Application-Specific Traffic Anomaly Detection Using Universal Background Model

Alizadeh, Hassan; Khoshrou, Samaeh; Zúquete, André

doi:10.1145/2713579.2713586

Cited by 4 publications

(4 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Regarding a possible evasion by a sophisticated, detection‐aware intrusion, we have defined a blend of existing real‐time methodologies for building our application‐specific profiles and described a possible anomaly detection system in order to detect intrusions in applications. We are currently working on extending our framework , for generating application‐specific profiles.…”

Section: Resultsmentioning

confidence: 99%

See 1 more Smart Citation

Traffic classification for managing Applications’ networking profiles

Alizadeh

Zúquete

2016

Security Comm Networks

Self Cite

View full text Add to dashboard Cite

Along with the growing number of applications and end‐users, online network attacks and advanced generations of malware have continuously proliferated. Many studies have addressed the issue of intrusion detection by inspecting aggregated network traffic with no knowledge of the responsible applications/services. Such systems fail to detect intrusions in applications whenever their abnormal traffic fits into the network normality profiles. We address the problem of detecting intrusions in (known) applications when their traffic exhibits anomalies. Building traffic profiles for each separate application is the main challenge of this problem. This paper surveys traffic classification methodologies, within a taxonomy framework, to find out the best possible traffic classification methodologies that could help us answer the following question: given a traffic sample, generated by a particular application, does it conforms to the expected application's traffic? The key requirements for a practical solution are discussed. Then, the referred traffic classification methodologies are assessed in terms of their capabilities, limitations and challenges for being used as a part of this solution. The approaches based on “multiple sub‐flows” have shown the potential to be used for building robust and practical per‐application profiles in near real‐time. An overview of a blend of real‐time approaches is also described. Copyright © 2016 John Wiley & Sons, Ltd.

show abstract

Section: Resultsmentioning

confidence: 99%

“…In , we proposed a detection system that exploits application‐specific traffic profiles in order to validate the genuinity of a claimed application. Unlike binary classifiers, each specific profile is built only from normal traffic instances of one specific application.…”

Section: Discussionmentioning

confidence: 99%

Traffic classification for managing Applications’ networking profiles

Alizadeh

Zúquete

2016

Security Comm Networks

Self Cite

View full text Add to dashboard Cite

show abstract

“…These methods have the ability to provide near real-time detection with high accuracy levels. However, as for payload-based classification, also payload-based verification suffers from high computational costs, privacy concerns, and difficulties when dealing with encrypted or otherwise securely encapsulated traffic [39]. Alternative approaches utilise the information available in the non-encrypted IP packet header and analyse statistical characteristics of flows regardless of packet payload.…”

Section: B Traffic Verificationmentioning

confidence: 99%

“…To meet the first requirement, we proposed architectures that provide a binding between network traffic and source application that allows checking whether a packet/flow claimed by an application conforms to its expected traffic model [42], [43]. For the second requirement, we proposed GMM with automatic learning to model per-application traffic [2], [39], [44]. However, our prior application-specific models were still trained with features obtained from the entire packet flows and were not accurate enough for detecting anomalies in a timely manner before the end of a flow.…”

Section: B Traffic Verificationmentioning

confidence: 99%

Timely Classification and Verification of Network Traffic Using Gaussian Mixture Models

et al. 2020

Self Cite

View full text Add to dashboard Cite

We present a novel approach for timely classification and verification of network traffic using Gaussian Mixture Models (GMMs). We generate a separate GMM for each class of applications using component-wise expectation-maximization (CEM) to match the network traffic distribution generated by these applications. We apply our models for both traffic classification, where the goal is to identify the source application from which the traffic originates, by evaluating the maximum posterior probability, and for traffic verification, where the goal is to verify whether the application that claims to be the source of the traffic is as expected, by likelihood testing. Our models use only the first initial packets of truncated flows in order to provide more efficient and timely traffic classification and verification. This allows for triggering timely countermeasures before the end of flows. We demonstrate the effectiveness of our approach by experiments on a public dataset collected from a real network. Our traffic classification approach outperforms other state-of-the-art approaches that are based on machine learning, and achieves up to 97.7% flow classification accuracy when using only 9 first initial packets of flows. We show that 96.6% flow classification accuracy can still be obtained when training the GMMs using only 0.5% of all flows. Our traffic verification approach achieves a minimum Half Total Error Rate (HTER) of 7.65% when using only 6 first initial packets of flows.INDEX TERMS Gaussian mixture model (GMM), traffic classification, traffic anomaly detection.

show abstract