Xiaodong Zang,Jian Gong,Siyi Huang,Xiaoyan Hu,Yun Yang

DOI: https://doi.org/10.1007/s42045-019-00023-9

2019-01-01

CCF Transactions on Networking

Abstract:The discovery and description of the IP traffic behavior is of great significance for both network operation management and network security monitoring. Researches demonstrate that there are some similarities of the traffic behavior among different IPs, hence, they can be clustered based on the behavior similarity. These similar traffic behaviors can be depicted by a specific behavior pattern called IP address role in our work. Towards this end, a unidirectional IP flow record is used to represent an independent IP activity. The traffic behavior metrics are defined in four dimensions including the duration time, the peer address, the application types and the number of packets and bytes contained in the flow, which corresponds to temporal dimension, spatial dimension, category dimension and intensity dimension, respectively. Nine single-attribute and thirty-nine dual-attribute metrics are extracted from four dimensions to compose the IP address traffic characteristic spectrum, which is used to profile the behavior of all IPs in the observed network and provide the data for the behavior description of each class of IP. These classes are established by a characteristic spectrum matched IP address role mining algorithm designed in this paper. NetFlow data collected from some border routers of China Education Research Network backbone (CERNET) is used to verify the method. Experimental results demonstrate that our approach can be applied to anomaly behavior detection and mainstream behavioral habits analysis.

Tao Qin,Wei Li,Chenxu Wang,Xingjun Zhang

DOI: https://doi.org/10.1587/transcom.e97.b.730

2014-01-01

IEICE Transactions on Communications

Abstract:With the ever-growing prevalence of web 2.0, users can access information and resources easily and ubiquitously. It becomes increasingly important to understand the characteristics of user's complex behavior for efficient network management and security monitoring. In this paper, we develop a novel method to visualize and measure user's web-communication-behavior character in large-scale networks. First, we employ the active and passive monitoring methods to collect more than 20,000 IP addresses providing web services, which are divided into 12 types according to the content they provide, e.g. News, music, movie and etc, and then the IP address library is established with elements as (service(type), IPaddress). User's behaviors are complex as they stay in multiple service types during any specific time period, we propose the behavior spectrum to model this kind of behavior characteristics in an easily understandable way. Secondly, two kinds of user's behavior characters are analyzed: the character at particular time instants and the dynamic changing characters among continuous time points. We then employ Renyi cross entropy to classify the users into different groups with the expectation that users in the same groups have similar behavior profiles. Finally, we demonstrated the application of behavior spectrum in profiling network traffic patterns and finding illegal users. The efficiency and correctness of the proposed methods are verified by the experimental results using the actual traffic traces collected from the Northwest Regional Center of China Education and Research Network (CERNET).

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.

Yinxin Wan,Kuai Xu,Feng Wang,Guoliang Xue

DOI: https://doi.org/10.1109/tnse.2020.3026961

IF: 6.6

2021-01-01

IEEE Transactions on Network Science and Engineering

Abstract:As connected Internet-of-things (IoT) devices in smart homes, smart cities, and smart industries continue to grow in size and complexity, managing and securing them in distributed edge networks have become daunting but crucial tasks. The recent spate of cyber attacks exploiting the vulnerabilities and insufficient security management of IoT devices have highlighted the urgency and challenges for securing billions of IoT devices and applications. As a first step towards understanding and mitigating diverse security threats of IoT devices, this paper develops an IoT traffic measurement framework on programmable and intelligent edge routers to automatically collect incoming, outgoing, and internal network traffic of IoT devices in edge networks, and to build multidimensional behavioral profiles which characterize who, when, what, and why on the behavioral patterns of IoT devices based on continuously collected traffic data. To the best of our knowledge, this paper is the first effort to shed light on the IP-spatial, temporal, entropy, and cloud service patterns of IoT devices in edge networks, and to explore these multidimensional behavioral fingerprints for IoT device classification, anomaly traffic detection, and network security monitoring for vulnerable and resource-constrained IoT devices on the Internet.

