|
 ABSTRACT
While the problem of analyzing network traffic at the granularity of individual connections has seen considerable previous work and tool development, understanding traffic at a higher level - the structure of user-initiated sessions comprised of groups of related connections - remains much less explored. Some types of session structure, such as the coupling between an FTP control connection and the data connections it spawns, have prespecified forms, though the specifications do not guarantee how the forms appear in practice. Other types of sessions, such as a user reading email with a browser, only manifest empirically. Still other sessions might exist without us even knowing of their presence, such as a botnet zombie receiving instructions from its master and proceeding in turn to carry them out. We present algorithms rooted in the statistics of Poisson processes that can mine a large corpus of network connection logs to extract the apparent structure of application sessions embedded in the connections. Our methods are semi-automated in that we aim to present an analyst with high-quality information (expressed as regular expressions) reflecting different possible abstractions of an application's session structure. We develop and test our methods using traces from a large Internet site, finding diversity in the number of applications that manifest, their different session structures, and the presence of abnormal behavior. Our work has applications to traffic characterization and monitoring, source models for synthesizing network traffic, and anomaly detection.
REFERENCES
Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.
 |
1
|
|
| |
2
|
A. Blum, D. Song, and S. Venkataraman. Detection of interactive stepping stones: Algorithms and confidence bounds. In 7th International Symposium on Recent Advances in Intrusion Detection (RAID 2004), pages 20--29, Sep 2004.
|
| |
3
|
|
| |
4
|
K. Claffy, H.-W. Braun, and G. Polyzos. A parameterizable methodology for internet traffic flow profiling. IEEE JSAC, 13(8):1481--1494, 1995.
|
| |
5
|
M. Costa, J. Crowcroft, M. Castro, A. Rowstron, C. Shannon, and J. Brown. Can we contain Internet worms? In Proc. HOTNETS, 2004.
|
| |
6
|
|
| |
7
|
|
| |
8
|
W. Cui, V. Paxson, N. Weaver, and R. H. Katz. Protocol-Independent Adaptive Replay of Application Dialog. In Proc. NDSS, San Deigo, CA, Feb 2006.
|
| |
9
|
P. Danzig, S. Jamin, R. Caceres, D. Mitzel, and D. Estrin. "an empirical workload model for driving wide-area tcpip network simulations". Internetworking: Research and Experience, 3(1):1--26, 1992.
|
| |
10
|
|
| |
11
|
H. Fowler and W. Leland. Local area network traffic characteristics, with implications for broadband network congestion management. IEEE JSAC, 9(7):1139--1149, 1991.
|
| |
12
|
Finite State Automata Utilities (version 6.2). http://odur.let.rug.nl/~ vannoord/Fsa/.
|
| |
13
|
Graphviz - Graph Visualization Software. http://www.graphviz.org/.
|
| |
14
|
S. Heimlich. Traffic characterization of the nsfnet national backbone. In Proc. Winter USENIX Conference, 1990.
|
| |
15
|
R. Jain and S. Routhier. Packet trains - measurements and a new model for computer network traffic. IEEE JSAC, 4(6):986--995, 1986.
|
| |
16
|
J. Kannan, J. Jung, V. Paxson, and C. E. Koksal. Detecting hidden causality in network connections. Technical report, University of California, Berkeley, 2005.
|
| |
17
|
A. Kumar, V. Paxson, and N. Weaver. Exploiting underlying structure for detailed reconstruction of an internet-scale event. In Proc. ACM IMC, Oct 2005.
|
| |
18
|
|
| |
19
|
Justin Ma , Kirill Levchenko , Christian Kreibich , Stefan Savage , Geoffrey M. Voelker, Unexpected means of protocol inference, Proceedings of the 6th ACM SIGCOMM on Internet measurement, October 25-27, 2006, Rio de Janeriro, Brazil
[doi> 10.1145/1177080.1177123]
|
| |
20
|
Daniel A. Menascé , Virgilio A. F. Almeida , Rodrigo Fonseca , Marco A. Mendes, A methodology for workload characterization of E-commerce sites, Proceedings of the 1st ACM conference on Electronic commerce, p.119-128, November 03-05, 1999, Denver, Colorado, United States
[doi> 10.1145/336992.337024]
|
| |
21
|
Vern Paxson, End-to-end Internet packet dynamics, Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication, p.139-152, September 14-18, 1997, Cannes, France
[doi> 10.1145/263105.263155]
