NECO: A Graph-Based Approach to Traffic Monitoring and Application Classification

NECO：基于图的流量监控和应用分类方法

• 批准号: 0832069
• 负责人: Michalis Faloutsos
• 金额: $ 25万
• 依托单位: University of California-Riverside
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2008
• 资助国家: 美国
• 起止时间: 2008-09-01 至 2013-02-28
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=0832069&HistoricalAwards=false
• 关键词: NECO; Graph; Based; Approach; Traffic

NECO: A Graph-Based Approach to Traffic Monitoring and Application ClassificationNETS NECO proposal 0832069Michalis Faloutsos (UCR) The fundamental problem that motivates this work is the need to detect and classify emerging and undesired applications in a network, such as a large ISP, or an enterprise network. The undesired applications can refer to Peer-To-Peer (P2P) protocols, which can dominate network resources, but also include malware such as intrusions and worms. This proposal addresses the following tightly related problems in this area of research: (a) monitoring and visualizing network traffic, (b) identifying applications, and (c) detecting anomalies.Monitoring the traffic and detecting unwanted applications is far from trivial. The authors of controversial applications often obfuscate their traffic to make them very hard to detect by using encryption or ever-changing behavior. Thus, there is a need for an approach that has the following properties: (a) it is easy to use with few and intuitive parameters, (b) it can operate even when packet payload is unavailable, and (c) it does not rely on a priori knowledge of the application specification, such as port numbers. Despite the significant number of previous efforts, most previous work fails to meet one of these three constraints.The proposal follows a more fundamental behavioral approach, where the detector looks for behavior patterns of the application that are both intrinsic to the application and distinct from other traffic. By identifying intrinsic behaviors, it becomes difficult for application writers to disguise their applications without defeating the very purpose of the application. The key contribution of this proposal is that it demonstrates the power of a behavioral or graph-based approach to network monitoring. Specifically, the proposal fully explores the use of Traffic Dispersion Graphs or TDGs, which capture the communication pattern in a network, namely, who talks to whom. TDGs capture the ``social" interaction of the network as a whole, which leads to a directed graph; each node is an IP address, and each edge represents an interaction between two nodes. The proposal shows that there is a wealth of information embedded in a TDG, which the other monitoring and application classification methods simply cannot capture.Broader Impact: This proposal will make enterprise and ISP networks more reliable and safer by providing the basis for a new generation of monitoring and security tools. Service disruptions and malware cost billions of dollars per year to any industry with significant IT infrastructure. At the same time, the Internet has become the battleground of multimillion dollar wars: between industries (content providers versus ISPs on network neutrality) and between the entertainment industry and users (the peer-to-peer saga). The proposal will provide the tools (e.g. application classification) that will play an important role in deciding the future of the network. Educational Goals: The PI will develop a cross-disciplinary educational program by bringing together networking, security, graph-mining, and social networks research. In addition, the PIs will develop programs to: (a) encourage the early involvement of both undergraduate and graduate students in research and teaching, and (b) increase the participation of minorities in higher education in engineering.

NECO：一种基于图的流量监控和应用分类方法NECO提案0832069Michalis Faloutsos （UCR）激发这项工作的根本问题是需要检测和分类网络中出现的和不需要的应用，例如大型ISP或企业网络。不受欢迎的应用程序可以参考点对点（P2P）协议，它可以控制网络资源，但也包括恶意软件，如入侵和蠕虫。本提案解决了该研究领域中以下密切相关的问题：(a)监控和可视化网络流量，(b)识别应用程序，(c)检测异常。监控流量和检测不需要的应用程序绝非易事。有争议的应用程序的作者经常通过使用加密或不断变化的行为来混淆它们的流量，使它们很难被检测到。因此，需要一种具有以下属性的方法：(a)使用简单且直观的参数，(b)即使在包有效载荷不可用的情况下也可以操作，(c)它不依赖于应用程序规范的先验知识，例如端口号。尽管之前做了大量的努力，但大多数以前的工作都不能满足这三个限制之一。该建议遵循更基本的行为方法，其中检测器查找应用程序的行为模式，这些模式既是应用程序固有的，又是与其他流量不同的。通过识别内在行为，应用程序编写者很难在不违背应用程序真正目的的情况下伪装他们的应用程序。这个建议的关键贡献在于它展示了行为或基于图形的网络监控方法的强大功能。具体而言，该提案充分探索了流量分散图（tdg）的使用，它捕获了网络中的通信模式，即谁与谁交谈。tdg捕获了整个网络的“社交”互动，这导致了一个有向图；每个节点是一个IP地址，每条边表示两个节点之间的交互。该建议表明，在TDG中嵌入了丰富的信息，这些信息是其他监控和应用分类方法根本无法捕获的。更广泛的影响：该提案将通过为新一代监控和安全工具提供基础，使企业和ISP网络更加可靠和安全。服务中断和恶意软件每年给任何拥有重要IT基础设施的行业造成数十亿美元的损失。与此同时，互联网已经成为数百万美元战争的战场：行业之间（内容提供商与互联网服务提供商在网络中立性上），娱乐行业与用户之间（点对点传奇）。该提案将提供工具（例如应用程序分类），这些工具将在决定网络的未来方面发挥重要作用。教育目标：PI将通过将网络、安全、图形挖掘和社会网络研究结合起来，开发一个跨学科的教育计划。此外，pi将制定计划：(a)鼓励本科生和研究生尽早参与研究和教学，(b)增加少数民族在高等工程教育中的参与。