Kuai Xu,Feng Wang,Lin Gu

DOI: https://doi.org/10.1109/TNET.2013.2264634

2014-01-01

Abstract:As Internet traffic continues to grow in size and complexity, it has become an increasingly challenging task to understand behavior patterns of end-hosts and network applications. This paper presents a novel approach based on behavioral graph analysis to study the behavior similarity of Internet end-hosts. Specifically, we use bipartite graphs to model host communications from network traffic and build one-mode projections of bipartite graphs for discovering social-behavior similarity of end-hosts. By applying simple and efficient clustering algorithms on the similarity matrices and clustering coefficient of one-mode projection graphs, we perform network-aware clustering of end-hosts in the same network prefixes into different end-host behavior clusters and discover inherent clustered groups of Internet applications. Our experiment results based on real datasets show that end-host and application behavior clusters exhibit distinct traffic characteristics that provide improved interpretations on Internet traffic. Finally, we demonstrate the practical benefits of exploring behavior similarity in profiling network behaviors, discovering emerging network applications, and detecting anomalous traffic patterns.

Qiang Li,Tao Qin,Xiaohong Guan,Qinghua Zheng

DOI: https://doi.org/10.7652/xjtuxb201308004

2013-01-01

Abstract:Measurement methods based on bi-directional flow model are proposed to investigate the symmetric characteristic of the non-business network traffics. The features of protocol, port distribution and flow size are extracted from host-level aggregated traffic to characterize users' interactive behavior and to find the origins of traffic symmetry. The analysis results using actual traffic traces collected from the campus network of Xi'an Jiaotong University show that 1% of the total hosts bear more than 90% of the forward UDP traffic, which results in the symmetry of total traffic. Compared with the traditional flow model, the proposed methods can quickly locate the hosts that are responsible for traffic symmetry, and are more suitable for traffic control and management in non-business networks.

Weisong He,Guangmin Hu,Yingjie Zhou

DOI: https://doi.org/10.1007/s11235-010-9384-1

2010-01-01

Telecommunication Systems

Abstract:In this paper, a substructure-based network behavior anomaly detection approach, called WFS (Weighted Frequent Subgraphs), is proposed to detect the anomalies of a large-scale IP networks. With application of WFS, an entire graph is examined, unusual substructures of which are reported. Due to additional information given by the graph, the anomalies are able to be detected more accurately. With multivariate time series motif association rules mining (MTSMARM), the patterns of abnormal traffic behavior are able to be obtained. In order to verify the above proposals, experiments are conducted and, together with application of backbone networks (Internet2) Netflow data, show some positive results.

Jian Zhang,Yan Tong,Tao Qin

DOI: https://doi.org/10.1145/3028842.3028867

2016-01-01

Abstract:With the increasing of the network bandwidth, users generate massive traffic data, how to extract the effective traffic features and achieve the goal of abnormal behavior detection is a hot and difficult problem in the area of network security monitoring. In this paper, several traffic features are proposed to capture the traffic characteristics, and then we employ the DBSCAN methods to realize abnormal traffic mining based on those features. We extract four traffic features to capture the traffic characteristics, including the ratio between number of source and destination IP addresses, ration between number of source port and destination port, ration between number of TCP packet and the total number of packets and that of number of small packets between the total number of package in a specific time window. Based on the feature extracted, we employ the DBSCAN method to cluster the network traffic in different clusters. Traffic packet in different clusters has different statistical characteristics, and the isolated points are employed to perform abnormal traffic detection. The implementation results based on traffic collect from our Lab show that proposed statistics features can capture traffic characteristics, and clustering method can classify the abnormal traffic packets into a special cluster.

