DocumentCode
628269
Title
Locality matters: Reducing Internet traffic graphs using location analysis
Author
Berger, A. ; Ruehrup, Stefan ; Gansterer, Wilfried N. ; Jung, Oliver
Author_Institution
FTW Telecommun. Res. Center Vienna, Vienna, Austria
fYear
2013
fDate
24-27 June 2013
Firstpage
1
Lastpage
12
Abstract
The representation of Internet traffic as connection graphs augments anomaly detection systems by providing insight on the structural connection properties, i.e., who-talks-to-whom. However, these graphs are extremely large and one has to decide in advance on which aspect to focus. In the context of malware detection, this is difficult as malware often mimics legitimate traffic. In this paper, we present a statistical approach for extracting the typical traffic destinations for a set of monitored hosts, and derive a reduced graph that contains only connections that are anomalous for that host. This graph can then be analyzed efficiently. Our system is designed to scale to thousands of monitored hosts. We evaluate our approach using a data set from a real network, and show that we can reliably detect injected malware activity.
Keywords
Internet; computer network security; graph theory; invasive software; statistical analysis; telecommunication traffic; Internet traffic graphs; Internet traffic representation; anomaly detection systems; connection graphs; injected malware activity detection; location analysis; malware detection; statistical approach; structural connection properties; traffic destinations; Databases; Monitoring; Network monitoring; graph analysis; malware detection; statistical anomaly detection; traffic modeling;
fLanguage
English
Publisher
ieee
Conference_Titel
Dependable Systems and Networks (DSN), 2013 43rd Annual IEEE/IFIP International Conference on
Conference_Location
Budapest
ISSN
1530-0889
Print_ISBN
978-1-4673-6471-3
Type
conf
DOI
10.1109/DSN.2013.6575365
Filename
6575365