Article

Free access

Detecting malicious network traffic using inverse distributions of packet contents

Authors:

Vijay Karamcheti,

S. MuthukrishnanAuthors Info & Claims

MineNet '05: Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data

Pages 165 - 170

https://doi.org/10.1145/1080173.1080176

Published: 22 August 2005 Publication History

Abstract

We study the problem of detecting malicious IP traffic in the network early, by analyzing the contents of packets. Existing systems look at packet contents as a bag of substrings and study characteristics of its base distribution B where B(i) is the frequency of substring i.We propose studying the inverse distribution I where I(f) is the number of substrings that appear with frequency f. As we show using a detailed case study, the inverse distribution shows the emergence of malicious traffic very clearly not only in its "static" collection of bumps, but also in its nascent "dynamic" state when the phenomenon manifests itself only as a distortion of the inverse distribution envelope. We describe our probabilistic analysis of the inverse distribution in terms of Gaussian mixtures, our preliminary solution for discovering these bumps automatically. Finally, we briefly discuss challenges in analyzing the inverse distribution of IP contents and its applications.

References

[1]

A. Z. Broder, S. C. Glassman, M. S. Manasse, and G. Zweig. Syntactic clustering of the web. In Proc. WWW Conf., 1997.

Digital Library

[2]

G. Cormode, F. Korn, S. Muthukrishnan, and D. Srivastava. Diamonds in the rough: Finding hierarchical heavy hitters in multidimensional data. In Proc. SIGMOD, 2004.

Digital Library

[3]

M. Datar and S. Muthukrishnan. Computing rarity and similarity over data streams. In Proceedings ESA, 2002.

Digital Library

[4]

R. Duda, P. Hart, and D. Stork. Pattern Classification. Wiley Interscience, 2nd Edition, 2000.

Digital Library

[5]

C. Estan and G. Varghese. New directions in traffic measurement and accounting. In Proc. ACM SIGCOMM Internet Measurement Workshop, 2001.

Digital Library

[6]

M. A. T. Figueiredo and A. K. Jain. Unsupervised learning of finite mixture models. IEEE Trans. Pattern Analysis and Machine Intelligence, 24(3):381--396, 2002.

Digital Library

[7]

J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast portscan detection using sequential hypothesis testing. In Proc. IEEE Security and Privacy, 2004.

[8]

J. O. Kephart and W. C. Arnold. Automatic extraction of computer virus signatures. In Proc. 4th Intl. Virus Bulletin Conf., 2001.

[9]

H. A. Kim and B. Karp. Autograph: Toward automatic distributed worm signature detection. In Proc. USENIX Security Symp., 2004.

Digital Library

[10]

K. Levchenko, R. Paturi, and G. Varghese. On the difficulty of scalably detecting network attacks. In Proc. ACM Symp. on Computer and Communication Security, 2004.

Digital Library

[11]

G. Manku and R. Motwani. Approximate frequency counts over data streams. In Proc. VLDB, 2002.

Digital Library

[12]

S. Muthukrishnan. Data stream algorithms and applications. Url: http://www.cs.rutgers.edu/~muthu/stream-1-1.ps.

[13]

J. Newsome, B. Karp, and D. Song. Polygraph: Automatically generating signatures for polymorphic worms. In Proc. IEEE Security and Privacy, 2005.

Digital Library

[14]

S. Sen, O. Spatscheck, and D. Wang. Accurate, scalable in-network identification of P2P traffic using application signatures. In Proc. WWW Conf., 2004.

Digital Library

[15]

S. Singh, C. Estan, G. Varghese, and S. Savage. Automated worm fingerprinting. In Proc. OSDI, 2004.

Digital Library

Cited By

Busnel YTillé Y(2020)Attack-tolerant Unequal Probability Sampling Methods over Sliding Window for Distributed StreamsProceedings of the 2020 the 4th International Conference on Compute and Data Analysis10.1145/3388142.3388162(72-78)Online publication date: 9-Mar-2020
https://dl.acm.org/doi/10.1145/3388142.3388162
Busnel YCaillouet CCoudert D(2019)Self-organized UAV-based Supervision and Connectivity: Challenges and Opportunities2019 IEEE 18th International Symposium on Network Computing and Applications (NCA)10.1109/NCA.2019.8935060(1-5)Online publication date: Sep-2019
https://doi.org/10.1109/NCA.2019.8935060
Antunes NPipiras VVeitch D(2017)Skampling for the Flow Duration Distribution2017 29th International Teletraffic Congress (ITC 29)10.23919/ITC.2017.8064340(63-71)Online publication date: Sep-2017
https://doi.org/10.23919/ITC.2017.8064340
Show More Cited By

Index Terms

Detecting malicious network traffic using inverse distributions of packet contents
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
  2. Systems security
    1. Operating systems security

