Qiang Li,Tao Qin,Xiaohong Guan,Qinghua Zheng

DOI: https://doi.org/10.7652/xjtuxb201308004

2013-01-01

Abstract:Measurement methods based on bi-directional flow model are proposed to investigate the symmetric characteristic of the non-business network traffics. The features of protocol, port distribution and flow size are extracted from host-level aggregated traffic to characterize users' interactive behavior and to find the origins of traffic symmetry. The analysis results using actual traffic traces collected from the campus network of Xi'an Jiaotong University show that 1% of the total hosts bear more than 90% of the forward UDP traffic, which results in the symmetry of total traffic. Compared with the traditional flow model, the proposed methods can quickly locate the hosts that are responsible for traffic symmetry, and are more suitable for traffic control and management in non-business networks.

Bin Zhang,YANG Jia-Hai,WU Jian-Ping

DOI: https://doi.org/10.3724/SP.J.1001.2011.03950

2011-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:The Internet traffic model is the key issue for network performance management, Quality of Service management, and admission control. The paper first summarizes the primary characteristics of Internet traffic, as well as the metrics of Internet traffic. It also illustrates the significance and classification of traffic modeling. Next, the paper chronologically categorizes the research activities of traffic modeling into three phases: 1) traditional Poisson modeling; 2) self-similar modeling; and 3) new research debates and new progress. Thorough reviews of the major research achievements of each phase are conducted. Finally, the paper identifies some open research issue and points out possible future research directions in traffic modeling area. © Copyright 2011, Institute of Software, the Chinese Academy of Sciences. All rights reserved.

Yuqi Yu,Hanbing Yan,Hongchao Guan,Hao Zhou

DOI: https://doi.org/10.48550/arXiv.1810.12751

2018-10-30

Cryptography and Security

Abstract:In the Internet age, cyber-attacks occur frequently with complex types. Traffic generated by access activities can record website status and user request information, which brings a great opportunity for network attack detection. Among diverse network protocols, Hypertext Transfer Protocol (HTTP) is widely used in government, organizations and enterprises. In this work, we propose DeepHTTP, a semantics structure integration model utilizing Bidirectional Long Short-Term Memory (Bi-LSTM) with attention mechanism to model HTTP traffic as a natural language sequence. In addition to extracting traffic content information, we integrate structural information to enhance the generalization capabilities of the model. Moreover, the application of attention mechanism can assist in discovering critical parts of anomalous traffic and further mining attack patterns. Additionally, we demonstrate how to incrementally update the data set and retrain model so that it can be adapted to new anomalous traffic. Extensive experimental evaluations over large traffic data have illustrated that DeepHTTP has outstanding performance in traffic detection and pattern discovery.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Tao Qin,Xiaohong Guan,Yi Long,Wei Li

DOI: https://doi.org/10.1109/icis.2009.104

2009-01-01

Abstract:Users' character analysis and control are important for enterprise network management and security. In this paper, we propose a novel method to classify the users' behaviors into different security levels and control their behaviors with corresponding strategies. Firstly, Dflow model and several traffic features, including the number of packets, number of flows, flow durations, etc., are proposed to capture the users' characters. They are obtained from different layers of the OSI communication model, such as the network layer and transport layer. Secondly, we define scores for users' behaviors according to their traffic patterns using a flexible method with adjustable weight factors, and different monitoring aims can be achieved by adjusting the weight factors. Based on the behavior score, the users' behaviors are classified into three security levels: low-dangerous, mid-dangerous and high-dangerous levels. Finally, the mid (high)-dangerous users' behaviors are controlled by a dynamic quarantine method based on the principle of "assume guilty before proven innocent". We quarantine a user whenever its behavior is classified into the mid (high)-dangerous levels by blocking its traffic. Then the quarantine is released after a short time, even if the users have not been inspected by security managers yet. In this way, we can remove the potential threats from the monitoring network without interfering the users' normal activities severely. The experimental results based on actual traffic data show that the methods proposed in this paper are simple, flexible and of high accuracy, which can be used for real-time enterprise network monitoring and management.

