DocumentCode
3128262
Title
Communication patterns based detection of anomalous network traffic
Author
Le, Do Quoc ; Jeong, Taeyeol ; Roman, H. Eduardo ; Hong, James Won-Ki
Author_Institution
Div. of IT Convergence Eng., Pohang Univ. of Sci. & Technol. (POSTECH), Pohang, South Korea
fYear
2012
fDate
11-14 June 2012
Firstpage
185
Lastpage
185
Abstract
We propose a novel approach to detect anomalous network traffic by analyzing communication patterns in time series. The method is based on graph theory concepts such as degree distribution and maximum degree, and we introduce the new concept of dK-2 distance [1]. In our approach, we use traffic dispersion graphs (TDGs) to extract the communication structure of the traffic [2]. By analyzing the differences between successive TDGs in a time series, we are able to detect anomalous events such as botnet command and control communications, which cannot be identified by volume-based approaches or by flow/packet counters. We evaluate our approach with the 1999 DARPA intrusion detection data set and a network trace captured at POSTECH in July 2009.
Keywords
computer network security; graph theory; telecommunication traffic; DDoS attacks; TDG graphs; anomalous network traffic detection; botnet command-and-control communications; communication patterns based detection; communication structure extraction; dK-2 distance; degree distribution concept; graph theory concepts; maximum degree concept; network security; time series; traffic dispersion graphs; Computer crime; Dispersion; Intrusion detection; Measurement; Protocols; Telecommunication traffic; Time series analysis; DDoS attacks; anomalous traffic detection; network security; traffic dispersion graph;
fLanguage
English
Publisher
ieee
Conference_Titel
Intelligence and Security Informatics (ISI), 2012 IEEE International Conference on
Conference_Location
Arlington, VA
Print_ISBN
978-1-4673-2105-1
Type
conf
DOI
10.1109/ISI.2012.6284297
Filename
6284297