Bin Zhang,YANG Jia-Hai,WU Jian-Ping

DOI: https://doi.org/10.3724/SP.J.1001.2011.03950

2011-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:The Internet traffic model is the key issue for network performance management, Quality of Service management, and admission control. The paper first summarizes the primary characteristics of Internet traffic, as well as the metrics of Internet traffic. It also illustrates the significance and classification of traffic modeling. Next, the paper chronologically categorizes the research activities of traffic modeling into three phases: 1) traditional Poisson modeling; 2) self-similar modeling; and 3) new research debates and new progress. Thorough reviews of the major research achievements of each phase are conducted. Finally, the paper identifies some open research issue and points out possible future research directions in traffic modeling area. © Copyright 2011, Institute of Software, the Chinese Academy of Sciences. All rights reserved.

Weisong He,Guangmin Hu

DOI: https://doi.org/10.1109/icccas.2009.5250513

2009-01-01

Abstract:One difficult task when managing large-scale network traffic flows is that the network operators must deal with a very large number of flow records. In this paper, we introduce a new defined TCP flags information analysis method, proportion-based analysis, which is a better way to narrow the analyzable flow records. We compute the percentage of different type of TCP flags among total traffic flows and consider these as multivariate time series over a duration of time. Furthermore, we may obtain frequent pattern of different type of TCP flags using multivariate time series association rule mining method. Experimental results with backbone network (Internet2) data confirmed our method.

Yuqi Yu,Hanbing Yan,Hongchao Guan,Hao Zhou

DOI: https://doi.org/10.48550/arXiv.1810.12751

2018-10-30

Cryptography and Security

Abstract:In the Internet age, cyber-attacks occur frequently with complex types. Traffic generated by access activities can record website status and user request information, which brings a great opportunity for network attack detection. Among diverse network protocols, Hypertext Transfer Protocol (HTTP) is widely used in government, organizations and enterprises. In this work, we propose DeepHTTP, a semantics structure integration model utilizing Bidirectional Long Short-Term Memory (Bi-LSTM) with attention mechanism to model HTTP traffic as a natural language sequence. In addition to extracting traffic content information, we integrate structural information to enhance the generalization capabilities of the model. Moreover, the application of attention mechanism can assist in discovering critical parts of anomalous traffic and further mining attack patterns. Additionally, we demonstrate how to incrementally update the data set and retrain model so that it can be adapted to new anomalous traffic. Extensive experimental evaluations over large traffic data have illustrated that DeepHTTP has outstanding performance in traffic detection and pattern discovery.

Guodong Li,Tao Qin,Wei Li

DOI: https://doi.org/10.1109/iccsnt.2011.6182135

2011-01-01

Abstract:Analysis and measurement of traffic features are crucial for effective network management and traffic control. In this paper we proposed several traffic flow models to aggregate traffic packets in multi-scales and entropy to measure the feature distribution hierarchically, and then seek for the important features and appropriate scale for traffic monitoring. DFlow model is a group of packets with identical triples: source address, destination address and destination port, and HFlow the same source and destination addresses. By removing traffic features from the NetFlow model, the aggregation scales are extended. Source and Destination addresses are selected to investigate the traffic characters with different flow models. The experimental results using actual traffic show that the number of flows is reduced when the aggregation scale is extended, and the entropy of normal traffic addresses is stable along with the monitoring time. On the other hand, the entropy of destination address is increased when the aggregation scales extended. Investigations into the traffic show that this is caused by the widely used of HTTP and Point to Point protocols. Analysis of the worm scanning traffic shows that the abnormal behavior patterns are more regularly than normal behavior and traffic features have the same entropy with different flow models. The results also show that the appropriate scale for traffic monitoring is the Dflow model, which reduced the data records by more than 30% while retain the traffic characters.

Kuai Xu,Feng Wang,Lin Gu,Jianhua Gao,Yaohui Jin

DOI: https://doi.org/10.1007/s00779-013-0711-x

2012-01-01

Abstract:The rapid spread of residential broadband connections and Internet-capable consumer devices in home networks has changed the landscape of Internet traffic. To gain a deep understanding of Internet traffic for home networks, this paper develops a traffic monitoring platform that collects and analyzes home network traffic via programmable home routers and traffic profiling servers. Using traffic data captured from real home networks, we present traffic characteristics in home networks and then apply principal component analysis to uncover temporal correlations among application ports. In light of prevalent unwanted traffic on the Internet, we characterize the intensity, sources, and port diversity of unwanted traffic toward home networks. To the best of our knowledge, this paper is the first study to characterize network traffic of Internet-capable devices from inside home network.

