Low-Rate, Flow-Level Periodicity Detection

Bartlett, Genevieve and Heidemann, John and Papadopoulos, Christos
USC/Information Sciences Institute

Genevieve Bartlett, John Heidemann and Christos Papadopoulos 2011. Low-Rate, Flow-Level Periodicity Detection. Proceedings of the 14th IEEE Global Internet Symposium (Shanghai, China, Apr. 2011), 804–809.

Abstract

As desktops and servers become more complicated, they employ an increasing amount of automatic, non-user-initiated communication. Such communication can be good (OS updates, RSS feed readers, and mail polling), bad (keyloggers, spyware, and botnet command-and-control), or ugly (adware or unauthorized peer-to-peer applications). Communication in these applications is often regular, but with very long periods, ranging from minutes to hours. This infrequent communication and the complexity of today’s systems make these applications difficult for users to detect and diagnose. In this paper we present a new approach to identify low-rate periodic network traffic and changes in such regular communication. We employ signal-processing techniques, using discrete wavelets implemented as a fully decomposed, iterated filter bank. This approach not only detects low-rate periodicities, but also identifies approximate times when traffic changed. We implement a self-surveillance application that externally identifies changes to a user’s machine, such as interruption of periodic software updates, or an installation of a keylogger.

Reference

@inproceedings{Bartlett11a,
  author = {Bartlett, Genevieve and Heidemann, John and Papadopoulos, Christos},
  title = {Low-Rate, Flow-Level Periodicity Detection},
  booktitle = {Proceedings of the 14th IEEE Global Internet Symposium},
  year = {2011},
  sortdate = {2011-04-01},
  pages = {804--809},
  address = {Shanghai, China},
  month = apr,
  publisher = {IEEE},
  location = {johnh: pafile},
  myorganization = {USC/Information Sciences Institute},
  copyrightholder = {IEEE},
  copyrightterms = {
  	Personal use of this material is permitted.  Permission from IEEE must
  	be obtained for all other uses, in any current or future media,
  	including reprinting/republishing this material for advertising or
  	promotional purposes, creating new collective works, for resale or
  	redistribution to servers or lists, or reuse of any copyrighted
  	component of this work in other works.
    },
  keywords = {low-rate periodic detection, wavelet, traffic},
  project = {ant, lacrend, lander},
  jsubject = {spectral_network},
  url = {http://www.isi.edu/%7ejohnh/PAPERS/Bartlett11a.html},
  pdfurl = {http://www.isi.edu/%7ejohnh/PAPERS/Bartlett11a.pdf},
  doi = {http://dx.doi.org/10.1109/INFCOMW.2011.5928922}
}

Copyright

Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.