Title :
A multi-variate classification approach for the detection of illicit traffic
Author :
Rocha, Eduardo ; Salvador, Paulo ; Nogueira, António
Author_Institution :
Inst. de Telecomun., Univ. of Aveiro, Aveiro, Portugal
Abstract :
Nowadays, all commercial and personal activities rely almost exclusively on digital information that is constantly accessed, exchanged and archived over the Internet. These facts have attracted the interest of the hacker community, driven by the will to obtain profits by exploiting the many existing vulnerabilities. Consequently, the number of reported attacks has increased dramatically, together with the financial losses associated with them. Botnets have become the cornerstone of on-line criminal activities and can be considered the most serious threat to the Internet. Current detection and prevention methodologies are not able to ensure complete protection as the complexity and subtlety of security attacks and the illicit traffic they generate grow: these include the encapsulation of illicit traffic in legitimate communications or the replication of normal communication profiles in order to bypass the various network defense mechanisms. Consequently, novel identification and prevention approaches must be proposed and studied in order to address all these issues. In this paper, we present a novel detection methodology that, by building high-level traffic profiles and modeling their embedded multi-scaling dynamics, can accurately identify the components created by illicit applications. The analysis of captured traffic samples over sliding time-windows allows the identification of illicit traffic components that are hidden in legitimate communications. The proposed methodology is also able to cope with the most stringent confidentiality restrictions that typically prevent the use of other detection tools.
Keywords :
Internet; security of data; telecommunication security; telecommunication traffic; high-level traffic profiles; illicit traffic; multiscaling dynamics; multivariate classification approach; security attacks; sliding time-windows; Cryptography; Data mining; Discrete wavelet transforms; Internet; Protocols; Stochastic processes; Illicit traffic; Internet applications; multi-scale analysis; traffic classification;
Conference_Titel :
Software, Telecommunications and Computer Networks (SoftCOM), 2011 19th International Conference on
Conference_Location :
Split
Print_ISBN :
978-1-4577-1439-9