Internet Traffic Behavior Profiling for Network Security Monitoring

Xu, Kuai; Bhattacharyya, Supratik

doi:10.1109/tnet.2007.911438

Cited by 82 publications

(5 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The adversary may also discover compromised clients or hosts (by worms, viruses, etc.) based on traffic patterns [69,70] and select targets for future attacks. An A2 adversary can profile clients and track their activity only based on IP [42,71,73], even without cookies or when privacy browsing is being used.…”

Section: Threat Modelmentioning

confidence: 99%

“…Clients in an enterprise network (e.g., campus, corporate, or access network) are exposed to many attacks that threaten their privacy in today's connected world. For example, an Internet Protocol (IP) address can be used to identify a client and device communicating on the Internet, enabling client activity and location tracking [13,27,42,48,53,[69][70][71]73]. The problem will become more severe as enterprise networks adopt IPv6, where each client may get a persistent, publicly-routable IPv6 address that makes it easier for an adversary to locate a client and analyze its traffic [13,27,53].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

RAVEN: Stateless Rapid IP Address Variation for Enterprise Networks

Wang

Kim

Mittal

et al. 2023

PoPETs

View full text Add to dashboard Cite

Enterprise networks face increasing threats against the privacy of their clients. Existing enterprise services like Network Address Translation (NAT) offer limited privacy protection, at the cost of requiring per-flow state. In this paper, we introduce RAVEN (Rapid Address Variation for Enterprise Networks), a network-based privacy solution that is complementary to application-layer defenses. RAVEN protects privacy by frequently changing the client's public IP address. With RAVEN, a client is not limited to using a single IP address at a given time, or even for a given connection. RAVEN goes further, breaking the association between packets that belong to the same connection by frequently changing the client's IP address within a single connection. RAVEN achieves this through a novel division of labor: the client uses a transport protocol, like QUIC, that supports seamless connection migration, and decides when to switch its IP address, while the enterprise network actually changes the client's IP address in a stateless manner at line rate and ensures end-to-end packet delivery. We implement RAVEN using QUIC and off-the-shelf programmable switches. We deploy RAVEN in a test IPv6 network and evaluate its defense against webpage fingerprinting attacks. Even with a strong adversary, the average precision of the best adaptive attacks drops from 0.96 to 0.84, with a 0.5% degradation in client throughput. When RAVEN changes IP addresses at unpredictable frequency, the precision of the best attacks falls to 0.78---the same effectiveness as WTF-PAD.

show abstract

Section: Threat Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

RAVEN: Stateless Rapid IP Address Variation for Enterprise Networks

Wang

Kim

Mittal

et al. 2023

PoPETs

View full text Add to dashboard Cite

show abstract

“…In [26], entropy was used for profiling per-host behaviour in Internet traffic. Each of the source and destination IP addresses and ports was aggregated and the entropies of the three remaining features gave a three-dimensional entropy space with a total of 27 behaviour clusters.…”

Section: Related Workmentioning

confidence: 99%

“…At this point, we will generalize the concept of the in-degree and out-degree features, used in [26] [32], which is defined by a total number of distinct source hosts per each destination host and a total number of distinct destination hosts per each source host, labelled as S[D] and D[S], respectively. Taking into consideration any other identifying features that are not used in the aggregation key, such as source and destination ports, we can additionally count the distinct occurrence of these features per aggregated element.…”

Section: Flow Feature Selectionmentioning

confidence: 99%

Entropy-based network traffic anomaly classification method resilient to deception

Ibrahim

Gajin

2022

COMSIS J

View full text Add to dashboard Cite

Entropy-based network traffic anomaly detection techniques are attractive due to their simplicity and applicability in a real-time network environment. Even though flow data provide only a basic set of information about network communications, they are suitable for efficient entropy-based anomaly detection techniques. However, a recent work reported a serious weakness of the general entropy-based anomaly detection related to its susceptibility to deception by adding spoofed data that camouflage the anomaly. Moreover, techniques for further classification of the anomalies mostly rely on machine learning, which involves additional complexity. We address these issues by providing two novel approaches. Firstly, we propose an efficient protection mechanism against entropy deception, which is based on the analysis of changes in different entropy types, namely Shannon, R?nyi, and Tsallis entropies, and monitoring the number of distinct elements in a feature distribution as a new detection metric. The proposed approach makes the entropy techniques more reliable. Secondly, we have extended the existing entropy-based anomaly detection approach with the anomaly classification method. Based on a multivariate analysis of the entropy changes of multiple features as well as aggregation by complex feature combinations, entropy-based anomaly classification rules were proposed and successfully verified through experiments. Experimental results are provided to validate the feasibility of the proposed approach for practical implementation of efficient anomaly detection and classification method in the general real-life network environment.

show abstract

“…As it is said in [7], a habitual traffic profile, called baseline, is present in communication networks. Different kind of attacks present deviations from this baseline and these features could be used to detect certain anomalies in traffic behavior (DoS [8], DDoS [9], brute force attacks [10]).…”

Section: Introductionmentioning

confidence: 99%

Network Data Unsupervised Clustering to Anomaly Detection

López-Vizcaíno¹,

Dafonte²,

Nóvoa³

et al. 2018

XoveTIC Congress 2018

View full text Add to dashboard Cite

In these days, organizations rely on the availability and security of their communication networks to perform daily operations. As a result, network data must be analyzed in order to provide an adequate level of security and to detect anomalies or malfunctions in the systems. Due to the increase of devices connected to these networks, the complexity to analyze data related to its communications also grows. We propose a method, based on Self-Organized Maps, which combine numerical and categorical features, to ease communication network data analysis. Also, we have explored the possibility of using different sources of data.

show abstract

Internet Traffic Behavior Profiling for Network Security Monitoring

Cited by 82 publications

References 29 publications

RAVEN: Stateless Rapid IP Address Variation for Enterprise Networks

RAVEN: Stateless Rapid IP Address Variation for Enterprise Networks

Entropy-based network traffic anomaly classification method resilient to deception

Network Data Unsupervised Clustering to Anomaly Detection

Contact Info

Product

Resources

About