Ahmad Jakalan,Jian Gong,Qi Su,Xiaoyan Hu,Abdeldime M. S. Abdelgder

DOI: https://doi.org/10.1016/j.comnet.2016.02.012

IF: 5.493

2016-01-01

Computer Networks

Abstract:The continuous growth of Internet and its applications caused more difficulties for analyzing Internet communications which are becoming more and more complex, this has caused new challenges for monitoring and managing the huge and vast network traffic. It is not efficient to monitor and analyze individual IP addresses, so it is more useful to monitor groups of IP addresses that have similar behavior, which represents a certain application activity. Nowadays, such a grouping is either based on network prefixes that does not meet the requirement mentioned above as difference of traffic behavior of individual IP address not being considered, or clustering IP hosts based on their traffic patterns, which requires information about TCP/UDP port numbers (which are occasionally obfuscated) or packet payloads (which are sometimes encrypted or unavailable from aggregated flow records). This paper proposes a new methodology of clustering IP addresses within a managed network domain such as campus network or ISP clients with similar social relationship based on inter-IP connectivity structure. The key idea of this methodology is to split the entire IP address space into Internal (inside the managed domain) and External (outside) ones. The clustering strategy is to group inside IP addresses that communicate with common outside IP addresses, the similarity measure of two inside IP addresses is the unique number of the common outside IP addresses. We propose a novel approach with an approximation algorithm to discover communities on a large scale in the managed domain based on the bipartite networks and one mode projection and the basis of graph partitioning of the similarity graph. Bipartite networks were built using NetFlow datasets collected from a boundary router in an actual environment, and then a one-mode projection has been applied to build a social relationship similarity graph of the inside IP addresses. We propose a community detection algorithm to extract communities. Experimental results demonstrate that our approach can discover communities from real large scale managed domain networks with a high quality. We experimentally validate our approach in terms of IP networking by applying deep flow inspection (DFI) and deep packet inspection (DPI) on related traffic to prove that hosts with the same cluster tend to have some dominant network behavior. We demonstrated the practical benefits of exploring social behavior similarity of IP hosts in understanding application usage, users' behavior, detecting malicious users, and users of prohibited applications.

Tao Qin,Xiaohong Guan,Yi Long,Wei Li

DOI: https://doi.org/10.1109/icis.2009.104

2009-01-01

Abstract:Users' character analysis and control are important for enterprise network management and security. In this paper, we propose a novel method to classify the users' behaviors into different security levels and control their behaviors with corresponding strategies. Firstly, Dflow model and several traffic features, including the number of packets, number of flows, flow durations, etc., are proposed to capture the users' characters. They are obtained from different layers of the OSI communication model, such as the network layer and transport layer. Secondly, we define scores for users' behaviors according to their traffic patterns using a flexible method with adjustable weight factors, and different monitoring aims can be achieved by adjusting the weight factors. Based on the behavior score, the users' behaviors are classified into three security levels: low-dangerous, mid-dangerous and high-dangerous levels. Finally, the mid (high)-dangerous users' behaviors are controlled by a dynamic quarantine method based on the principle of "assume guilty before proven innocent". We quarantine a user whenever its behavior is classified into the mid (high)-dangerous levels by blocking its traffic. Then the quarantine is released after a short time, even if the users have not been inspected by security managers yet. In this way, we can remove the potential threats from the monitoring network without interfering the users' normal activities severely. The experimental results based on actual traffic data show that the methods proposed in this paper are simple, flexible and of high accuracy, which can be used for real-time enterprise network monitoring and management.

