그래프 기반의 비정상 네트워크 트래픽 탐지

Graph-based Detection of Anomalous Network Traffic

Abstract/Summary

In recent years, network traffic anomaly detection has become an important area for both academic research and commercial applications. Abnormalities in network traffic are caused by cyber-attacks such as distributed denial of service (DDoS), spam mail, Internet worms and scanning attacks. Network operators must detect and mitigate such abnormal traffic to provide safe and stable network services. In this thesis, we propose a novel approach for detecting anomalous network traffic in a time series. The proposed method is based on graph-theoretic concepts such as degree distribution, degree assortativity, maximum degree, and dK-2 distance. In our approach, we use traffic dispersion graphs (TDGs) to model and analyze communication patterns in network traffic over time, focusing on the communication structure of the TDGs. By analyzing the differences between TDGs across the time series, the method is able to detect low-intensity anomalous network behaviors that change the structural properties of the network, such as botnet command and control communication between bots (malware-infected hosts), which cannot be identified by conventional volume-based anomaly detection techniques. In this thesis, we also introduce a method for identifying attack patterns in anomalous traffic. Finally, we evaluate our approach with the 1999 DARPA intrusion detection dataset, a network trace from POSTECH in July 2009, the CAIDA DDoS trace, and network traffic generated by real bots in virtual machines of a honeynet. We also implement a real-time anomaly detection system based on our approach, and validate the ability of the system by generating TCP port scanning traffic.
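The abstract names the metrics the thesis applies to traffic dispersion graphs (maximum degree, degree assortativity, entropy of the degree distribution, dK-2 distance) and the idea of comparing TDGs of consecutive time windows. The following is an added example, not code from the thesis: it builds an undirected TDG per window from constructed flow records (one edge per communicating host pair, so repeated flows do not change the graph), computes the metrics with the standard library only, and flags a window whose maximum degree or dK-2 distance from the previous window jumps. The flow records, window layout, threshold values and function names are all assumptions made for illustration.

```python
"""Added example: TDG metrics over time windows (not the thesis's own code)."""
from collections import Counter
import math

# Constructed flows: (window, src, dst). Windows 0 and 1 hold an ordinary
# client/server mix; window 2 adds one host fanning out to eight distinct hosts.
# The repeated (0, "c1", "S1") flow shows that volume does not change the TDG.
FLOWS = [
    (0, "c1", "S1"), (0, "c1", "S1"), (0, "c2", "S1"),
    (0, "c3", "S2"), (0, "c4", "S2"), (0, "c1", "S2"),
    (1, "c1", "S1"), (1, "c2", "S1"),
    (1, "c3", "S2"), (1, "c4", "S2"), (1, "c2", "S2"),
    (2, "c1", "S1"), (2, "c2", "S1"), (2, "c3", "S2"), (2, "c4", "S2"),
] + [(2, "X", f"h{i}") for i in range(1, 9)]


def build_tdg(flows, window):
    """Undirected TDG edge set for one window: one edge per host pair."""
    return {frozenset((s, d)) for w, s, d in flows if w == window and s != d}


def degrees(edges):
    deg = Counter()
    for e in edges:
        for node in e:
            deg[node] += 1
    return deg


def max_degree(edges):
    d = degrees(edges)
    return max(d.values()) if d else 0


def assortativity(edges):
    """Pearson correlation of the degrees at the two ends of each edge."""
    d = degrees(edges)
    if len(edges) < 2:
        return 0.0
    pairs = []
    for e in edges:
        a, b = tuple(e)
        pairs += [(d[a], d[b]), (d[b], d[a])]  # both orientations: symmetric
    n = len(pairs)
    mx = sum(x for x, _ in pairs) / n
    my = sum(y for _, y in pairs) / n
    cov = sum((x - mx) * (y - my) for x, y in pairs)
    vx = sum((x - mx) ** 2 for x, _ in pairs)
    vy = sum((y - my) ** 2 for _, y in pairs)
    return 0.0 if vx == 0 or vy == 0 else cov / math.sqrt(vx * vy)


def degree_entropy(edges):
    """Shannon entropy (bits) of the node degree distribution."""
    d = degrees(edges)
    total = len(d)
    hist = Counter(d.values())
    return -sum((c / total) * math.log2(c / total) for c in hist.values())


def dk2(edges):
    """dK-2 series: fraction of edges joining nodes of degree (k1, k2), k1 <= k2."""
    d = degrees(edges)
    joint = Counter(tuple(sorted((d[a], d[b]))) for a, b in map(tuple, edges))
    m = len(edges)
    return {k: v / m for k, v in joint.items()}


def dk2_distance(edges_a, edges_b):
    """Total variation distance between two dK-2 distributions (0 = identical)."""
    p, q = dk2(edges_a), dk2(edges_b)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in set(p) | set(q))


def window_metrics(flows, window):
    e = build_tdg(flows, window)
    return {"nodes": len(degrees(e)), "edges": len(e), "kmax": max_degree(e),
            "assortativity": assortativity(e), "entropy": degree_entropy(e)}


def flag_anomalies(flows, windows, kmax_ratio=2.0, dk2_threshold=0.5):
    """Compare each window with its predecessor; return {window: [reasons]}."""
    flagged = {}
    for prev, cur in zip(windows, windows[1:]):
        e_prev, e_cur = build_tdg(flows, prev), build_tdg(flows, cur)
        reasons = []
        if max_degree(e_cur) >= kmax_ratio * max(max_degree(e_prev), 1):
            reasons.append("kmax_jump")
        if dk2_distance(e_prev, e_cur) >= dk2_threshold:
            reasons.append("dk2_shift")
        if reasons:
            flagged[cur] = reasons
    return flagged


if __name__ == "__main__":
    for w in (0, 1, 2):
        print(w, window_metrics(FLOWS, w))
    print(flag_anomalies(FLOWS, [0, 1, 2]))
```

Windows 0 and 1 have the same joint degree structure, so their dK-2 distance is zero even though the client/server pairings differ; window 2 keeps the same baseline flows but the fan-out host shifts the joint degree mass onto (1, 8) pairs and is flagged on both metrics, which is the kind of structural change the abstract describes detecting independently of traffic volume.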

Table of Contents

1 Introduction 1
2 Related Work 4
2.1 Statistic-based Anomaly Detection 4
2.2 Machine Learning based Anomaly Detection 5
2.3 Graph-based Anomaly Detection 6
3 Graph-based Network Traffic Analysis 9
3.1 Network Traffic Modeling 9
3.2 Graph Metrics 10
3.2.1 Static Metrics 11
3.2.1.1 Node degree 11
3.2.1.2 Vino, Vin, Vout 11
3.2.1.3 Maximum degree (Kmax) 12
3.2.1.4 Degree Assortativity 12
3.2.1.5 Entropy of the degree distribution 13
3.2.2 Dynamic Metrics 13
3.2.2.1 Graph edit distance 13
3.2.2.2 dK-2 distance metric 13
3.3 Graph Matching 14
4 Anomaly Detection and Attack Identification 16
4.1 Anomaly Detection 16
4.2 Attack Identification 21
4.2.1 Attack pattern 21
4.2.2 Attack detection 23
5 Validation 25
5.1 The 1999 DARPA/MIT Lincoln Intrusion Detection Dataset 25
5.2 POSTECH traces in July 2009 29
5.3 Synthesized Traffic Dataset 34
5.4 Real-time Anomaly Detection System 37
5.4.1 Flow Generation 39
5.4.2 Flow Store 40
5.4.3 TDGs generation 40
5.4.4 Graph metrics analysis 40
5.4.5 Anomaly classification 40
5.4.6 Anomaly notification 41
5.4.7 User interfaces 41
5.4.8 Real-time Anomaly Detection System Testing 43
6 Conclusions and Future Work 44
6.1 Thesis Contributions 44
6.2 Future Work 44
References 46