Detecting Anomalous Traffic using Communication Graphs

Conference: WTC - World Telecommunications Congress 2010 - Telecommunications: The Infrastructure for the 21st Century
09/13/2010 - 09/14/2010 at Vienna, Austria

Proceedings: WTC - World Telecommunications Congress 2010

Pages: 6Language: englishTyp: PDF

Personal VDE Members are entitled to a 10% discount on this title

Authors:
Ishibashi, Keisuke; Kondoh, Tsuyoshi (NTT Information Sharing Platform Laboratories, Japan)
Harada, Shigeaki (NTT-WEST Research and Development Center, Japan)
Mori, Tatsuya; Kawahara, Ryoichi (NTT Service Integration Laboratories, Japan)
Asano, Shoichiro (National Institute of Informatics, Japan)

Abstract:
We present a method to detect anomalies in a time series of inter-host communication patterns. There are many existing methods for anomaly detection in a time series of traffic volume data, such as number of packets or bytes. However, there is no established method detecting anomalies in a time series of communication patterns that can be represented as graphs. Extracting communication structure enables us to identify low-intensity anomalous network events, e.g., botnet command and control communications, which cannot be detected with conventional volume-based anomaly detection schemes. In this paper, we first define the similarity of two graphs, and then we present a method to detect any anomalous graph that has little similarity with other graphs. This method was evaluated with actual traffic data, and anomalous graphs in which new clusters appeared were detected.