Zhenhui Li,Fan Zhou,Zhiyuan Wang,Xovee Xu,Leyuan Liu,Guangqiang Yin

DOI: https://doi.org/10.1038/s41598-024-55750-x

IF: 4.6

2024-03-02

Scientific Reports

Abstract:Understanding user behavior via IP addresses is a crucial measure towards numerous pragmatic IP-based applications, including online content delivery, fraud prevention, marketing intelligence, and others. While profiling IP addresses through methods like IP geolocation and anomaly detection has been thoroughly studied, the function of an IP address—e.g., whether it pertains to a private enterprise network or a home broadband—remains underexplored. In this work, we initiate the first attempt to address the IP usage scenario classification problem. We collect data consisting of IP addresses from four large-scale regions. A novel continuous neural tree-based ensemble model is proposed to learn IP assignment rules and complex feature interactions. We conduct extensive experiments to evaluate our model in terms of classification accuracy and generalizability. Our results demonstrate that the proposed model is capable of efficiently uncovering significant higher-order feature interactions that enhance IP usage scenario classification, while also possessing the ability to generalize from the source region to the target one.

multidisciplinary sciences

Tao Qin,Wei Li,Xiaohong Guan,Zhaoli Liu

DOI: https://doi.org/10.1109/glocom.2012.6503237

2012-01-01

Abstract:With the number of Internet users and applications continues to grow, it becomes increasingly important to understand the users' behavior character for efficient network management and security monitoring. Web is one of the most popular applications, which can help users to obtain anything they want. In this paper, we propose a new framework to measure and monitor users' web access behavior character. Firstly, web services are divided into 12 types according to the content they provide. As user like to access different web services at different time instants, we proposed the behavior spectrum to describe the users' access character in an easily understandable way. Secondly, we employ three traffic features (number of connections, number of packets and number of bytes) to measure the intensity of users' access behavior. Based on the spectrums and features obtained, two kinds of user's access characters are analyzed: the characters at a particular time instant and the dynamic changing characters at continuous time points. Finally, we employ the Renyi entropy to cluster the users into different groups based on the spectrum and find the results are useful for network management. To verify the method, several actual traffic traces are collected from the Northwest Regional Center of CERNET (China Education and Research Network) and the experimental results prove the efficiency of the proposed methods.

Yan Tong,Jian Zhang,Wei Chen,Mingdi Xu,Tao Qin

DOI: https://doi.org/10.1007/978-3-319-78139-6_30

2017-01-01

Abstract:Focus on the difficulty of large-scale network traffic monitoring and analysis, this paper proposed the concepts of Group Behavior Flow model to aggregate traffic packets and perform abnormal behavior detection. Based on the flow model the pivotal traffic metrics can be extracted while the number of flow records are reduced significantly. Secondly, we employ the graph model to capture the traffic feature distribution between different group users. And optical flow analysis methods are proposed to extract the dynamic behavior changing features between different groups and achieve the goal of abnormal behavior detection. The experimental results based on actual traffic traces show that the methods proposed in this paper can capture the traffic features effectually in the current 10 Gbps network environment, and achieve the goal of abnormal behavior detection and abnormal source location, which is very important for traffic management.

Ahmad Jakalan,Jian Gong,Shangdong Liu

DOI: https://doi.org/10.1109/iccsn.2015.7296136

2015-01-01

Abstract:Internet is growing very fast in size and applications which causes more complexity in its structure which demands more efforts for monitoring and management. For an efficient network security and management it's required to have a better understanding of its structure and traffic caused by different elements (IP hosts). There is a need to improve systems and methods that can provide this kind of knowledge and understanding. The objective of this research is to study the behavior of IP Network nodes (IP hosts) from the prospective of their communication behavior patterns to setup hosts' behavior profiles of the observed IP nodes by clustering hosts into groups of similar communication behaviors. There are many potential applications of this work; the results of this research will be useful to the network management and Network Security Situational Awareness (NSSA) in addition to its applications in studying the network user's behavior.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].