Recommendations

Detecting botnet by anomalous traffic

Botnets can cause significant security threat and huge loss to organizations, and are difficult to discover their existence. Therefore they have become one of the most severe threats on the Internet. The core component of botnets is their command and ...
Simulating realistic network worm traffic for worm warning system design and testing
WORM '03: Proceedings of the 2003 ACM workshop on Rapid malcode

Reproducing the effects of large-scale worm attacks in a laboratory setup in a realistic and reproducible manner is an important issue for the development of worm detection and defense systems. In this paper, we describe a worm simulation model we are ...
An Advanced Hybrid Peer-to-Peer Botnet

A “botnet” consists of a network of compromised computers controlled by an attacker (“botmaster”). Recently, botnets have become the root cause of many Internet attacks. To be well prepared for future attacks, it is not enough to study how to detect and ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

MineNet '05: Proceedings of the 2005 ACM SIGCOMM workshop on Mining network data

August 2005

296 pages

ISBN:1595930264

DOI:10.1145/1080173

Conference Chairs:
Subhabrata Sen
AT&T Labs-Research
,
Chuanyi Ji
Georgia Tech
,
Debanjan Saha
IBM Research
,
Joe McCloskey
Dept. of Defense

Copyright © 2005 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 22 August 2005

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

SIGCOMM05

Sponsor:

SIGCOMM05: ACM SIGCOMM 2005 Conference

August 26, 2005

Pennsylvania, Philadelphia, USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

26
Total Citations
View Citations
802
Total Downloads

Downloads (Last 12 months)70
Downloads (Last 6 weeks)11

Reflects downloads up to 06 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Busnel YTillé Y(2020)Attack-tolerant Unequal Probability Sampling Methods over Sliding Window for Distributed StreamsProceedings of the 2020 the 4th International Conference on Compute and Data Analysis10.1145/3388142.3388162(72-78)Online publication date: 9-Mar-2020
https://dl.acm.org/doi/10.1145/3388142.3388162
Busnel YCaillouet CCoudert D(2019)Self-organized UAV-based Supervision and Connectivity: Challenges and Opportunities2019 IEEE 18th International Symposium on Network Computing and Applications (NCA)10.1109/NCA.2019.8935060(1-5)Online publication date: Sep-2019
https://doi.org/10.1109/NCA.2019.8935060
Antunes NPipiras VVeitch D(2017)Skampling for the Flow Duration Distribution2017 29th International Teletraffic Congress (ITC 29)10.23919/ITC.2017.8064340(63-71)Online publication date: Sep-2017
https://doi.org/10.23919/ITC.2017.8064340
Barkay NPorat EShalem B(2015)Efficient sampling of non-strict turnstile data streamsTheoretical Computer Science10.1016/j.tcs.2015.01.026590:C(106-117)Online publication date: 26-Jul-2015
https://dl.acm.org/doi/10.1016/j.tcs.2015.01.026
Anceaume EBusnel Y(2014)A Distributed Information Divergence Estimation over Data StreamsIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2013.10125:2(478-487)Online publication date: 1-Feb-2014
https://dl.acm.org/doi/10.1109/TPDS.2013.101
Marnerides ASchaeffer-Filho AMauthe A(2014)Traffic anomaly diagnosis in Internet backbone networksComputer Networks: The International Journal of Computer and Telecommunications Networking10.1016/j.comnet.2014.08.00773:C(224-243)Online publication date: 14-Nov-2014
https://dl.acm.org/doi/10.1016/j.comnet.2014.08.007
Zhou XLiu WLi ZGao W(2014)A Continuous Virtual Vector-Based Algorithm for Measuring Cardinality DistributionAlgorithms and Architectures for Parallel Processing10.1007/978-3-319-11194-0_4(43-53)Online publication date: 2014
https://doi.org/10.1007/978-3-319-11194-0_4
Busnel YCruz NGillet DHolzer AMiranda H(2013)Reinventing Mobile Community Computing and CommunicationProceedings of the 2013 12th IEEE International Conference on Trust, Security and Privacy in Computing and Communications10.1109/TrustCom.2013.175(1450-1457)Online publication date: 16-Jul-2013
https://dl.acm.org/doi/10.1109/TrustCom.2013.175
Barkay NPorat EShalem B(2013)Efficient sampling of non-strict turnstile data streamsProceedings of the 19th international conference on Fundamentals of Computation Theory10.1007/978-3-642-40164-0_8(48-59)Online publication date: 19-Aug-2013
https://dl.acm.org/doi/10.1007/978-3-642-40164-0_8
Kawamoto KIchino MHatada MOtsuki YYoshiura HKatto J(2013)Evaluation of Secular Changes in Statistical Features of Traffic for the Purpose of Malware DetectionSoftware Engineering, Artificial Intelligence, Networking and Parallel/Distributed Computing 201210.1007/978-3-642-32172-6_1(1-11)Online publication date: 2013
https://doi.org/10.1007/978-3-642-32172-6_1
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents