In this thesis, we address three major issues in analyzing network traffic using statistical signal processing methods:
Network traffic control and data planes. We decompose enterprise LAN TCP traffic into control and data planes, and use the control-plane traffic as a surrogate for the combined traffic to make network traffic analysis more efficient and scalable. We show through visual plots and multivariate statistical analysis that the two traffic groups behave similarly, compare them using the cross-correlation function, and show that dissimilarity between them is an indication of abnormal behavior. We also study the Long-Range Dependence (LRD) of the two groups by traffic direction and find that this lets us focus on smaller segments of the traffic.
Detecting periodic behavior in network traffic. We develop an efficient, robust multivariate method for detecting periodic behavior in network traffic. The method evaluates the periodogram of several count-feature sequences derived from the traffic trace and tests the significance of each periodogram's peak.
Botnet command and control (C2) traffic. In many botnet variants, bots periodically exchange code and updates, so we detect bots by detecting the periodic behavior of their C2 traffic. We use SLINGbot to implement two botnet variants, TinyP2P and IRC, and show that the C2 traffic of both exhibits periodic behavior. We add background and random noise traffic to the C2 traffic to test the method's performance, and find that address-count sequences are more robust to background traffic than the other count sequences: the number of hosts a given host communicates with during a time window is relatively small, so background traffic has little effect on the address count. We show that the method's performance increases with the duty cycle and/or the length of the observed traffic, and decreases as the period length decreases. Finally, we compare the periodic behavior of C2 traffic with that of E-mail traffic and explain that the two are easily distinguished because E-mail traffic uses well-known port numbers.
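The following Python is an added example, not the thesis's own code or data, showing the detection method described above on a constructed flow log: a bot beacons to a C2 server with a fixed period and duty cycle while also generating a large but address-poor volume of background traffic. Packet-count and distinct-destination-address-count sequences are built per time window, the periodogram of each is computed, and the peak is tested with Fisher's g-test. Fisher's g-test is one standard significance test for a periodogram peak; the abstract does not name the test the thesis uses, so that choice, the host addresses, the window length and all traffic parameters are assumptions of this example.

```python
"""Periodogram-based periodicity detection over per-window count sequences.
Added example; all traffic below is constructed, not taken from SLINGbot or the thesis data."""
import cmath
import math
import random

BOT = "10.0.0.5"                                       # assumed bot host (constructed)
C2 = "203.0.113.7"                                     # assumed C2 server (constructed)
BG_SERVERS = ["10.0.0.20", "10.0.0.21", "10.0.0.22"]   # assumed bulk-traffic peers (constructed)


def make_traffic(n_windows, period, duty_cycle, beacon_pkts=3, bg_range=(20, 80), seed=7):
    """Constructed flow log: list of (window_index, src, dst) records sent by BOT.

    C2 beacons: in every `period` windows the bot sends `beacon_pkts` packets to C2
    during the first `duty_cycle` fraction of the period.  Background: in every
    window the bot also sends a random number of packets (uniform over bg_range)
    to a small set of servers, i.e. many packets but few distinct addresses, the
    case in which address counts are expected to be more robust than packet counts.
    """
    rng = random.Random(seed)
    active_windows = int(round(duty_cycle * period))
    records = []
    for w in range(n_windows):
        if w % period < active_windows:
            records.extend((w, BOT, C2) for _ in range(beacon_pkts))
        for _ in range(rng.randint(*bg_range)):
            records.append((w, BOT, rng.choice(BG_SERVERS)))
    return records


def count_sequences(records, n_windows):
    """Two count-feature sequences per window: packet count and distinct destination-address count."""
    pkts = [0] * n_windows
    dsts = [set() for _ in range(n_windows)]
    for w, _src, dst in records:
        pkts[w] += 1
        dsts[w].add(dst)
    return pkts, [len(s) for s in dsts]


def periodogram(x):
    """One-sided periodogram I(k) = |X_k|^2 / N for k = 1..floor((N-1)/2) of the
    mean-removed sequence.  Direct DFT, adequate for a few hundred windows."""
    n = len(x)
    mean = sum(x) / n
    xc = [v - mean for v in x]
    spec = []
    for k in range(1, (n - 1) // 2 + 1):
        xk = sum(xc[t] * cmath.exp(-2j * math.pi * k * t / n) for t in range(n))
        spec.append(abs(xk) ** 2 / n)
    return spec


def fisher_g_pvalue(g, m):
    """Exact tail probability P(G >= g) of Fisher's g = max I(k) / sum I(k) over m
    periodogram ordinates under the white-Gaussian-noise null hypothesis."""
    p = 0.0
    for j in range(1, min(m, int(1.0 / g)) + 1):
        p += (-1) ** (j - 1) * math.comb(m, j) * (1.0 - j * g) ** (m - 1)
    return min(max(p, 0.0), 1.0)   # clamp floating-point cancellation error


def detect_period(x, alpha=0.01):
    """Locate the periodogram peak and report its period (in windows) and significance."""
    spec = periodogram(x)
    total = sum(spec)
    if total == 0.0:                       # constant sequence, nothing to test
        return {"periodic": False, "period_windows": None, "g": 0.0, "p_value": 1.0}
    k = max(range(len(spec)), key=spec.__getitem__) + 1   # frequency index of the peak
    g = spec[k - 1] / total
    p = fisher_g_pvalue(g, len(spec))
    return {"periodic": p < alpha, "period_windows": len(x) / k, "g": g, "p_value": p}


def analyze(n_windows=512, period=16, duty_cycle=0.25, alpha=0.01):
    """Run the detector over both count sequences of the constructed traffic."""
    pkts, addrs = count_sequences(make_traffic(n_windows, period, duty_cycle), n_windows)
    return {"packet_count": detect_period(pkts, alpha), "address_count": detect_period(addrs, alpha)}


if __name__ == "__main__":
    for name, res in analyze().items():
        print(f"{name:14s} periodic={res['periodic']} period={res['period_windows']} "
              f"g={res['g']:.3f} p={res['p_value']:.2e}")
```

With these parameters the beacon is a 4-on/12-off pulse train, so the fundamental at period 16 dominates both the harmonics and, for the address count, the near-constant background; for the packet count the same beacon is buried under background volume whose per-window variance is two orders of magnitude larger than the beacon's, so its peak is not significant. Shortening the period or the trace, or lowering the duty cycle, reduces the fundamental's share of the spectrum in the same way the abstract describes.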
School: Carnegie Mellon University
School Location: United States -- Pennsylvania
Source: DAI-B 71/02, Dissertation Abstracts International
Subjects: Electrical engineering, Computer science
Keywords: Botnets, Long-range dependence, Network traffic