TY - CONF
T1 - Detecting anomalous traffic using communication graphs
AU - Ishibashi, Keisuke
AU - Kondoh, Tsuyoshi
AU - Harada, Shigeaki
AU - Mori, Tatsuya
AU - Kawahara, Ryoichi
AU - Asano, Shoichiro
N1 - Funding Information:
This study was supported in part by the Ministry of Internal Affairs and Communications of Japan.
Publisher Copyright:
© 2010 World Telecommunications Congress 2010, WTC 2010. All rights reserved.
PY - 2010
Y1 - 2010
N2 - We present a method to detect anomalies in a time series of inter-host communication patterns. There are many existing methods for anomaly detection in a time series of traffic volume data, such as the number of packets or bytes. However, there is no established method for detecting anomalies in a time series of communication patterns that can be represented as graphs. Extracting communication structure enables us to identify low-intensity anomalous network events, e.g., botnet command and control communications, which cannot be detected with conventional volume-based anomaly detection schemes. In this paper, we first define the similarity of two graphs, and then we present a method to detect any anomalous graph that has little similarity with other graphs. This method was evaluated with actual traffic data, and anomalous graphs in which new clusters appeared were detected.
AB - We present a method to detect anomalies in a time series of inter-host communication patterns. There are many existing methods for anomaly detection in a time series of traffic volume data, such as the number of packets or bytes. However, there is no established method for detecting anomalies in a time series of communication patterns that can be represented as graphs. Extracting communication structure enables us to identify low-intensity anomalous network events, e.g., botnet command and control communications, which cannot be detected with conventional volume-based anomaly detection schemes. In this paper, we first define the similarity of two graphs, and then we present a method to detect any anomalous graph that has little similarity with other graphs. This method was evaluated with actual traffic data, and anomalous graphs in which new clusters appeared were detected.
UR - http://www.scopus.com/inward/record.url?scp=84870499414&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84870499414&partnerID=8YFLogxK
M3 - Paper
AN - SCOPUS:84870499414
SP - 192
EP - 197
T2 - World Telecommunications Congress 2010, WTC 2010
Y2 - 13 September 2010 through 14 September 2010
ER -