NECO: A Graph-Based Approach to Traffic Monitoring and Application Classification

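Basic information

  • Award number:
    1316446
  • Principal investigator:
  • Amount:
    $18,800
  • Host institution:
  • Host institution country:
    United States
  • Award type:
    Standard Grant
  • Fiscal year:
    2012
  • Funding country:
    United States
  • Duration:
    2012-12-31 to 2013-08-31
  • Status:
    Completed

Project abstract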

NECO: A Graph-Based Approach to Traffic Monitoring and Application Classification
NETS NECO proposal 0832069
Michalis Faloutsos (UCR)

The fundamental problem that motivates this work is the need to detect and classify emerging and undesired applications in a network, such as a large ISP, or an enterprise network. The undesired applications can refer to Peer-To-Peer (P2P) protocols, which can dominate network resources, but also include malware such as intrusions and worms. This proposal addresses the following tightly related problems in this area of research: (a) monitoring and visualizing network traffic, (b) identifying applications, and (c) detecting anomalies.

Monitoring the traffic and detecting unwanted applications is far from trivial. The authors of controversial applications often obfuscate their traffic to make them very hard to detect by using encryption or ever-changing behavior. Thus, there is a need for an approach that has the following properties: (a) it is easy to use with few and intuitive parameters, (b) it can operate even when packet payload is unavailable, and (c) it does not rely on a priori knowledge of the application specification, such as port numbers. Despite the significant number of previous efforts, most previous work fails to meet one of these three constraints.

The proposal follows a more fundamental behavioral approach, where the detector looks for behavior patterns of the application that are both intrinsic to the application and distinct from other traffic. By identifying intrinsic behaviors, it becomes difficult for application writers to disguise their applications without defeating the very purpose of the application. The key contribution of this proposal is that it demonstrates the power of a behavioral or graph-based approach to network monitoring. Specifically, the proposal fully explores the use of Traffic Dispersion Graphs or TDGs, which capture the communication pattern in a network, namely, who talks to whom. TDGs capture the "social" interaction of the network as a whole, which leads to a directed graph; each node is an IP address, and each edge represents an interaction between two nodes. The proposal shows that there is a wealth of information embedded in a TDG, which the other monitoring and application classification methods simply cannot capture.

Broader Impact: This proposal will make enterprise and ISP networks more reliable and safer by providing the basis for a new generation of monitoring and security tools. Service disruptions and malware cost billions of dollars per year to any industry with significant IT infrastructure. At the same time, the Internet has become the battleground of multimillion dollar wars: between industries (content providers versus ISPs on network neutrality) and between the entertainment industry and users (the peer-to-peer saga). The proposal will provide the tools (e.g. application classification) that will play an important role in deciding the future of the network.

Educational Goals: The PI will develop a cross-disciplinary educational program by bringing together networking, security, graph-mining, and social networks research. In addition, the PIs will develop programs to: (a) encourage the early involvement of both undergraduate and graduate students in research and teaching, and (b) increase the participation of minorities in higher education in engineering.

Project outputs

Journal articles (0)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)

Other publications by Michalis Faloutsos

Analyzing Communication Interaction Networks (CINs) in enterprises and inferring hierarchies
  • DOI:
    10.1016/j.comnet.2012.11.028
  • Published:
    2013-07
  • Journal:
  • Impact factor:
    5.6
  • Authors:
    Yi Wang;Marios Iliofotou;Michalis Faloutsos;Bin Wu
  • Corresponding author:
    Bin Wu

Other grants by Michalis Faloutsos

SaTC: CORE: Small: SOFIA: Finding and profiling malware source-code in public archives at scale
  • Award number:
    2132642
  • Fiscal year:
    2021
  • Award amount:
    $18,800
  • Award type:
    Standard Grant
TWC: Medium: Collaborative: Know Thy Enemy: Data Mining Meets Networks for Understanding Web-Based Malware Dissemination
  • Award number:
    1638219
  • Fiscal year:
    2016
  • Award amount:
    $18,800
  • Award type:
    Standard Grant
TWC: Medium: Collaborative: Know Thy Enemy: Data Mining Meets Networks for Understanding Web-Based Malware Dissemination
  • Award number:
    1314935
  • Fiscal year:
    2013
  • Award amount:
    $18,800
  • Award type:
    Standard Grant
NECO: A Graph-Based Approach to Traffic Monitoring and Application Classification
  • Award number:
    0832069
  • Fiscal year:
    2008
  • Award amount:
    $18,800
  • Award type:
    Standard Grant
Collaborative Research: NETS-NBD: RIDR: Towards Robust Inter-Domain Routing: Measurements, Models, and Deployable Tools
  • Award number:
    0721889
  • Fiscal year:
    2007
  • Award amount:
    $18,800
  • Award type:
    Continuing Grant
Collaborative Research: NetMine: Finding Patterns in Network Data
  • Award number:
    0208950
  • Fiscal year:
    2002
  • Award amount:
    $18,800
  • Award type:
    Continuing Grant
CAREER: Multicast Protocols and Topology Models for the Internet
  • Award number:
    9985195
  • Fiscal year:
    2000
  • Award amount:
    $18,800
  • Award type:
    Standard Grant

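Similar NSFC (National Natural Science Foundation of China) grants

Research on depositing high-density interconnect patterns based on the electrochemical properties of thiophene polymers
  • Award number:
    22302034
  • Approval year:
    2023
  • Award amount:
    300,000 yuan
  • Award type:
    Young Scientists Fund
Construction of a high-quality reference genome for Chinese Mycobacterium tuberculosis based on a graph pangenome
  • Award number:
    82373649
  • Approval year:
    2023
  • Award amount:
    490,000 yuan
  • Award type:
    General Program
Research on a graphical adaptive inversion algorithm for multispectral radiation thermometry
  • Award number:
    62305053
  • Approval year:
    2023
  • Award amount:
    300,000 yuan
  • Award type:
    Young Scientists Fund
Dissecting the molecular genetic basis of fruit development in Xinjiang melon based on a graph genome
  • Award number:
    32360749
  • Approval year:
    2023
  • Award amount:
    330,000 yuan
  • Award type:
    Regional Science Fund
Research on digital creativity assessment and intervention methods based on children's graphical programming
  • Award number:
    62307007
  • Approval year:
    2023
  • Award amount:
    300,000 yuan
  • Award type:
    Young Scientists Fund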

Similar overseas grants

CAREER: Integrating Graph Theory based Networks with Machine Learning for Enhanced Process Synthesis and Design
  • Award number:
    2339588
  • Fiscal year:
    2024
  • Award amount:
    $18,800
  • Award type:
    Continuing Grant
Heterogeneous Graph Neural Network based Federated Mobile Crowdsensing
  • Award number:
    23K24829
  • Fiscal year:
    2024
  • Award amount:
    $18,800
  • Award type:
    Grant-in-Aid for Scientific Research (B)
CSR: Small: Processing-in-Memory enabled Manycore Systems to Accelerate Graph Neural Network-based Data Analytics
  • Award number:
    2308530
  • Fiscal year:
    2023
  • Award amount:
    $18,800
  • Award type:
    Standard Grant
SHINE: Understanding the Relationships of Photospheric Vector Magnetic Field Parameters in Solar Flare Occurrences using Graph-based Machine Learning Models
  • Award number:
    2301397
  • Fiscal year:
    2023
  • Award amount:
    $18,800
  • Award type:
    Standard Grant
Development and integration of organic solar cell and organic transistor materials using graph-based machine learning
  • Award number:
    23H02064
  • Fiscal year:
    2023
  • Award amount:
    $18,800
  • Award type:
    Grant-in-Aid for Scientific Research (B)