Zhenhui Li,Fan Zhou,Zhiyuan Wang,Xovee Xu,Leyuan Liu,Guangqiang Yin

DOI: https://doi.org/10.1038/s41598-024-55750-x

IF: 4.6

2024-03-02

Scientific Reports

Abstract:Understanding user behavior via IP addresses is a crucial measure towards numerous pragmatic IP-based applications, including online content delivery, fraud prevention, marketing intelligence, and others. While profiling IP addresses through methods like IP geolocation and anomaly detection has been thoroughly studied, the function of an IP address—e.g., whether it pertains to a private enterprise network or a home broadband—remains underexplored. In this work, we initiate the first attempt to address the IP usage scenario classification problem. We collect data consisting of IP addresses from four large-scale regions. A novel continuous neural tree-based ensemble model is proposed to learn IP assignment rules and complex feature interactions. We conduct extensive experiments to evaluate our model in terms of classification accuracy and generalizability. Our results demonstrate that the proposed model is capable of efficiently uncovering significant higher-order feature interactions that enhance IP usage scenario classification, while also possessing the ability to generalize from the source region to the target one.

multidisciplinary sciences

Tao Qin,Wei Li,Xiaohong Guan,Zhaoli Liu

DOI: https://doi.org/10.1109/glocom.2012.6503237

2012-01-01

Abstract:With the number of Internet users and applications continues to grow, it becomes increasingly important to understand the users' behavior character for efficient network management and security monitoring. Web is one of the most popular applications, which can help users to obtain anything they want. In this paper, we propose a new framework to measure and monitor users' web access behavior character. Firstly, web services are divided into 12 types according to the content they provide. As user like to access different web services at different time instants, we proposed the behavior spectrum to describe the users' access character in an easily understandable way. Secondly, we employ three traffic features (number of connections, number of packets and number of bytes) to measure the intensity of users' access behavior. Based on the spectrums and features obtained, two kinds of user's access characters are analyzed: the characters at a particular time instant and the dynamic changing characters at continuous time points. Finally, we employ the Renyi entropy to cluster the users into different groups based on the spectrum and find the results are useful for network management. To verify the method, several actual traffic traces are collected from the Northwest Regional Center of CERNET (China Education and Research Network) and the experimental results prove the efficiency of the proposed methods.

Yan Tong,Jian Zhang,Wei Chen,Mingdi Xu,Tao Qin

DOI: https://doi.org/10.1007/978-3-319-78139-6_30

2017-01-01

Abstract:Focus on the difficulty of large-scale network traffic monitoring and analysis, this paper proposed the concepts of Group Behavior Flow model to aggregate traffic packets and perform abnormal behavior detection. Based on the flow model the pivotal traffic metrics can be extracted while the number of flow records are reduced significantly. Secondly, we employ the graph model to capture the traffic feature distribution between different group users. And optical flow analysis methods are proposed to extract the dynamic behavior changing features between different groups and achieve the goal of abnormal behavior detection. The experimental results based on actual traffic traces show that the methods proposed in this paper can capture the traffic features effectually in the current 10 Gbps network environment, and achieve the goal of abnormal behavior detection and abnormal source location, which is very important for traffic management.

Dawei Wang,Luoshi Zhang,Zhenlon Yuan,Yibo Xue,Yinfei Dong

DOI: https://doi.org/10.1109/iccnc.2014.6785298

2014-01-01

Abstract:Network traffic classification is critical to both network management and system security. However, existing traffic classification techniques become less effective as more P2P applications use proprietary protocols for delivery and encryption. Especially, current techniques usually focus on individual flows and do not consider all flows associated with an application together. To address this issue, this paper proposes a novel Application Behavior Characterization (ABC) technique. We design a novel application behavior feature extracting method and an effective classification algorithm, which explore the correlation of multiple flows of a specific application. We evaluate the proposed method with real network traffic. The experimental results show that it can correctly identify flows belonging to a set of known P2P applications (such as Skype, Thunder, and PPTV) with a probability over 90%. Moreover, it can further identify the particular application that a flow belongs to with a precision of 90% on average. More information about implementing and deploying ABC can be found in a technical report [10].

