A flow analysis for mining traffic anomalies

Yoshiki Kanda, Kensuke Fukuda, Toshiharu Sugawara

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    11 Citations (Scopus)

    Abstract

    Although analyzing anomalous network traffic behavior is a popular research topic, few studies have been undertaken on the analysis of per-host communication patterns based on their flows to characterize anomalous Internet traffic. This paper discusses the possibility of using a flow-based communication pattern per host as a metric to identify anomalies. The key idea underlying our method is that scanning worm-infected hosts reveal intrinsic characteristics of a host's communication pattern, and that such patterns are distinguishable from those of other hosts. In particular, we found that scanning worm-infected hosts that generated a lot of flows revealed an intrinsic communication pattern, and that this pattern could be separated from those of other hosts by k-means clustering. We also found that our flow-based metric could isolate anomalies that have little influence on the volumetric information of traffic and flows as "lines", which is remarkable in that the hosts that caused the hidden anomalies were mined out.

    Original language: English
    Title of host publication: IEEE International Conference on Communications
    DOIs: https://doi.org/10.1109/ICC.2010.5502463
    Publication status: Published - 2010
    Event: 2010 IEEE International Conference on Communications, ICC 2010 - Cape Town
    Duration: 2010 May 23 to 2010 May 27

    Other

    Other: 2010 IEEE International Conference on Communications, ICC 2010
    City: Cape Town
    Period: 10/5/23 to 10/5/27

    Fingerprint: Communication, Scanning, Internet

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering
    • Computer Networks and Communications

    Cite this

    Kanda, Y., Fukuda, K., & Sugawara, T. (2010). A flow analysis for mining traffic anomalies. In IEEE International Conference on Communications [5502463] https://doi.org/10.1109/ICC.2010.5502463

    A flow analysis for mining traffic anomalies. / Kanda, Yoshiki; Fukuda, Kensuke; Sugawara, Toshiharu.

    IEEE International Conference on Communications. 2010. 5502463.


    Kanda, Y, Fukuda, K & Sugawara, T 2010, A flow analysis for mining traffic anomalies. in IEEE International Conference on Communications., 5502463, 2010 IEEE International Conference on Communications, ICC 2010, Cape Town, 10/5/23. https://doi.org/10.1109/ICC.2010.5502463
    Kanda Y, Fukuda K, Sugawara T. A flow analysis for mining traffic anomalies. In IEEE International Conference on Communications. 2010. 5502463 https://doi.org/10.1109/ICC.2010.5502463
    Kanda, Yoshiki; Fukuda, Kensuke; Sugawara, Toshiharu. A flow analysis for mining traffic anomalies. IEEE International Conference on Communications. 2010.
    @inproceedings{eb738a987fab46e5bb776ba45f6915a6,
    title = "A flow analysis for mining traffic anomalies",
    abstract = "Although analyzing anomalous network traffic behavior is a popular research topic, few studies have been undertaken on the analysis of communication pattern per host based on their flows to characterize the anomalous Internet traffic. This paper discusses the possibility of using a flow-based communication pattern per host as a metric to identify anomalies. The key idea underlying our method is that scanning worm-infected hosts reveal the intrinsic characteristics of host's communication pattern and such patterns are distinguishable from those of other hosts. In particular, we found that scanning of worm-infected hosts that generated a lot of flows revealed the intrinsic communication pattern and the pattern could be classified from those of other hosts by k-means clustering. We also found that our flow-based metric could isolate the anomalies that have little influence upon the volumetric information of traffic and flow as {"}lines{"}, which is remarkable in that the hosts that caused the hidden anomalies were mined out.",
    author = "Yoshiki Kanda and Kensuke Fukuda and Toshiharu Sugawara",
    year = "2010",
    doi = "10.1109/ICC.2010.5502463",
    language = "English",
    isbn = "9781424464043",
    booktitle = "IEEE International Conference on Communications",
    }

    TY - GEN

    T1 - A flow analysis for mining traffic anomalies

    AU - Kanda, Yoshiki

    AU - Fukuda, Kensuke

    AU - Sugawara, Toshiharu

    PY - 2010

    Y1 - 2010

    N2 - Although analyzing anomalous network traffic behavior is a popular research topic, few studies have been undertaken on the analysis of communication pattern per host based on their flows to characterize the anomalous Internet traffic. This paper discusses the possibility of using a flow-based communication pattern per host as a metric to identify anomalies. The key idea underlying our method is that scanning worm-infected hosts reveal the intrinsic characteristics of host's communication pattern and such patterns are distinguishable from those of other hosts. In particular, we found that scanning of worm-infected hosts that generated a lot of flows revealed the intrinsic communication pattern and the pattern could be classified from those of other hosts by k-means clustering. We also found that our flow-based metric could isolate the anomalies that have little influence upon the volumetric information of traffic and flow as "lines", which is remarkable in that the hosts that caused the hidden anomalies were mined out.

    AB - Although analyzing anomalous network traffic behavior is a popular research topic, few studies have been undertaken on the analysis of communication pattern per host based on their flows to characterize the anomalous Internet traffic. This paper discusses the possibility of using a flow-based communication pattern per host as a metric to identify anomalies. The key idea underlying our method is that scanning worm-infected hosts reveal the intrinsic characteristics of host's communication pattern and such patterns are distinguishable from those of other hosts. In particular, we found that scanning of worm-infected hosts that generated a lot of flows revealed the intrinsic communication pattern and the pattern could be classified from those of other hosts by k-means clustering. We also found that our flow-based metric could isolate the anomalies that have little influence upon the volumetric information of traffic and flow as "lines", which is remarkable in that the hosts that caused the hidden anomalies were mined out.

    UR - http://www.scopus.com/inward/record.url?scp=77955412204&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=77955412204&partnerID=8YFLogxK

    U2 - 10.1109/ICC.2010.5502463

    DO - 10.1109/ICC.2010.5502463

    M3 - Conference contribution

    AN - SCOPUS:77955412204

    SN - 9781424464043

    BT - IEEE International Conference on Communications

    ER -