Internet Traffic Behavior Profiling for Network Security Monitoring

IEEE/ACM Transactions on Networking

Volumn 16, Issue 6, 2008, Pages 1241-1252

  Xu, Kuai ^a   Zhang, Zhi Li ^b   Bhattacharyya, Supratik ^c  

^a YAHOO INC   (United States)

^b University of Minnesota   (United States)

^c SnapTell Inc   (United States)

Author keywords

Anomaly behavior; monitoring; traffic profiling

Indexed keywords

EID: 85008008496     PISSN: 10636692     EISSN: 15582566     Source Type: Journal    
DOI: 10.1109/TNET.2007.911438     Document Type: Article

References (32)

1. C. E. Shannon and W. Weaver, The Mathematical Theory of Communication. Chicago, NY: Univ. Illinois Press, 1949.
2. T. Cover and J. Thomas, Elements of Information Theory, ser. Wiley Series in Telecommunications. New York: Wiley, 1991.
3. K. Claffy, H.-W. Braun, and G. Polyzos, “A parameterizable methodology for internet traffic flow profiling,” IEEE J. Sel. Areas Commun., vol. 13, no. 8, pp. 1481–1494, Oct. 1995.
4. C. Estan, S. Savage, and G. Varghese, “Automatically inferring patterns of resource consumption in network traffic,” in Proc. ACM SIGCOMM, Sep. 2003, pp. 137–148.
5. K. Xu, Z.-L. Zhang, and S. Bhattacharyya, “Profiling internet backbone traffic: Behavior models and applications,” in Proc. ACM SIGCOMM, Aug. 2005, pp. 169–180.
6. K. Krippendorff, Information Theory: Structural Models for Qualitative Data. Thousand Oaks, CA: Sage, 1986.
7. R. Cavallo and G. Klir, “Reconstructability analysis of multi-dimensional relations: A theoretical basis for computer-aided determination of acceptable systems models,” Int. J. General Syst., vol. 5, pp. 143–171, 1979.
8. M. Zwick, “An overview of reconstructability analysis,” Int. J. Syst. Cybern., vol. 33, pp. 877–905, 2004.
9. M. Jordan, “Graphical models,” Statist. Sci., Special Issue Bayesian Statistics, vol. 19, pp. 140–155, 2004.
10. K. Xu, Z.-L. Zhang, and S. Bhattacharyya, “Profiling Internet back-bone traffic: Behavior models and applications,” Sprint ATL Res. Rep. RR05-ATL-020777, Feb. 2005.
11. K. Xu, Z.-L. Zhang, and S. Bhattacharyya, “Reducing unwanted traffic in a backbone network,” in Proc. Steps Reducing Unwanted Traffic Internet Workshop (SRUTI), Jul. 2005, pp. 9–15.
12. B. Krishnamurthy, S. Sen, Y. Zhang, and Y. Chen, “Sketch-based change detection: Methods, evaluation, and applications,” in Proc. ACM/USENIX IMC, 2003, pp. 234–247.
13. G. Cormode, F. Korn, S. Muthukrishnan, and D. Srivastava, “Finding hierarchical heavy hitters in data streams,” in Proc. VLDB, 2003, pp. 464–474.
14. S. Staniford, J. Hoagland, and J. McAlerney, “Practical automated detection of stealthy portscans,” J. Comput. Security, vol. 10, pp. 105–136, 2002.
15. J. Jung, V. Paxson, A. Berger, and H. Balakrishna, “Fast portscan detection using sequential hypothesis testing,” in Proc. IEEE Symp. Security Privacy, 2004, pp. 211–225.
16. Y. Zhang, S. Singh, S. Sen, N. Duffield, and C. Lund, “Online identification of hierarchical heavy hitters: Algorithms, evaluation, and applications,” in Proc. Internet Meas. Conf., 2004, pp. 101–114.
17. M. Mahoney, “Network traffic anomaly detection based on packet bytes,” in Proc. ACM Symp. Appl. Comput., Mar. 2003, pp. 346–350.
18. J. Jung, B. Krishnamurthy, and M. Rabinovich, “Flash crowds and denial of service attacks: Characterization and implications for CDNs and web sites,” in Proc. Int. WWW Conf, 2002, pp. 293–304.
19. N. Weaver, V. Paxon, S. Staniford, and R. Cunningham, “A taxonomy of computer worms,” in Proc. CCS Workshop Rapid Malcode (WORM), 2003, pp. 11–18.
20. V. Yegneswaran, P. Barford, and J. Ullrich, “Internet intrusions: Global characteristics and prevalence,” in Proc. ACM SIGMETRICS, 2003, pp. 138–147.
21. R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson, “Characteristics of internet background radiation,” in Proc. ACM SIG-COMM IMC, 2004, pp. 27–40.
22. A. Lakhina, M. Crovella, and C. Diot, “Diagnosing network-wide traffic anomalies,” in Proc. ACM SIGCOMM, 2004, pp. 219–230.
23. A. Lakhina, M. Crovella, and C. Diot, “Characterization of network-wide anomalies in traffic flows,” in Proc. IMC, 2004, pp. 201–206.
24. MINDS, Minnesota Intrusion Detection System. [Online]. Available: http://www.cs.umn.edu/research/minds/
25. A. Lazarevic, L. Ertoz, A. Ozgur, J. Srivastava, and V. Kumar, “A comparative study of anomaly detection schemes in network intrusion detection,” in Proc. SIAM Conf. Data Mining, 2003, pp. 25–36.
26. W. Lee and D. Xiang, “Information-theoretic measures for anomaly detection,” in Proc. IEEE Symp. Security Privacy, 2001, pp. 130–143.
27. F. Hao, M. Kodialam, and T. Lakshman, “Real-time detection of hidden traffic patterns,” in Proc. ICNP, Oct. 2004, pp. 340–349.
28. F. Hernandez-Campos, A. B. Nobel, F. D. Smith, and K. Jeffay, “Statistical clustering of internet communication patterns,” in Proc. Symp. Interface Computing Sci. Statistics, 2003, p. 134.
29. S. J. Stolfo, S. Hershkop, K. Wang, O. Nimeskern, and C. Hu, “Behavior profiling of email,” in Proc. NSF/NIJ Symp. Intell. Security Informatics, 2003, pp. 74–90.
30. T. Karagiannis, K. Papagiannaki, and M. Faloutsos, “BLINC: Multi-level traffic classification in the dark,” in Proc. ACM SIGCOMM, 2005, pp. 229–240.
31. A. Lakhina, M. Crovella, and C. Diot, “Mining anomalies using traffic feature distributions,” in Proc. ACM SIGCOMM, Aug. 2005, pp. 217–228.
32. K. Xu, F. Wang, S. Bhattacharyya, and Z.-L. Zhang, “A real-time network traffic profiling system,” in Proc. Int. Conf. Dependable Syste. Netw., June 2007, pp. 595–605.