NECO: A Graph-Based Approach to Traffic Monitoring and Application Classification

NECO：基于图的流量监控和应用分类方法

• 批准号: 0832069
• 负责人: Michalis Faloutsos
• 金额: $ 25万
• 依托单位: University of California-Riverside
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-09-01 至 2013-02-28
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0832069&HistoricalAwards=false
• 关键词: NECO; Graph; Based; Approach; Traffic

NECO: A Graph-Based Approach to Traffic Monitoring and Application ClassificationNETS NECO proposal 0832069Michalis Faloutsos (UCR) The fundamental problem that motivates this work is the need to detect and classify emerging and undesired applications in a network, such as a large ISP, or an enterprise network. The undesired applications can refer to Peer-To-Peer (P2P) protocols, which can dominate network resources, but also include malware such as intrusions and worms. This proposal addresses the following tightly related problems in this area of research: (a) monitoring and visualizing network traffic, (b) identifying applications, and (c) detecting anomalies.Monitoring the traffic and detecting unwanted applications is far from trivial. The authors of controversial applications often obfuscate their traffic to make them very hard to detect by using encryption or ever-changing behavior. Thus, there is a need for an approach that has the following properties: (a) it is easy to use with few and intuitive parameters, (b) it can operate even when packet payload is unavailable, and (c) it does not rely on a priori knowledge of the application specification, such as port numbers. Despite the significant number of previous efforts, most previous work fails to meet one of these three constraints.The proposal follows a more fundamental behavioral approach, where the detector looks for behavior patterns of the application that are both intrinsic to the application and distinct from other traffic. By identifying intrinsic behaviors, it becomes difficult for application writers to disguise their applications without defeating the very purpose of the application. The key contribution of this proposal is that it demonstrates the power of a behavioral or graph-based approach to network monitoring. Specifically, the proposal fully explores the use of Traffic Dispersion Graphs or TDGs, which capture the communication pattern in a network, namely, who talks to whom. TDGs capture the ``social" interaction of the network as a whole, which leads to a directed graph; each node is an IP address, and each edge represents an interaction between two nodes. The proposal shows that there is a wealth of information embedded in a TDG, which the other monitoring and application classification methods simply cannot capture.Broader Impact: This proposal will make enterprise and ISP networks more reliable and safer by providing the basis for a new generation of monitoring and security tools. Service disruptions and malware cost billions of dollars per year to any industry with significant IT infrastructure. At the same time, the Internet has become the battleground of multimillion dollar wars: between industries (content providers versus ISPs on network neutrality) and between the entertainment industry and users (the peer-to-peer saga). The proposal will provide the tools (e.g. application classification) that will play an important role in deciding the future of the network. Educational Goals: The PI will develop a cross-disciplinary educational program by bringing together networking, security, graph-mining, and social networks research. In addition, the PIs will develop programs to: (a) encourage the early involvement of both undergraduate and graduate students in research and teaching, and (b) increase the participation of minorities in higher education in engineering.

NECO：一种基于图形的流量监控和应用分类方法NETS NECO提案0832069 Michalis Faloutsos(UCR)推动这项工作的根本问题是需要检测和分类网络中出现的和不需要的应用程序，例如大型互联网服务提供商或企业网络。不受欢迎的应用程序可能指的是对等(P2P)协议，它可以控制网络资源，但也包括恶意软件，如入侵和蠕虫。该建议解决了这一研究领域中的以下密切相关的问题：(A)监控和可视化网络流量，(B)识别应用程序，以及(C)检测异常。监控流量和检测不需要的应用程序绝非易事。有争议的应用程序的作者经常通过使用加密或不断变化的行为来混淆他们的流量，使他们很难被检测到。因此，需要一种具有以下属性的方法：(A)其易于使用且参数少且直观，(B)其即使在分组有效载荷不可用时也可操作，以及(C)其不依赖于诸如端口号之类的应用规范的先验知识。尽管之前做了大量的工作，但大多数以前的工作都未能满足这三个限制中的一个。该建议遵循更基本的行为方法，即检测器寻找应用程序的行为模式，这些模式既是应用程序固有的，又不同于其他流量。通过识别内部行为，应用程序编写者很难在不违背应用程序真正目的的情况下伪装他们的应用程序。这一建议的主要贡献在于，它展示了行为或基于图形的方法在网络监控中的威力。具体地说，该提案充分探索了流量分散图(TDG)的使用，该图捕捉了网络中的通信模式，即谁与谁交谈。TDGs捕获整个网络的“社交”交互，从而形成有向图；每个节点是一个IP地址，每条边代表两个节点之间的交互。该提案显示，TDG中嵌入了其他监控和应用分类方法无法获取的丰富信息。广泛影响：该提案将为新一代监控和安全工具提供基础，从而使企业和运营商网络更加可靠和安全。对于任何拥有重要IT基础设施的行业来说，服务中断和恶意软件每年都会造成数十亿美元的损失。与此同时，互联网已经成为数百万美元战争的战场：行业之间(内容提供商与互联网服务提供商之间关于网络中立性的斗争)，以及娱乐业与用户之间(点对点传奇)。该提案将提供工具(例如应用分类)，这些工具将在决定网络的未来方面发挥重要作用。教育目标：PI将通过将网络、安全、图表挖掘和社交网络研究结合在一起，开发一个跨学科的教育项目。此外，私人投资机构将制定计划，以：(A)鼓励本科生和研究生及早参与研究和教学，以及(B)增加少数族裔对高等工程教育的参与。