Detecting malicious network traffic using inverse distributions of packet contents

Vijay Karamcheti; Davi Geiger; Zvi Kedem; S. Muthukrishnan

doi:10.1145/1080173.1080176

Detecting malicious network traffic using inverse distributions of packet contents

Vijay Karamcheti, Davi Geiger, Zvi Kedem, S. Muthukrishnan

Computer Science

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

We study the problem of detecting malicious IP traffic in the network early, by analyzing the contents of packets. Existing systems look at packet contents as a bag of substrings and study characteristics of its base distribution B where B(i) is the frequency of substring i.We propose studying the inverse distribution I where I(f) is the number of substrings that appear with frequency f. As we show using a detailed case study, the inverse distribution shows the emergence of malicious traffic very clearly not only in its "static" collection of bumps, but also in its nascent "dynamic" state when the phenomenon manifests itself only as a distortion of the inverse distribution envelope. We describe our probabilistic analysis of the inverse distribution in terms of Gaussian mixtures, our preliminary solution for discovering these bumps automatically. Finally, we briefly discuss challenges in analyzing the inverse distribution of IP contents and its applications.

Original language	English (US)
Title of host publication	Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005
Pages	165-170
Number of pages	6
DOIs	https://doi.org/10.1145/1080173.1080176
State	Published - Dec 1 2005
Event	ACM SIGCOMM 2005 1st Workshop on Mining Network Data, MineNet 2005 - Philadelphia, PA, United States Duration: Aug 26 2005 → Aug 26 2005

Publication series

Name	Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005

Other

Other	ACM SIGCOMM 2005 1st Workshop on Mining Network Data, MineNet 2005
Country	United States
City	Philadelphia, PA
Period	8/26/05 → 8/26/05

Keywords

content analysis
inverse distribution
worms

ASJC Scopus subject areas

Computer Science Applications

Access to Document

10.1145/1080173.1080176

Cite this

Karamcheti, V., Geiger, D., Kedem, Z., & Muthukrishnan, S. (2005). Detecting malicious network traffic using inverse distributions of packet contents. In Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005 (pp. 165-170). (Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005). https://doi.org/10.1145/1080173.1080176

Detecting malicious network traffic using inverse distributions of packet contents. / Karamcheti, Vijay; Geiger, Davi ; Kedem, Zvi; Muthukrishnan, S.

Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005. 2005. p. 165-170 (Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Karamcheti, V, Geiger, D , Kedem, Z & Muthukrishnan, S 2005, Detecting malicious network traffic using inverse distributions of packet contents. in Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005. Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005, pp. 165-170, ACM SIGCOMM 2005 1st Workshop on Mining Network Data, MineNet 2005, Philadelphia, PA, United States, 8/26/05. https://doi.org/10.1145/1080173.1080176

@inproceedings{aa6bb4f83bec47c1b55ba9a3e1b09acd,

title = "Detecting malicious network traffic using inverse distributions of packet contents",

abstract = "We study the problem of detecting malicious IP traffic in the network early, by analyzing the contents of packets. Existing systems look at packet contents as a bag of substrings and study characteristics of its base distribution B where B(i) is the frequency of substring i.We propose studying the inverse distribution I where I(f) is the number of substrings that appear with frequency f. As we show using a detailed case study, the inverse distribution shows the emergence of malicious traffic very clearly not only in its {"}static{"} collection of bumps, but also in its nascent {"}dynamic{"} state when the phenomenon manifests itself only as a distortion of the inverse distribution envelope. We describe our probabilistic analysis of the inverse distribution in terms of Gaussian mixtures, our preliminary solution for discovering these bumps automatically. Finally, we briefly discuss challenges in analyzing the inverse distribution of IP contents and its applications.",

keywords = "content analysis, inverse distribution, worms",

author = "Vijay Karamcheti and Davi Geiger and Zvi Kedem and S. Muthukrishnan",

year = "2005",

month = dec,

day = "1",

doi = "10.1145/1080173.1080176",

language = "English (US)",

isbn = "1595930264",

series = "Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005",

pages = "165--170",

booktitle = "Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005",

note = "ACM SIGCOMM 2005 1st Workshop on Mining Network Data, MineNet 2005 ; Conference date: 26-08-2005 Through 26-08-2005",

}

TY - GEN

T1 - Detecting malicious network traffic using inverse distributions of packet contents

AU - Karamcheti, Vijay

AU - Geiger, Davi

AU - Kedem, Zvi

AU - Muthukrishnan, S.

PY - 2005/12/1

Y1 - 2005/12/1

N2 - We study the problem of detecting malicious IP traffic in the network early, by analyzing the contents of packets. Existing systems look at packet contents as a bag of substrings and study characteristics of its base distribution B where B(i) is the frequency of substring i.We propose studying the inverse distribution I where I(f) is the number of substrings that appear with frequency f. As we show using a detailed case study, the inverse distribution shows the emergence of malicious traffic very clearly not only in its "static" collection of bumps, but also in its nascent "dynamic" state when the phenomenon manifests itself only as a distortion of the inverse distribution envelope. We describe our probabilistic analysis of the inverse distribution in terms of Gaussian mixtures, our preliminary solution for discovering these bumps automatically. Finally, we briefly discuss challenges in analyzing the inverse distribution of IP contents and its applications.

AB - We study the problem of detecting malicious IP traffic in the network early, by analyzing the contents of packets. Existing systems look at packet contents as a bag of substrings and study characteristics of its base distribution B where B(i) is the frequency of substring i.We propose studying the inverse distribution I where I(f) is the number of substrings that appear with frequency f. As we show using a detailed case study, the inverse distribution shows the emergence of malicious traffic very clearly not only in its "static" collection of bumps, but also in its nascent "dynamic" state when the phenomenon manifests itself only as a distortion of the inverse distribution envelope. We describe our probabilistic analysis of the inverse distribution in terms of Gaussian mixtures, our preliminary solution for discovering these bumps automatically. Finally, we briefly discuss challenges in analyzing the inverse distribution of IP contents and its applications.

KW - content analysis

KW - inverse distribution

KW - worms

UR - http://www.scopus.com/inward/record.url?scp=79251558204&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=79251558204&partnerID=8YFLogxK

U2 - 10.1145/1080173.1080176

DO - 10.1145/1080173.1080176

M3 - Conference contribution

AN - SCOPUS:79251558204

SN - 1595930264

SN - 9781595930262

T3 - Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005

SP - 165

EP - 170

BT - Proceedings of ACM SIGCOMM 2005 Workshop on Mining Network Data, MineNet 2005

T2 - ACM SIGCOMM 2005 1st Workshop on Mining Network Data, MineNet 2005

Y2 - 26 August 2005 through 26 August 2005

ER -