Detecting Anomalous Traffic using Communication Graphs

Conference: WTC - World Telecommunications Congress 2010 - Telecommunications: The Infrastructure for the 21st Century
13.09.2010 - 14.09.2010 in Vienna, Austria

Proceedings: WTC - World Telecommunications Congress 2010

Pages: 6
Language: English
Type: PDF


Ishibashi, Keisuke; Kondoh, Tsuyoshi (NTT Information Sharing Platform Laboratories, Japan)
Harada, Shigeaki (NTT-WEST Research and Development Center, Japan)
Mori, Tatsuya; Kawahara, Ryoichi (NTT Service Integration Laboratories, Japan)
Asano, Shoichiro (National Institute of Informatics, Japan)

We present a method to detect anomalies in a time series of inter-host communication patterns. There are many existing methods for anomaly detection in a time series of traffic volume data, such as the number of packets or bytes. However, there is no established method for detecting anomalies in a time series of communication patterns that can be represented as graphs. Extracting communication structure enables us to identify low-intensity anomalous network events, e.g., botnet command and control communications, which cannot be detected with conventional volume-based anomaly detection schemes. In this paper, we first define the similarity of two graphs, and then we present a method to detect any anomalous graph that has little similarity with other graphs. This method was evaluated with actual traffic data, and anomalous graphs in which new clusters appeared were detected.