NECO: A Graph-Based Approach to Traffic Monitoring and Application Classification

NECO：基于图的流量监控和应用分类方法

• 批准号: 1316446
• 负责人: Michalis Faloutsos
• 金额: $ 1.88万
• 依托单位: University of New Mexico
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2012
• 资助国家: 美国
• 起止时间: 2012-12-31 至 2013-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1316446&HistoricalAwards=false
• 关键词: NECO; Graph; Based; Approach; Traffic

NECO: A Graph-Based Approach to Traffic Monitoring and Application ClassificationNETS NECO proposal 0832069Michalis Faloutsos (UCR) The fundamental problem that motivates this work is the need to detect and classify emerging and undesired applications in a network, such as a large ISP, or an enterprise network. The undesired applications can refer to Peer-To-Peer (P2P) protocols, which can dominate network resources, but also include malware such as intrusions and worms. This proposal addresses the following tightly related problems in this area of research: (a) monitoring and visualizing network traffic, (b) identifying applications, and (c) detecting anomalies.Monitoring the traffic and detecting unwanted applications is far from trivial. The authors of controversial applications often obfuscate their traffic to make them very hard to detect by using encryption or ever-changing behavior. Thus, there is a need for an approach that has the following properties: (a) it is easy to use with few and intuitive parameters, (b) it can operate even when packet payload is unavailable, and (c) it does not rely on a priori knowledge of the application specification, such as port numbers. Despite the significant number of previous efforts, most previous work fails to meet one of these three constraints.The proposal follows a more fundamental behavioral approach, where the detector looks for behavior patterns of the application that are both intrinsic to the application and distinct from other traffic. By identifying intrinsic behaviors, it becomes difficult for application writers to disguise their applications without defeating the very purpose of the application. The key contribution of this proposal is that it demonstrates the power of a behavioral or graph-based approach to network monitoring. Specifically, the proposal fully explores the use of Traffic Dispersion Graphs or TDGs, which capture the communication pattern in a network, namely, who talks to whom. TDGs capture the ``social" interaction of the network as a whole, which leads to a directed graph; each node is an IP address, and each edge represents an interaction between two nodes. The proposal shows that there is a wealth of information embedded in a TDG, which the other monitoring and application classification methods simply cannot capture.Broader Impact: This proposal will make enterprise and ISP networks more reliable and safer by providing the basis for a new generation of monitoring and security tools. Service disruptions and malware cost billions of dollars per year to any industry with significant IT infrastructure. At the same time, the Internet has become the battleground of multimillion dollar wars: between industries (content providers versus ISPs on network neutrality) and between the entertainment industry and users (the peer-to-peer saga). The proposal will provide the tools (e.g. application classification) that will play an important role in deciding the future of the network. Educational Goals: The PI will develop a cross-disciplinary educational program by bringing together networking, security, graph-mining, and social networks research. In addition, the PIs will develop programs to: (a) encourage the early involvement of both undergraduate and graduate students in research and teaching, and (b) increase the participation of minorities in higher education in engineering.

NECO：基于图的流量监控和应用程序分类方法NETS NECO提案0832069 Michalis Faloutsos（UCR）推动这项工作的根本问题是需要检测和分类网络（如大型ISP或企业网络）中出现的和不需要的应用程序。不期望的应用可以指对等（P2P）协议，其可以支配网络资源，但也包括恶意软件，诸如入侵和蠕虫。 该提案解决了该研究领域中以下密切相关的问题：（a）监视和可视化网络流量，（B）识别应用程序，以及（c）检测异常。有争议的应用程序的作者经常混淆他们的流量，使他们很难通过使用加密或不断变化的行为来检测。 因此，需要一种具有以下特性的方法：（a）易于使用很少且直观的参数，（B）即使在分组有效载荷不可用时也可以操作，以及（c）不依赖于应用规范的先验知识，例如端口号。尽管大量的先前的努力，大多数先前的工作未能满足这三个constrain.The建议遵循一个更基本的行为的方法，其中检测器寻找的应用程序的行为模式，既固有的应用程序和其他流量不同。通过识别内在行为，应用程序编写者很难在不破坏应用程序的目的的情况下伪装他们的应用程序。该提案的主要贡献在于，它展示了行为或基于图的网络监控方法的强大功能。具体而言，该提案充分探索了流量分散图或TDG的使用，它捕获了网络中的通信模式，即谁与谁交谈。TDG将网络的“社会”交互作为一个整体来捕捉，这导致了一个有向图;每个节点是一个IP地址，每条边代表两个节点之间的交互。该提案表明，有丰富的信息嵌入在一个TDG，这是其他监控和应用程序分类方法根本无法捕捉。更广泛的影响：该提案将使企业和ISP网络更可靠和更安全的基础上，提供了新一代的监控和安全工具。 服务中断和恶意软件每年给任何拥有重要IT基础设施的行业带来数十亿美元的损失。与此同时，互联网已经成为数百万美元战争的战场：行业之间（内容提供商与网络中立性的ISP）以及娱乐行业与用户之间（点对点佐贺）。该提案将提供在决定网络未来方面发挥重要作用的工具（例如应用程序分类）。教育目标：PI将开发一个跨学科的教育计划，将网络，安全，图形挖掘和社交网络研究结合在一起。此外，PI将制定方案：（a）鼓励本科生和研究生尽早参与研究和教学，（B）增加少数民族在工程高等教育中的参与。