Pinghui Wang,Peng Jia,Jing Tao,Xiaohong Guan

DOI: https://doi.org/10.1109/infocom.2018.8485858

2018-01-01

Abstract:Mining user behaviors over high speed links is important for applications such as network anomaly detection. Previous work focuses on monitoring anomalies such as extremely frequent users occurring in a short timeslot such as 1 minute. Little attention has been paid to detect users with stealthy behaviors such as persistent frequent and co-occurrence behaviors over a long period of time at the timeslot granularity (e.g., 1 minute granularity level). Unlike frequent users, persistent users do not necessarily occur more frequently than other users in a single timeslot, but persist and occur in a larger number of timeslots. Due to limited computation and storage resources on routers, it is prohibitive to collect massive network traffic in a long period of time. We develop an end-to-end method for solving challenges in both long-term online traffic collection and offline user behavior analysis. To achieve this goal, we design a user embedding (UE) method to fast build compact sketches of user-occurrence events over time. To reduce the estimation error introduced by Bloom Filter, we model UE as a sampling method and propose methods to accurately mine a variety of user behaviors from user-occurrence events rebuilt from UE sketches. In addition, we introduce another new embedding method reversible UE (RUE) to detect persistent frequent behaviors when monitored users' IDs are not given in advance for offline analysis. We conduct extensive experiments on real-world traffic, and the results demonstrate that our methods significantly outperform state-of-the-art methods.

Tao Qin,Xiaohong Guan,Chenxu Wang,Zhaoli Liu

DOI: https://doi.org/10.1109/jsyst.2014.2350019

IF: 4.802

2015-01-01

IEEE Systems Journal

Abstract:Mastering user's behavior character is important for efficient network management and security monitoring. In this paper, we develop a novel framework named as multilevel user cluster mining (MUCM) to measure user's behavior similarity under different network prefix levels. Focusing on aggregated traffic behavior under different network prefixes cannot only reduce the number of traffic flows but also reveal detailed patterns for a group of users sharing similar behaviors. First, we employ the bidirectional flow and bipartite graphs to model network traffic characteristics in large-scale networks. Four traffic features are then extracted to characterize the user's behavior profiles. Second, an efficient method with adjustable weight factors is employed to calculate the user's behavior similarity, and entropy gain is applied to select the weight factor adaptively. Using the behavior similarity metrics, a simple clustering algorithm based on k-means is employed to perform user clustering based on behavior profiles. Finally, we examine the applications of behavior clustering in profiling network traffic patterns and detecting anomalous behaviors. The efficiency of our methods is verified with extensive experiments using actual traffic traces collected from the northwest region center of China Education and Research Network (CERNET), and the cluster results can be used for flow control and traffic security monitoring.

QIAN Jun,XU Chao,SHI Meilin

DOI: https://doi.org/10.3321/j.issn:1000-0054.2006.10.036

2006-01-01

Abstract:Deviations in simulated HTTP traffic for intrusion detection evaluation are reduced by a scalable Web simulation method based on user personalization which improves Web traffic simulation.The method uses user-level Web mining and automatic user-profiling.After user personalization,each user's patterns are profiled and stored in the knowledge base for simulation.Virtual user profile is introduced for Web traffic simulations of various networks.Tests illustrate the high fidelity and scalability of the simulated Web traffic,which makes the dataset more real and suitable for IDS evaluations.The tests also show that the dataset greatly reduces false positives.

