Using Low-Rate Flow Periodicities for Anomaly Detection: Extended. Bartlett, G., Heidemann, J., & Papadopoulos, C. Technical Report ISI-TR-2009-661, USC/Information Sciences Institute, August, 2009.

Abstract: As desktops and servers become more complicated, they employ an increasing amount of automatic, non-user initiated communication. Such communication can be good (OS updates, RSS feed readers, and mail polling), bad (keyloggers, spyware, and botnet command-and-control), or ugly (adware or unauthorized peer-to-peer applications). Communication in these applications is often periodic but infrequent, perhaps every few minutes to few hours. This infrequent communication and the complexity of today's systems makes these applications difficult for users to detect and diagnose. We show that there are several classes of applications that show low-rate periodicity and demonstrate that they are widely deployed on public networks. In this paper we present a new approach to identify changes in low-rate periodic network traffic. We employ signal-processing techniques, using discrete wavelets implemented as a fully decomposed, iterated filter bank. This approach allows us to cover a large range of low-rate periodicities, from seconds to hours, and to identify approximate times when traffic changed. Network administrators and users can use our techniques for network- or self-surveillance. To measure the effectiveness of our approach, we show that it can detect changes in periodic behavior caused by events such as installation of keyloggers, an interruption in OS update checks, or the P2P application BitTorrent. We quantify the sensitivity of our approach, showing that we can find periodic traffic when it is at least 5–10% of overall traffic.

BibTeX:
@TechReport{Bartlett09a,
author = "Genevieve Bartlett and John Heidemann and Christos Papadopoulos",
title = "Using Low-Rate Flow Periodicities for Anomaly
Detection: Extended",
institution = "USC/Information Sciences Institute",
year = 2009,
sortdate = "2009-08-01",
number = "ISI-TR-2009-661",
month = aug,
keywords = "low-rate periodic detection, wavelet, traffic",
project = "ant, lander, madcat",
jsubject = "spectral_network",
jlocation = "johnh: pafile",
url = "https://ant.isi.edu/%7ejohnh/PAPERS/Bartlett09a.html",
pdfurl = "https://ant.isi.edu/%7ejohnh/PAPERS/Bartlett09a.pdf",
otherurl = "ftp://ftp.isi.edu/isi-pubs/tr-661.pdf",
myorganization = "USC/Information Sciences Institute",
copyrightholder = "authors",
abstract = "As desktops and servers become more complicated,
they employ an increasing amount of automatic,
non-user initiated communication. Such
communication can be good (OS updates, RSS feed
readers, and mail polling), bad (keyloggers,
spyware, and botnet command-and-control), or ugly
(adware or unauthorized peer-to-peer applications).
Communication in these applications is often
periodic but infrequent, perhaps every few minutes
to few hours. This infrequent communication and the
complexity of today's systems makes these
applications difficult for users to detect and
diagnose. We show that there are several classes of
applications that show low-rate periodicity and
demonstrate that they are widely deployed on public
networks. In this paper we present a new approach
to identify changes in low-rate periodic network
traffic. We employ signal-processing techniques,
using discrete wavelets implemented as a fully
decomposed, iterated filter bank. This approach
allows us to cover a large range of low-rate
periodicities, from seconds to hours, and to
identify approximate times when traffic changed.
Network administrators and users can use our
techniques for network- or self-surveillance. To
measure the effectiveness of our approach, we show
that it can detect changes in periodic behavior
caused by events such as installation of keyloggers,
an interruption in OS update checks, or the P2P
application BitTorrent. We quantify the sensitivity
of our approach, showing that we can find periodic
traffic when it is at least 5--10\% of overall
traffic.",
}