
An Anomalous Host Detection Technique using Traffic Dispersion Graphs  

Kim, Jung-Hyun (Department of Electronics, Computer and Communication Engineering, Hanyang University)
Won, You-Jip (Department of Electronics, Computer and Communication Engineering, Hanyang University)
Ahn, Soo-Han (Department of Statistics, University of Seoul)
Abstract
Today's Internet is one of the necessities of our life, and anomalies on the Internet provoke social problems. For that reason, Internet Measurement, which studies the characteristics of Internet traffic, attracts public attention. Recently, the Traffic Dispersion Graph (TDG), a novel traffic analysis method, was proposed. The TDG is not a statistical analysis method but a graphical visualization method for the interactions among network components. In this paper, we propose a new anomaly detection paradigm and its technique using TDGs. Existing studies have focused on detecting anomalous packets or flows; we focus instead on detecting the sources of anomalous traffic. To realize our paradigm, we designed the TDG Clustering method. Through this method, we could classify anomalous hosts infected by various worm viruses, and we obtained normal traffic by dropping the traffic of the anomalous hosts. In particular, we expect that the TDG clustering method can be applied to real-time anomaly detection because its calculations are fast.
Keywords
Traffic Dispersion Graphs; Internet Measurement; Anomaly Detection; Worm Virus;