TY - GEN
T1 - A flow analysis for mining traffic anomalies
AU - Kanda, Yoshiki
AU - Fukuda, Kensuke
AU - Sugawara, Toshiharu
PY - 2010
Y1 - 2010
N2 - Although analyzing anomalous network traffic behavior is a popular research topic, few studies have been undertaken on the analysis of communication patterns per host based on their flows to characterize anomalous Internet traffic. This paper discusses the possibility of using a flow-based communication pattern per host as a metric to identify anomalies. The key idea underlying our method is that scanning worm-infected hosts reveal the intrinsic characteristics of a host's communication pattern, and such patterns are distinguishable from those of other hosts. In particular, we found that scanning worm-infected hosts that generated a lot of flows revealed the intrinsic communication pattern, and the pattern could be classified from those of other hosts by k-means clustering. We also found that our flow-based metric could isolate the anomalies that have little influence upon the volumetric information of traffic and flow as "lines", which is remarkable in that the hosts that caused the hidden anomalies were mined out.
AB - Although analyzing anomalous network traffic behavior is a popular research topic, few studies have been undertaken on the analysis of communication patterns per host based on their flows to characterize anomalous Internet traffic. This paper discusses the possibility of using a flow-based communication pattern per host as a metric to identify anomalies. The key idea underlying our method is that scanning worm-infected hosts reveal the intrinsic characteristics of a host's communication pattern, and such patterns are distinguishable from those of other hosts. In particular, we found that scanning worm-infected hosts that generated a lot of flows revealed the intrinsic communication pattern, and the pattern could be classified from those of other hosts by k-means clustering. We also found that our flow-based metric could isolate the anomalies that have little influence upon the volumetric information of traffic and flow as "lines", which is remarkable in that the hosts that caused the hidden anomalies were mined out.
UR - http://www.scopus.com/inward/record.url?scp=77955412204&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=77955412204&partnerID=8YFLogxK
U2 - 10.1109/ICC.2010.5502463
DO - 10.1109/ICC.2010.5502463
M3 - Conference contribution
AN - SCOPUS:77955412204
SN - 9781424464043
T3 - IEEE International Conference on Communications
BT - 2010 IEEE International Conference on Communications, ICC 2010
T2 - 2010 IEEE International Conference on Communications, ICC 2010
Y2 - 23 May 2010 through 27 May 2010
ER -