Exploring Graph-Based Network Traffic Monitoring

IEEE INFOCOM Workshops 2009 Pub Date : 2009-04-19 DOI:10.1109/INFCOMW.2009.5072143

Marios Iliofotou

{"title":"Exploring Graph-Based Network Traffic Monitoring","authors":"Marios Iliofotou","doi":"10.1109/INFCOMW.2009.5072143","DOIUrl":null,"url":null,"abstract":"Monitoring network traffic and classifying applications are essential functions for network administrators. These tasks are becoming increasingly challenging since (a) many applications obfuscate their traffic using nonstandard ports, and (b) new applications constantly appear. This suggests the need for a behavioral-based approach, where the detector looks for fundamental behaviors of the application that are both intrinsic to the application and distinct from normal traffic. Identifying intrinsic behaviors makes it difficult for application writers to disguise such behaviors without defeating the very purpose of the application. In this paper, we propose a graph-based representation of network traffic which captures the network-wide interactions of applications. In these graphs, nodes are individual IP address and edges between nodes represent particular communications. For example, an edge might represent the exchange of a single packet, or the exchange of at least ten packets of any type. We call such graphs \"Traffic Dispersion Graphs\" or TDGs [3]. As a proof of concept we show that our proposed graph-based classifier out-perfoms BLINC [4] in detecting P2P traffic on backbone links. Our results are very promising, showing that TDGs can provide the basis for the next generation of network monitoring tools.","PeriodicalId":252414,"journal":{"name":"IEEE INFOCOM Workshops 2009","volume":"190 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2009-04-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"9","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE INFOCOM Workshops 2009","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/INFCOMW.2009.5072143","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 9

Abstract

Monitoring network traffic and classifying applications are essential functions for network administrators. These tasks are becoming increasingly challenging since (a) many applications obfuscate their traffic using nonstandard ports, and (b) new applications constantly appear. This suggests the need for a behavioral-based approach, where the detector looks for fundamental behaviors of the application that are both intrinsic to the application and distinct from normal traffic. Identifying intrinsic behaviors makes it difficult for application writers to disguise such behaviors without defeating the very purpose of the application. In this paper, we propose a graph-based representation of network traffic which captures the network-wide interactions of applications. In these graphs, nodes are individual IP address and edges between nodes represent particular communications. For example, an edge might represent the exchange of a single packet, or the exchange of at least ten packets of any type. We call such graphs "Traffic Dispersion Graphs" or TDGs [3]. As a proof of concept we show that our proposed graph-based classifier out-perfoms BLINC [4] in detecting P2P traffic on backbone links. Our results are very promising, showing that TDGs can provide the basis for the next generation of network monitoring tools.

查看原文本刊更多论文

探索基于图的网络流量监控

网络流量监控和应用分类是网络管理员必备的功能。这些任务正变得越来越具有挑战性，因为(a)许多应用程序使用非标准端口混淆它们的流量，以及(b)新的应用程序不断出现。这表明需要一种基于行为的方法，在这种方法中，检测器寻找应用程序的基本行为，这些行为既是应用程序固有的，又是与正常流量不同的。识别内在行为使得应用程序编写者很难在不违背应用程序真正目的的情况下掩饰这些行为。在本文中，我们提出了一种基于图的网络流量表示，它捕获了应用程序在网络范围内的交互。在这些图中，节点是单独的IP地址，节点之间的边表示特定的通信。例如，一条边可以表示单个数据包的交换，或者至少十个任何类型的数据包的交换。我们称这种图为“交通离散图”或tdg[3]。作为概念证明，我们提出的基于图的分类器在检测骨干链路上的P2P流量方面优于blinc[4]。我们的结果非常有希望，表明tdg可以为下一代网络监控工具提供基础。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

IEEE INFOCOM Workshops 2009

自引率

0.00%

发文量