club phenomenon among the high-strength nodes but not among the large-degree nodes.Finally,we detect the community structure of the weighted mutual network by weighted fitness algorithm and find that the cumulative distribution of community size follows power law.The results provide empirical foundation for model-building and simulations.

Xuan Hu,Banghuai Li,Yang Zhang,Changling Zhou,Hao Ma

DOI: https://doi.org/10.1145/2935663.2935672

2016-01-01

Abstract:While email plays a growingly important role on the Internet, we are faced with more severe challenges brought by compromised email accounts, especially for the administrators of institutional email service providers. Inspired by the previous experience on spam filtering and compromised accounts detection, we propose several criteria, like Success Outdegree Proportion, Reverse Pagerank, Recipient Clustering Coefficient and Legitimate Recipient Proportion, for compromised email accounts detection from the perspective of graph topology in this paper. Specifically, several widely used social network analysis metrics are used and adapted according to the characteristics of mail log analysis. We evaluate our methods on a dataset constructed by mining the one month (30 days) mail log from an university with 118,617 local users and 11,460,399 mail log entries. The experimental results demonstrate that our methods achieve very positive performance, and we also prove that these methods can be efficiently applied on even larger datasets.

Jiabin Li,Zhi Xue

DOI: https://doi.org/10.2991/iccia-17.2017.5

2017-01-01

Abstract:Big data analysis technology is getting more and more popular among various enterprises, government departments and other institutions. With the help of huge amount of data, network users' behaviour in cyber space can be vividly described. This paper first introduces the status of research on user profile, then puts forward a new method, using big data technology to analysis users' network datagram; then the paper builds up a system to wrap the data storage and search module, the profiling module and visualizing module all together. The paper aims to provide some insights for better governance, enterprise operation and security management.

Yi Wen,Xingshu Chen,Xuemei Zeng,Wei Wang

DOI: https://doi.org/10.1038/s41598-020-63191-5

2020-04-29

Abstract:E-mail has become the main carrier of spreading malicious software and been widely used for phishing, even high-level persistent threats. The e-mail accounts with high social reputation are primary targets to be attacked and utilized by attackers, suffering a lot of probing attacks for a long time. In this paper, in order to understand the probing pattern of the e-mail account attacks, we analyse the log of email account probing captured in the campus network based on graph mining. By analysing characteristics of the dataset in different dimensions, we find a kind of e-mail account probing attack and give it a new definition. Based on the analysis results, its probing pattern is figured out. From the point of probing groups and individuals, we find definitely opposite characteristics of the attack. Owing to the probing pattern and its characteristics, attacks can escape from the detection of security devices, which has a harmful effect on e-mail users and administrators. The analysis results of this paper provide support for the detection and defence of such distributed attacks.

LIU Shu-yu,LI Zhi-tang,TU Hao,GUO Zheng-biao,XIE Da

DOI: https://doi.org/10.3969/j.issn.1001-7445.2011.z1.018

2011-01-01

Abstract:Based on the statistical characteristics analysis of three email client behaviors—WebMail login,sending email with ESMTP protocol and receiving email with POP3 protocol,the number of ESMTP authentication and number of POP3 authentication were extracted and an email client behavior model was built.In this paper,an anomaly email account detection method is introduced.This method has been applied in the mail system of Huazhong University of Science and Technology(HUST).The results show that this method can quickly detect abnormal email account with high efficiency.

Jia Liu,Peng Gao,Jian Yuan,Xuetao Du

DOI: https://doi.org/10.1155/2010/375942

2010-01-01

Journal of Probability and Statistics

Abstract:Mechanisms to extract the characteristics of network traffic play a significant role in traffic monitoring, offering helpful information for network management and control. In this paper, a method based on Random Matrix Theory (RMT) and Principal Components Analysis (PCA) is proposed for monitoring and analyzing large-scale traffic patterns in the Internet. Besides the analysis of the largest eigenvalue in RMT, useful information is also extracted from small eigenvalues by a method based on PCA. And then an appropriate approach is put forward to select some observation points on the base of the eigen analysis. Finally, some experiments about peer-to-peer traffic pattern recognition and backbone aggregate flow estimation are constructed. The simulation results show that using about 10% of nodes as observation points, our method can monitor and extract key information about Internet traffic patterns.

Weisong He,Guangmin Hu

DOI: https://doi.org/10.1109/icccas.2009.5250513

2009-01-01

Abstract:One difficult task when managing large-scale network traffic flows is that the network operators must deal with a very large number of flow records. In this paper, we introduce a new defined TCP flags information analysis method, proportion-based analysis, which is a better way to narrow the analyzable flow records. We compute the percentage of different type of TCP flags among total traffic flows and consider these as multivariate time series over a duration of time. Furthermore, we may obtain frequent pattern of different type of TCP flags using multivariate time series association rule mining method. Experimental results with backbone network (Internet2) data confirmed our method.

Zhibo Wang,Zhongyuan Li,Jiawen Sun,Qi Yin,Lu Gao,Xiaohui Cui

DOI: https://doi.org/10.14257/ijsia.2017.11.1.06

2017-01-01

International Journal of Security and Its Applications

Abstract:Nowadays, Internet is fulfilled by huge-scale personal information, and there exists a phenomenon that these kinds of personal information are not distributed in the Internet randomly, but archived in several social media under a certain rule, which is said the different characters of social media. It is rational to infer to the conclusion that we could not learn the every aspect of an individual through only one social medium he/she using, and only if through multi-social media could we learn the more integrated information of individuals. This thesis proposes an approach for user identity resolution based on user's social network and user's behavior patterns. After collecting available user's network and personal information, the approach accomplishes this task that analyze and compare these data, including similarity measure between nodes of networks and string similarity measure, and finally determine whether they are match with each other according to the calculation results. The experimental results show that the method improved the recognition accuracy.

Zhaoli Liu,Tao Qin,Xiaohong Guan,Xiaoqiang Niu,Tao Yang

DOI: https://doi.org/10.1109/trustcom.2015.497

2015-01-01

Abstract:The quickly development of many online applications benefit our daily life. But on the other hand, user usually holds several aliases in different online applications. The aliases across multi-online applications detection are becoming more and more important for E-marketing and user's behavior monitoring. In this paper, we propose a method for detecting aliases across multi-online applications. Firstly, we employ the active and positive methods to collect the user's alias and behavior information from several famous applications, including Email, RenRen and etc. Then we analyzed the user's behavior characteristics in specific applications, and some interesting findings are proposed. Finally, we perform the alias detection based on user's behavior profiles, including the similarity of the ID and the number of appearance in specific IP address. According to user's behavior habit, the aliases belong to the same physical users are usually similar with each other. Furthermore, one specific user usually use the same computer to login into different applications, thus the IP addresses used for accessing those applications usually same with each other. Based on those assumptions we employ the Bayesian Network to perform alias detection. Empirical results based on actual data verify the efficiency and correctness of the proposed methods.

Tao Qin,Xiaohong Guan,Chenxu Wang,Zhaoli Liu

DOI: https://doi.org/10.1109/jsyst.2014.2350019

IF: 4.802

2015-01-01

IEEE Systems Journal

Abstract:Mastering user's behavior character is important for efficient network management and security monitoring. In this paper, we develop a novel framework named as multilevel user cluster mining (MUCM) to measure user's behavior similarity under different network prefix levels. Focusing on aggregated traffic behavior under different network prefixes cannot only reduce the number of traffic flows but also reveal detailed patterns for a group of users sharing similar behaviors. First, we employ the bidirectional flow and bipartite graphs to model network traffic characteristics in large-scale networks. Four traffic features are then extracted to characterize the user's behavior profiles. Second, an efficient method with adjustable weight factors is employed to calculate the user's behavior similarity, and entropy gain is applied to select the weight factor adaptively. Using the behavior similarity metrics, a simple clustering algorithm based on k-means is employed to perform user clustering based on behavior profiles. Finally, we examine the applications of behavior clustering in profiling network traffic patterns and detecting anomalous behaviors. The efficiency of our methods is verified with extensive experiments using actual traffic traces collected from the northwest region center of China Education and Research Network (CERNET), and the cluster results can be used for flow control and traffic security monitoring.

Pinghui Wang,Xiaohong Guan,Tao Qin,Qiuzhen Huang

DOI: https://doi.org/10.1109/tifs.2011.2123094

IF: 7.231

2011-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Due to the massive amount of data in high-speed network traffic and the limit on processing capability, it is a great challenge to accurately measure and monitor network traffic over high-speed links online. A new data structure is presented in this paper for locating the hosts associated with large connection degrees or significant changes in connection degrees based on the reversible connection degree sketch to monitor anomalous network traffic. The reversible connection degree sketch builds a compact summary of host connection degrees efficiently and accurately. For each packet coming, it only needs to set several bits selected in a bit array by a group of hash functions. These hash functions are designed based on the Chinese Remainder Theorem so that the in-degree or out-degree associated with a given host can be accurately estimated. With this new data structure, we develop a new reverse sketch method for locating abnormal hosts. Although the reversible connection degree sketch does not preserve any host address information, we can analytically reconstruct the host addresses associated with large connection degrees or significant changes in connection degrees by a simple calculation purely based on the characteristics of the hash functions. Furthermore, a reinforced reversible connection degree sketch, the double connection degree sketch, is developed to reduce false positives which are commonly encountered in the sketch-based methods. A traffic monitoring system based on this double connection degree is developed to detect and classify the abnormal hosts associated with large connection degrees or significant changes in connection degrees. The experiments are conducted based on the actual network traffic and the testing results show that our method is accurate and efficient.

SHI Quan,XIAO Yang-hua,WEN Wen-hao,ZHU Qian-qian,WANG Heng-shan

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.01.041

2011-01-01

Abstract:Extracting large-scale social networks from massive heterogeneous Web data is of both theoretical and practical significance. However,one of definite features of this task was large-scale computing, which remains to be a great challenge that would be addressed.Cloud computing platform had provided us new opportunity to overcome this challenge.Hence,efforts would be dedicated to investigate the methods to extract large social network from Web data by cloud computing techniques.Specifically,proposed a Mapreduce-based approach to extract common interest network from DIGG. The experimental results show that the proposed method has good scalability and extensibility,having the capability to extract large-scale social network of high quality from heterogeneous Web data sources.

Yong Wang -,Lin Zuo,Zhiguang Qin

2011-01-01

Journal of Computational Information Systems

Abstract:Understanding users' online behavior and interests has gained significant attention in recent years. This is mainly due to the availability of large-scale datasets from popular online social networking websites. In this paper, we divert from this 'traditional' avenue and apply a network-based approach in an attempt to reveal users' online behavior. In particular, we use a three-month long DNS-level trace generated by more than 45,000 users of a university access network. To analyze this trace, we design and implement a system capable of automatically tagging user access interests based on the corresponding domain names. We then provide, to the best of our knowledge, the first of its kind insights at such a large scale about the temporal and content-level user access properties common for large groups of users. Copyright © 2011 Binary Information Press.

Zhibo Wang,Chongyi Zhou,Jiawen Sun,Shuai Wang,Hui Zhan,Ying Yu,Weiping Zhu,Xiaohui Cui

DOI: https://doi.org/10.1109/ccbd.2015.28

2017-01-01

Abstract:People usually use various social media for different purposes. Personal information are not distributed in the Internet randomly, but archived in several social media under a certain rule, which is called the different characters of social media. When sources of complementary information are integrated, the fused social data of people will have broad prospect in the area of recommendation system and security. A key problem for social data fusion is to discover multiple accounts of a single person across different social media. In this paper, we propose a methodology for user identity resolution based on user's basic information and social network. The approach accomplishes this task by measuring the similarity of vertices. Finally, we use calculation results to evaluate these methods' accuracy rate.