Xiaohong Guan,Tao Qin,Wei Li,Pinghui Wang

DOI: https://doi.org/10.1109/TIFS.2010.2066970

IF: 7.231

2010-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Measuring and monitoring the changes of network traffic patterns in large-scale networks are crucial for effective network management. In this paper, we present a framework and method for detecting and measuring the dynamic changes of the pivotal traffic patterns. A bidirectional regional flow model is established to aggregate traffic packets and extract the traffic metrics and profiles. The characteristics of the regional flows are analyzed and interesting findings are obtained. A directed graph model is applied to describe the flow metrics and six flow features are extracted to capture the dynamic changes of the flow patterns. The measurements based on Renyi entropy are developed to quantitatively monitor these changes. The experimental results based on the actual network traffic data traces show that the method presented in this paper can capture the dynamic changes of pivotal traffic patterns effectively.

Liu Jun,Li Tingting,Cheng Gang,Yu Hua,Lei Zhenming

DOI: https://doi.org/10.1109/cc.2013.6723876

2013-12-01

China Communications

Abstract:Understanding the dynamic traffic and usage characteristics of data services in cellular networks is important for optimising network resources and improving user experience. Recent studies have illustrated traffic characteristics from specific perspectives, such as user behaviour, device type, and applications. In this paper, we present the results of our study from a different perspective, namely service providers, to reveal the traffic characteristics of cellular data networks. Our study is based on traffic data collected over a five-day period from a leading mobile operator's core network in China. We propose a Zipf-like model to characterise the distributions of the traffic volume, subscribers, and requests among service providers. Nine distinct diurnal traffic patterns of service providers are identified by formulating and solving a time series clustering problem. Our work differs from previous related works in that we perform measurements on a large quantity of data covering 2.2 billion traffic records, and we first explore the traffic patterns of thousands of service providers. Results of our study present mobile Internet participants with a better understanding of the traffic and usage characteristics of service providers, which play a critical role in the mobile Internet era.

telecommunications

Xiaozhu Lin,Lin Quan,Haiyan Wu

DOI: https://doi.org/10.1109/GLOCOM.2008.ECP.290

2008-01-01

Abstract:The characterization of HTTP traffic is crucial for performance evaluation and server design. In this paper, we analyze massive Web traces generated by various busy servers in recent years, trying to find the new features of modern HTTP traffic and user behaviors. Comparing the conclusions of earlier studies with our results, we have spotted considerable unconventional ingredients in modern HTTP traffic that could hardly be described by previous models. We also propose an innovative scheme to automatically categorize these various ingredients in modern traffic. The novel aspects of our work are: (1)It reveals the sophisticated composition of modern HTTP traffic with solid evidence, (2)It provides an automatic method to analyze the composition of modern HTTP traffic and (3)It promises a powerful manner to evaluate the possible performance implication of modern HTTP traffic on existing Web servers. We hope this work would help researchers and designers to better understand new features of HTTP workloads and therefore make corresponding adaptations in design practice.

Pinghui Wang,Peng Jia,Jing Tao,Xiaohong Guan

DOI: https://doi.org/10.1109/tkde.2018.2873319

IF: 9.235

2019-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Monitoring user behaviors over high speed links is important for applications such as network anomaly detection. Previous work focuses on monitoring anomalies such as extremely frequent users occurring in a short timeslot such as 1 minute. Little attention has been paid to detect users with stealthy behaviors (e.g., persistent, co-occurrence, anti-co-occurrence, and periodic behaviors) over a long period of time at the timeslot granularity. Due to limited computation and storage resources on routers, it is prohibitive to collect massive network traffic in a long period of time. We develop an end-to-end method for solving challenges in both long-term online traffic collection and offline user behavior analysis. We conduct extensive experiments on a variety of real-world traffic to evaluate the performance of detecting persistent, co-occurrence, anti-co-occurrence, and periodic behaviors, and the results demonstrate that our method significantly outperforms state-of-the-art methods.

