Free download of the paper: Time-activity footprints in IP traffic

Persian title
Time-activity footprints in IP traffic
English title
Time-activity footprints in IP traffic
Pages (Persian version)
0
Pages (English version)
12
Year of publication
2016
Publisher
Elsevier
Format of the English paper
PDF
Product code
E907
Fields related to this paper
Computer engineering and information technology engineering
Specializations related to this paper
Computer networks
Journal
Computer Networks
Institution
Institute of Telecommunications, Austria
Keywords
Communication networks, traffic characterization, time-domain analysis, cluster analysis
Abstract

Abstract


This paper studies the temporal behavior of communication flows in the Internet. Characterizing flows by their temporal patterns supports traffic classification and filtering for network management and network security in situations where full packet data is not accessible (e.g., obfuscated or encrypted traffic) or cannot be analyzed because of privacy concerns or resource limitations. In this paper we define a time-activity feature vector that describes the temporal behavior of flows. We then use cluster analysis to capture the most common time-activity patterns in real Internet traffic, using traces from the MAWI dataset. We discovered a set of seven time-activity footprints and show that 95.3% of the analyzed flows can be characterized by these footprints, which represent different behaviors for the three main protocols (4 in TCP, 1 in ICMP and 2 in UDP). In addition, we found that the majority of the observed flows consisted of short, one-time bursts. An in-depth inspection revealed, besides some DNS traffic, the preponderance of a large number of scanning, probing, DoS attacks and backscatter traffic in the network. Flows transmitting meaningful data became outliers among short, one-time bursts of unwanted traffic.

Conclusion

11. Conclusion


In this paper we investigated the temporal behavior of communication flows in IP networks. We defined a time-activity feature vector that captures the temporal behavior of flows. Clustering these feature vectors discovered seven time-activity footprints, namely T1, T2, T3, T4, I1, U1 and U2, which together cover 95.3% of all flows. Time-activity patterns detected massive events that showed well-delimited shapes in the time-activity expression and were bound to the following communication phenomena:

• T1 identified unsuccessful TCP connection attempts and, eventually, abnormal TCP scanning.
• T2 identified a TCP Tsunami SYN flood attack and answers to UDP DNS queries within a specific packet size range.
• T3 identified TCP horizontal scans and UDP horizontal scans with no payload, and, in a lower proportion, TCP flows from scanned hosts.
• T4 identified servers rejecting TCP reconnection attempts, retransmitted SYNs from waiting clients, and overloaded servers suffering DoS attacks.
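The abstract and the conclusion above describe the method only in outline: a per-flow time-activity feature vector, clustered to find recurring footprints, with one-time bursts turning out to be the dominant pattern. The following Python is an added illustration, not code from the paper or its authors, and the feature definition is an assumption made here: each flow is a list of packet timestamps, the observation window is cut into fixed bins, and the vector is the share of the flow's packets per bin sorted in descending order, so it captures the shape of the activity (one burst vs. spread out) rather than when in the window it occurred. The flows, window length and bin count are constructed sample values; the k-means routine is a plain deterministic implementation, not the clustering algorithm used in the paper.

```python
"""Added example: time-activity feature vectors for IP flows and a small
clustering pass that groups flows by the shape of their activity over time.
Assumptions (not from the paper): a flow is a list of packet timestamps, the
observation window is split into fixed bins, and the feature vector is the
per-bin share of the flow's packets sorted in descending order."""
from math import sqrt
from typing import Dict, List, Sequence

WINDOW_SECONDS = 10.0   # constructed observation window
BINS = 10               # number of equal time bins in the window

# Constructed sample flows: flow id -> packet timestamps (seconds from trace start).
SAMPLE_FLOWS: Dict[str, List[float]] = {
    "burst-a": [0.10, 0.11, 0.12],                    # one-time burst early in the window
    "burst-b": [7.50, 7.52],                          # one-time burst late in the window
    "burst-c": [3.00, 3.01, 3.02, 3.03],              # one-time burst mid-window
    "steady-a": [i * 0.5 for i in range(20)],         # activity spread over the whole window
    "steady-b": [i * 0.4 + 0.2 for i in range(25)],   # also spread, slightly uneven
}


def time_activity_vector(timestamps: Sequence[float],
                         window: float = WINDOW_SECONDS,
                         bins: int = BINS) -> List[float]:
    """Share of the flow's packets per bin, sorted descending (assumed feature)."""
    counts = [0] * bins
    for t in timestamps:
        if 0.0 <= t < window:
            counts[int(t / window * bins)] += 1
    total = sum(counts)
    if total == 0:
        return [0.0] * bins
    return sorted((c / total for c in counts), reverse=True)


def is_one_time_burst(vector: Sequence[float]) -> bool:
    """True when all of the flow's packets fall into a single bin."""
    return vector[0] == 1.0


def _distance(a: Sequence[float], b: Sequence[float]) -> float:
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def kmeans(vectors: List[List[float]], k: int, iterations: int = 50) -> List[int]:
    """Deterministic k-means: seed with the first vector, then repeatedly with the
    vector farthest from the seeds chosen so far; returns one label per vector."""
    centroids = [list(vectors[0])]
    while len(centroids) < k:
        farthest = max(vectors, key=lambda v: min(_distance(v, c) for c in centroids))
        centroids.append(list(farthest))
    labels = [0] * len(vectors)
    for _ in range(iterations):
        labels = [min(range(k), key=lambda i: _distance(v, centroids[i])) for v in vectors]
        updated = []
        for i in range(k):
            members = [v for v, lab in zip(vectors, labels) if lab == i]
            updated.append([sum(col) / len(members) for col in zip(*members)]
                           if members else centroids[i])
        if updated == centroids:
            break
        centroids = updated
    return labels


def footprint_clusters(flows: Dict[str, List[float]] = SAMPLE_FLOWS,
                       k: int = 2) -> Dict[str, int]:
    """Cluster label for each flow id; flows with similar activity shapes share a label."""
    ids = list(flows)
    vectors = [time_activity_vector(flows[fid]) for fid in ids]
    return dict(zip(ids, kmeans(vectors, k)))


def one_time_burst_share(flows: Dict[str, List[float]] = SAMPLE_FLOWS) -> float:
    """Fraction of flows that are one-time bursts (the dominant pattern the paper reports)."""
    bursts = sum(is_one_time_burst(time_activity_vector(ts)) for ts in flows.values())
    return bursts / len(flows)


if __name__ == "__main__":
    for fid, label in footprint_clusters().items():
        print(f"{fid:9s} cluster={label} top bins={time_activity_vector(SAMPLE_FLOWS[fid])[:3]}")
    print(f"one-time bursts: {one_time_burst_share():.0%}")
```

Sorting the bin shares is what makes the three bursts land in one cluster even though they occur at different times; without it, a burst at the start and a burst at the end of the window would be as far apart in Euclidean distance as a burst and a spread-out flow. On real traces the window, bin count and number of clusters would have to be tuned, and the resulting clusters inspected by hand, as the paper does, before mapping them to phenomena such as scans or SYN floods.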