[Back]

F. Iglesias Vazquez, T. Zseby:
"Time-activity footprints in IP traffic";
Computer Networks, 107 (2016), 1; 64 - 75.

This paper studies the temporal behavior of communication flows in the Internet. Characterization of flows by temporal patterns supports traffic classification and filtering for network management and network security in situations where full packet data is not accessible (e.g. obfuscated or encrypted traffic) or cannot be analyzed due to privacy concerns or resource limitations. In this paper we define a time activity feature vector that describes the temporal behavior of flows. Later, we use cluster analysis to capture the most common time activity patterns in real Internet traffic using traces from the MAWI dataset. We discovered a set of 7 time-activity footprints and show that 95.3% of the analyzed flows can be characterized based on such footprints, which represent different behaviors for the three main protocols (4 in TCP, 1 in ICMP and 2 in UDP). In addition, we found that the majority of the observed flows consisted of short, one-time bursts. An in-depth inspection revealed, besides some DNS traffic, the preponderance of a large number of scanning, probing, DoS attacks and backscatter traffic in the network. Flows transmitting meaningful data became outliers among short, one-time bursts of unwanted traffic.

communication networks, traffic characterization, time domain analysis, cluster analysis

http://dx.doi.org/10.1016/j.comnet.2016.03.012

http://www.sciencedirect.com/science/article/pii/S1389128616300767