Weitao Weng,Kai Lei,Kuai Xu,Xiaoyou Liu,Tao Sun

DOI: https://doi.org/10.1007/978-3-319-39937-9_29

2016-01-01

Abstract:Campus networks consist of a rich diversity of end hosts including wired desktops, servers, and wireless BYOD devices such as laptops and smartphones, which are often compromised in insecure networks. Making sense of traffic behaviors of end hosts in campus networks is a daunting task due to the open nature of the network, heterogeneous devices, high mobility of end users, and a wide range of applications. To address these challenges, this paper applies a combination of graphical approaches and spectral clustering to group the Internet traffic of campus networks into distinctive traffic clusters in a divide-and-conquer manner. Specifically, we first model the data communication between a particular subnet of campus networks and the Internet on a specific application port via bipartite graphs, and subsequently use the one-mode projection to capture behavior similarity of end hosts in the same subnet for the same network applications. Finally we apply a spectral clustering algorithm to explore the behavior similarity to identify distinctive application clusters within each subnet. Our experimental results have demonstrated the benefits of our proposed method for analyzing Internet traffic of a large university town to discover anomalous behaviors and to uncover distinctive temporal and spatial traffic patterns.

Meng Qin,Kai Lei,Bo Bai,Gong Zhang

DOI: https://doi.org/10.1145/3341216.3342213

2019-01-01

Abstract:In this paper, we study the network traffic classification task. Different from existing supervised methods that rely heavily on the labeled statistic features in a long period (e.g., several hours or days), we adopt a novel view of unsupervised profiling to explore the flow features and link patterns in a short time window (e.g., several seconds), dealing with the zero-day traffic problem. Concretely, we formulate the traffic identification task as a graph co-clustering problem with topology and edge attributes, and proposed a novel Hybrid Flow Clustering (HFC) model. The model can potentially achieve high classification performance, since it comprehensively leverages the available information of both features and linkage. Moreover, the two information sources integrated in HFC can also be utilized to generate the profiling for each flow category, helping to reveal the deep knowledge and semantics of network traffic. The effectiveness of the model is verified in the extensive experiments on several real datasets of various scenarios, where HFC achieves impressive results and presents powerful application ability.

Peifa Sun,Mengda Lyu,Hui Li,Bo Yang,Lizhi Peng

DOI: https://doi.org/10.1016/j.comcom.2022.06.044

IF: 5.047

2022-09-01

Computer Communications

Abstract:Cryptocurrency is becoming more and more popular due to its superiority to traditional currencies, resulting in the boom of mining. Mining cryptocurrencies requires tremendous computing resources, and extensive high-performance computers are used for mining nowadays. A significant consequent problem is the huge amount of energy consuming for mining. Thus, managing mining behaviors become an urgent issue. There are two main ways to detecting mining behavior. One is to deploy a detecting program on the target host, and use features of system calls to detect the mining behaviors. The other is to deploy detection models on network, and identify mining behaviors via network traffic. Comparing with the former method, detecting mining behavior by traffic is “non-contact”, and can monitor a whole network instead of a single host. We propose in this paper a convolutional function based method to extract the features from the first few packets of flows to identify mining traffic. We first extract the size of each packet of a flow, and then design a convolution function with a sliding window to extract meaningful features from the packet size sequence. This method maps the flows to a feature space in which the mining flows can be distinguished from the normal flows easily. We collect a set of mining traffic traces including 8 types of cryptocurrency mining behaviors in a real network, and launch a set of empirical studies using this data set. We also develop an online mining traffic identification platform to validate the performance of our proposal. Both the offline experimental results and the online validation results suggests that our proposal can achieve high performance satisfying the real mining traffic detecting requirements.

computer science, information systems,telecommunications,engineering, electrical & electronic

Yahui Yang,Chunfang Huang,Zhijing Qin

DOI: https://doi.org/10.1109/nswctc.2009.237

2009-01-01

Abstract:Setting up a large number of network connections and using up a lot of bandwidth are usually regarded as a network misuse behavior. It is significance for the network supervision to find and recognize these behaviors timely and correctly. This paper proposes a network misuse detection mechanism based on traffic log, combining the payload independent traffic classification technology. Through this mechanism, we can complete the selection of behavior features, and overcome the problems for both sample insufficiency and adaptability by using collaborative learning method. The experiment result shows that the method can separate 99% of the normal types from the misuse types, and the recognition rate of various misuse types can reach 80% or so, even be above 90% for some misuse types, which meets the application demand.