Network traffic analysis through statistical signal processing methods.

摘要

In this thesis, we address three major issues in analyzing network traffic using statistical signal processing methods:;Detect periodic behavior in network traffic. We develop an efficient, robust, multivariate approach method to detect periodic behavior in network traffic. The method is based on evaluating the periodogram of several count-feature sequences of the traffic trace and testing the significance of the peak of each periodogram.;Botnet command and control (C2) communication channels traffic. In many botnet variants, bots periodically exchange code and updates. We detect bots by detecting the periodic behavior of their C2 traffic. We use SLINGbot to implement two variants of botnets, TinyP2P and IRC, and show that C2 traffic of both exhibits periodic behavior. We add background and random noise traffic to C2 traffic to test the performance of the method. We find that address count sequences are more robust than to background traffic since the number of hosts that a given host communicates with during a certain time window is relatively small, hence its effect on the address count is small. We show that the methods performance increases with the increase of the duty cycle and/or the length of the observed traffic, and decreases with the decrease of the period length. Finally, we compare the periodic behavior of C2 traffic to the periodic behavior of E-mail traffic and explain that they can be easily distinguished because E-mail communication traffic uses well known port numbers.;Network traffic control and data planes. We decompose enterprise LAN TCP traffic into control and data planes. We use the control plane traffic as a surrogate for the whole combined traffic to increase the efficiency and scalability of network traffic analysis. We show that the two traffic groups have similar behavior through visual plots and multivariate statistical analysis. We compare the two traffic groups using the cross-correlation function and show that dissimilarity between them is an indication of abnormal behavior. We also study the Long-Range Dependence (LRD) behavior of the two groups based on the traffic's direction and find that this allows us to focus on smaller segments of the traffic.