Abstract
The discovery and description of IP traffic behavior is of great significance for both network operation management and network security monitoring. Research demonstrates that the traffic behavior of different IPs shows similarities, so IPs can be clustered by behavior similarity. In our work, such similar traffic behaviors are depicted by a specific behavior pattern called an IP address role. Towards this end, a unidirectional IP flow record is used to represent an independent IP activity. Traffic behavior metrics are defined in four dimensions: the duration time, the peer address, the application type, and the number of packets and bytes contained in the flow, which correspond to the temporal, spatial, category and intensity dimensions, respectively. Nine single-attribute and thirty-nine dual-attribute metrics are extracted from these four dimensions to compose the IP address traffic characteristic spectrum, which profiles the behavior of all IPs in the observed network and provides the data for describing the behavior of each class of IP. These classes are established by a characteristic-spectrum-matched IP address role mining algorithm designed in this paper. NetFlow data collected from several border routers of the China Education and Research Network (CERNET) backbone is used to verify the method. Experimental results demonstrate that our approach can be applied to anomalous behavior detection and to the analysis of mainstream behavioral habits.
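The pipeline sketched in the abstract (unidirectional flow records, per-IP metrics in the temporal, spatial, category and intensity dimensions, a spectrum vector, and clustering of IPs into roles by spectrum similarity), as an added illustration that is not the paper's code: the flow records are constructed, the six metrics are an assumed simplification rather than the paper's nine single-attribute and thirty-nine dual-attribute metrics, and the greedy threshold clustering stands in for the paper's role mining algorithm, which the abstract does not specify.

```python
from statistics import mean
from math import sqrt

# Constructed unidirectional flow records (not the paper's CERNET NetFlow), one per
# independent IP activity: (src_ip, dst_ip, dst_port, duration_s, packets, bytes)
FLOWS = [
    ("10.0.0.1", "203.0.113.5", 443, 12.0, 40, 30000),
    ("10.0.0.1", "203.0.113.6", 443, 9.0, 35, 25000),
    ("10.0.0.1", "203.0.113.7", 80, 5.0, 20, 12000),
    ("10.0.0.2", "203.0.113.5", 443, 11.0, 38, 29000),
    ("10.0.0.2", "203.0.113.8", 443, 8.0, 30, 22000),
    ("10.0.0.2", "203.0.113.9", 80, 6.0, 22, 13000),
    ("10.0.0.3", "203.0.113.10", 22, 0.1, 1, 60),    # scanner-like source: one packet
    ("10.0.0.3", "203.0.113.11", 23, 0.1, 1, 60),    # per flow, a new port per peer
    ("10.0.0.3", "203.0.113.12", 445, 0.1, 1, 60),
]

def spectrum(flows):
    """Assumed simplified spectrum per source IP (the paper's 48 metrics are not listed)."""
    spec = {}
    for ip in sorted({f[0] for f in flows}):
        fs = [f for f in flows if f[0] == ip]
        peers, ports = {f[1] for f in fs}, {f[2] for f in fs}
        spec[ip] = [
            mean(f[3] for f in fs),          # temporal: mean flow duration
            len(peers),                      # spatial: distinct peer addresses
            len(ports),                      # category: distinct application ports
            mean(f[4] for f in fs),          # intensity: packets per flow
            mean(f[5] / f[4] for f in fs),   # intensity: bytes per packet
            len(peers) / len(ports),         # dual-attribute: peers per port
        ]
    return spec

def normalize(spec):
    """Min-max scale each metric to [0, 1] so the four dimensions are comparable."""
    cols = list(zip(*spec.values()))
    lo, hi = [min(c) for c in cols], [max(c) for c in cols]
    return {ip: [(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(vec, lo, hi)]
            for ip, vec in spec.items()}

def mine_roles(spec, threshold=0.5):
    """Greedy role mining: join the first role whose seed is within `threshold`, else open one."""
    seeds, roles = [], {}
    for ip, vec in normalize(spec).items():
        rid = next((i for i, s in enumerate(seeds)
                    if sqrt(sum((a - b) ** 2 for a, b in zip(vec, s))) <= threshold), None)
        if rid is None:                 # no similar role yet: this IP seeds a new one
            rid, seeds = len(seeds), seeds + [vec]
        roles[ip] = rid
    return roles
```

With these records the two web-client-like sources share one role while the scanner-like source opens a second, which is the kind of minority role that the abstract proposes to surface for anomaly detection.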
Acknowledgements
This work was conducted with the support of the Jiangsu Key Laboratory of Computer Networking Technology and the Key Laboratory of Computer Network and Information Integration (Southeast University), Ministry of Education, and of several projects, including the National Natural Science Foundation of China under Grant No. 61602114, the CERNET Innovation Project (No. NGII20170406) and the Key Research and Development Program of China under Grant No. 2017YFB0801703. Any opinions, findings and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of those sponsors.
Cite this article
Zang, X., Gong, J., Huang, S. et al. IP backbone traffic behavior characteristic spectrum composing and role mining. CCF Trans. Netw. 2, 153–171 (2019). https://doi.org/10.1007/s42045-019-00023-9