Detecting malicious network traffic using inverse distributions of packet contents

Vijay Karamcheti, Davi Geiger, Zvi Kedem, S. Muthukrishnan

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

We study the problem of detecting malicious IP traffic in the network early, by analyzing the contents of packets. Existing systems look at packet contents as a bag of substrings and study characteristics of its base distribution B where B(i) is the frequency of substring i.We propose studying the inverse distribution I where I(f) is the number of substrings that appear with frequency f. As we show using a detailed case study, the inverse distribution shows the emergence of malicious traffic very clearly not only in its "static" collection of bumps, but also in its nascent "dynamic" state when the phenomenon manifests itself only as a distortion of the inverse distribution envelope. We describe our probabilistic analysis of the inverse distribution in terms of Gaussian mixtures, our preliminary solution for discovering these bumps automatically. Finally, we briefly discuss challenges in analyzing the inverse distribution of IP contents and its applications.

Original languageEnglish (US)
Title of host publicationProceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005
Pages165-170
Number of pages6
DOIs
StatePublished - Dec 1 2005
EventACM SIGCOMM 2005 1st Workshop on Mining Network Data, MineNet 2005 - Philadelphia, PA, United States
Duration: Aug 26 2005Aug 26 2005

Publication series

NameProceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005

Other

OtherACM SIGCOMM 2005 1st Workshop on Mining Network Data, MineNet 2005
CountryUnited States
CityPhiladelphia, PA
Period8/26/058/26/05

Keywords

  • content analysis
  • inverse distribution
  • worms

ASJC Scopus subject areas

  • Computer Science Applications

Cite this

Karamcheti, V., Geiger, D., Kedem, Z., & Muthukrishnan, S. (2005). Detecting malicious network traffic using inverse distributions of packet contents. In Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005 (pp. 165-170). (Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005). https://doi.org/10.1145/1080173.1080176