|
| |
22
|
|
| |
23
|
J. Newsome and D. Song. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proc. NDSS, 2005.
|
| |
24
|
|
| |
25
|
Jitendra Padhye , Victor Firoiu , Don Towsley , Jim Kurose, Modeling TCP throughput: a simple model and its empirical validation, Proceedings of the ACM SIGCOMM '98 conference on Applications, technologies, architectures, and protocols for computer communication, p.303-314, August 31-September 04, 1998, Vancouver, British Columbia, Canada
[doi> 10.1145/285237.285291]
|
| |
26
|
|
| |
27
|
Vern Paxson, Automated packet trace analysis of TCP implementations, Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication, p.167-179, September 14-18, 1997, Cannes, France
[doi> 10.1145/263105.263160]
|
| |
28
|
Vern Paxson, End-to-end Internet packet dynamics, Proceedings of the ACM SIGCOMM '97 conference on Applications, technologies, architectures, and protocols for computer communication, p.139-152, September 14-18, 1997, Cannes, France
[doi> 10.1145/263105.263155]
|
| |
29
|
|
| |
30
|
TCP Ports List, UDP Ports List. http://seifried.org/security/ports.
|
| |
31
|
The Protocol Informatics Project. http:www.//baselineresearch.net/PI/.
|
| |
32
|
S. M. Ross. Introduction to Probability Models, 8th Edition. Academic Press, 2003.
|
| |
33
|
F. Donelson Smith , Félix Hernández Campos , Kevin Jeffay , David Ott, What TCP/IP protocol headers can tell us about the web, Proceedings of the 2001 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, p.245-256, June 2001, Cambridge, Massachusetts, United States
[doi> 10.1145/378420.378789]
|
| |
34
|
S. Staniford, S. Cheung, R. Crawford, M. Dilger, J. Frank, J. Hoagland, K. Levitt, C. Wee, R. Yip, and D. Zerkle. GrIDS - A graph-based intrusion detection system for large networks. In Proc. National Information Systems Security Conference, 1996.
|
| |
35
|
|
| |
36
|
Timbuktu Pro Remote Control Software. http://www.netopia.com/software/productst/b2/.
|
| |
37
|
Walter Willinger , Murad S. Taqqu , Robert Sherman , Daniel V. Wilson, Self-similarity through high-variability: statistical analysis of ethernet LAN traffic at the source level, Proceedings of the conference on Applications, technologies, architectures, and protocols for computer communication, p.100-113, August 28-September 01, 1995, Cambridge, Massachusetts, United States
[doi> 10.1145/217382.217418]
|
| |
38
|
|
| |
39
|
|
| |
40
|
Yin Zhang , Lee Breslau , Vern Paxson , Scott Shenker, On the characteristics and origins of internet flow rates, Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications, August 19-23, 2002, Pittsburgh, Pennsylvania, USA
[doi> 10.1145/633025.633055]
|
| |
41
|
|
| |
42
|
Y. Zhang and V. Paxson. Detecting Stepping Stones. In Proc. 9th USENIX Security Symposium, Denver, CO, Aug 2000.
|
CITED BY 8
|
|
|
|
|
Juan Caballero , Heng Yin , Zhenkai Liang , Dawn Song, Polyglot: automatic extraction of protocol message format using dynamic binary analysis, Proceedings of the 14th ACM conference on Computer and communications security, October 28-31, 2007, Alexandria, Virginia, USA
|
|
|
Weidong Cui , Marcus Peinado , Karl Chen , Helen J. Wang , Luis Irun-Briz, Tupni: automatic reverse engineering of input formats, Proceedings of the 15th ACM conference on Computer and communications security, October 27-31, 2008, Alexandria, Virginia, USA
|
|
|
|
|
|
Zhichun Li , Anup Goyal , Yan Chen , Vern Paxson, Automating analysis of large-scale botnet probing events, Proceedings of the 4th International Symposium on Information, Computer, and Communications Security, March 10-12, 2009, Sydney, Australia
|
|
|
|
|
|
Juan Caballero , Pongsin Poosankam , Christian Kreibich , Dawn Song, Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering, Proceedings of the 16th ACM conference on Computer and communications security, November 09-13, 2009, Chicago, Illinois, USA
|
|
|
Lucian Popa , Byung-Gon Chun , Ion Stoica , Jaideep Chandrashekar , Nina Taft, Macroscope: end-point approach to networked application dependency discovery, Proceedings of the 5th international conference on Emerging networking experiments and technologies, December 01-04, 2009, Rome, Italy
|
|
Adobe Acrobat
QuickTime
Windows Media Player
Real Player
Pdf
C.2