Abstract
We study the problem of detecting malicious IP traffic in the network early, by analyzing the contents of packets. Existing systems look at packet contents as a bag of substrings and study characteristics of its base distribution B, where B(i) is the frequency of substring i. We propose studying the inverse distribution I, where I(f) is the number of substrings that appear with frequency f. As we show using a detailed case study, the inverse distribution shows the emergence of malicious traffic very clearly not only in its "static" collection of bumps, but also in its nascent "dynamic" state, when the phenomenon manifests itself only as a distortion of the inverse distribution envelope. We describe our probabilistic analysis of the inverse distribution in terms of Gaussian mixtures, our preliminary solution for discovering these bumps automatically. Finally, we briefly discuss challenges in analyzing the inverse distribution of IP contents and its applications.
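The abstract defines the two distributions in one sentence each; the following is an added worked example (constructed data, not code from the paper or its authors) that computes both over a bag of 4-byte substrings of packet payloads and shows the "bump" the abstract refers to. The benign traffic is random lowercase text; the worm-like traffic carries one constructed, fixed upper-case signature string (`WORM_SIG`, an assumption for the demo) so that its internal 4-grams repeat once per infected packet. The substring length, the packet counts and the signature are all assumptions, not values from the paper.

```python
"""
Base distribution B and inverse distribution I of packet contents,
as an added illustration of the abstract's definitions (constructed data).
"""
from collections import Counter
import random
import string

# Constructed signature; any byte string that repeats across packets would do.
WORM_SIG = b"CONSTRUCTED-WORM-SIGNATURE-EXAMPLE"  # 34 bytes -> 31 internal 4-grams


def substrings(payload: bytes, n: int):
    """Yield every n-byte substring (n-gram) of one payload."""
    for i in range(len(payload) - n + 1):
        yield payload[i:i + n]


def base_distribution(payloads, n: int = 4) -> Counter:
    """B(i): how many times substring i occurs across all payloads."""
    B = Counter()
    for p in payloads:
        B.update(substrings(p, n))
    return B


def inverse_distribution(B: Counter) -> dict:
    """I(f): number of distinct substrings that occur exactly f times."""
    return dict(Counter(B.values()))


def bump_mass(I: dict, min_freq: int) -> int:
    """Number of distinct substrings at frequency >= min_freq.

    For benign, high-entropy payloads the inverse distribution is concentrated
    at small f; a set of substrings sitting far to the right is the 'bump'.
    """
    return sum(count for f, count in I.items() if f >= min_freq)


def make_traffic(seed: int = 1, n_benign: int = 200, n_worm: int = 50):
    """Return (benign_only, benign_plus_worm) lists of constructed payloads."""
    rng = random.Random(seed)

    def rand_text(k: int) -> bytes:
        return "".join(rng.choice(string.ascii_lowercase) for _ in range(k)).encode()

    benign = [rand_text(64) for _ in range(n_benign)]
    # Each worm packet embeds the same signature between random surroundings,
    # so only the signature's internal 4-grams repeat exactly n_worm times.
    worm = [rand_text(10) + WORM_SIG + rand_text(20) for _ in range(n_worm)]
    return benign, benign + worm


def main() -> None:
    benign, mixed = make_traffic()
    for label, payloads in (("benign", benign), ("benign+worm", mixed)):
        I = inverse_distribution(base_distribution(payloads, 4))
        print(f"{label}: I(f) for f in ascending order")
        for f in sorted(I):
            print(f"  f={f:3d}  substrings={I[f]}")
        print(f"  substrings with f >= 20: {bump_mass(I, 20)}")


if __name__ == "__main__":
    main()
```

In the benign-only run every frequency class sits at f of 1, 2 or 3, which is the smooth envelope; with the worm packets added, 31 substrings (the signature's internal 4-grams) appear at exactly f = 50 and nothing else comes close, which is the isolated bump the abstract describes. The `bump_mass` threshold is a demo choice; the paper fits Gaussian mixtures to the envelope rather than using a fixed cutoff.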
Original language | English (US) |
---|---|
Title of host publication | Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005 |
Pages | 165-170 |
Number of pages | 6 |
DOIs | 10.1145/1080173.1080176 |
State | Published - 2005 |
Event | ACM SIGCOMM 2005 1st Workshop on Mining Network Data, MineNet 2005 - Philadelphia, PA, United States |
Duration | Aug 26 2005 → Aug 26 2005 |
Other
Other | ACM SIGCOMM 2005 1st Workshop on Mining Network Data, MineNet 2005 |
---|---|
Country | United States |
City | Philadelphia, PA |
Period | 8/26/05 → 8/26/05 |
Keywords
- content analysis
- inverse distribution
- worms
ASJC Scopus subject areas
- Computer Science Applications
Cite this
Detecting malicious network traffic using inverse distributions of packet contents. / Karamcheti, Vijay; Geiger, Davi; Kedem, Zvi; Muthukrishnan, Shanmugavelayutham.
Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005. 2005. p. 165-170.
Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
TY - GEN
T1 - Detecting malicious network traffic using inverse distributions of packet contents
AU - Karamcheti, Vijay
AU - Geiger, Davi
AU - Kedem, Zvi
AU - Muthukrishnan, Shanmugavelayutham
PY - 2005
Y1 - 2005
AB - We study the problem of detecting malicious IP traffic in the network early, by analyzing the contents of packets. Existing systems look at packet contents as a bag of substrings and study characteristics of its base distribution B, where B(i) is the frequency of substring i. We propose studying the inverse distribution I, where I(f) is the number of substrings that appear with frequency f. As we show using a detailed case study, the inverse distribution shows the emergence of malicious traffic very clearly not only in its "static" collection of bumps, but also in its nascent "dynamic" state, when the phenomenon manifests itself only as a distortion of the inverse distribution envelope. We describe our probabilistic analysis of the inverse distribution in terms of Gaussian mixtures, our preliminary solution for discovering these bumps automatically. Finally, we briefly discuss challenges in analyzing the inverse distribution of IP contents and its applications.
KW - content analysis
KW - inverse distribution
KW - worms
UR - http://www.scopus.com/inward/record.url?scp=79251558204&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=79251558204&partnerID=8YFLogxK
U2 - 10.1145/1080173.1080176
DO - 10.1145/1080173.1080176
M3 - Conference contribution
AN - SCOPUS:79251558204
SN - 1595930264
SN - 9781595930262
SP - 165
EP - 170
BT - Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005
ER -