Soft Computing

, Volume 18, Issue 9, pp 1757–1770 | Cite as

Network security management with traffic pattern clustering

  • Tao-Wei Chiou
  • Shi-Chun Tsai
  • Yi-Bing Lin


Profiling network traffic pattern is an important approach for tackling network security problem. Based on campus network infrastructure, we propose a new method to identify randomly generated domain names and pinpoint the potential victim groups. We characterize normal domain names with the so called popular 2gram (2 consecutive characters in a word) to distinguish between active and nonexistent domain names. We also track the destination IPs of sources IPs and analyze their similarity of connection pattern to uncover potential anomalous group network behaviors. We apply the Hadoop technique to deal with the big data of network traffic and classify the clients as victims or not with the spectral clustering method.


Clustering Machine learning Jaccard similarity  ROC curve Denial of service Big data 


  1. Antonakakis M, Perdisci R, Dagon D, Lee W, Feamster N (2010) Building a dynamic reputation system for DNS. In: USENIX security symposium, pp 273–290Google Scholar
  2. Antonakakis M, Perdisci R, Nadji Y, Vasiloglou N, Abu-Nimeh S, Lee W, Dagon D (2012) From throw-away traffic to bots: detecting the rise of DGA-based malware. In: Proceedings of the 21st USENIX security symposiumGoogle Scholar
  3. Bilge L, Kirda E, Kruegel C, Balduzzi M (2011) Exposure: finding malicious domains using passive DNS analysis. In: 18th Annual network and distributed system security symposium,6–9 Feb 2011. San Diego, CA, USAGoogle Scholar
  4. Cheetham AH, Hazel JE (1969) Binary (presence–absence) similarity coefficients. J Paleontol 43(5): 1130–1136Google Scholar
  5. Choi H, Lee H (2012) Identifying botnets by capturing group activities in DNS traffic. Comput Netw, vol 56, pp 20–33Google Scholar
  6. Dietrich C, Rossow C, Freiling F, Bos H, van Steen M, Pohlmann N (2011) On botnets that use DNS for command and control. In: Seventh European conference on computer network defense (EC2ND), pp 9–16Google Scholar
  7. Fiore U, Palmieri F, Castiglione A, De Santis A (2013) Network anomaly detection with the restricted Boltzmann machine. Neurocomputing 122:13–23CrossRefGoogle Scholar
  8. Freund Y, Mason L (1999) The alternating decision tree learning algorithm. In: ICML, vol 99, pp 124–133Google Scholar
  9. Han J, Kamber M, Pei J (2012) Data mining, concepts and techniques, 3rd edn. Morgan Kaufmann, San FranciscozbMATHGoogle Scholar
  10. Horowitz E, Sahni S, Mehta DP (2006) Fundamentals of data structures in C++, 2nd edn. Silicon Press, SummitGoogle Scholar
  11. Kang U, Tsourakakis CE, Christos F (2009) PEGASUS: a peta-scale graph mining system—implementation and observations. In: IEEE ICDM 2009, pp 229–238Google Scholar
  12. Kiyomoto S, Fukushima K, Miyake Y (2012) Design of categorization mechanism for disaster-information-gathering system. J Wirel Mob Netw Ubiquitous Comput Dependable Appl 3(4):21–34Google Scholar
  13. Lutkebohle I (2013) English letter frequency counts: Mayzner revisitedGoogle Scholar
  14. Luxburg UV (2007) A tutorial on spectral clustering. Stat Comput 17(4): 395–416Google Scholar
  15. Palmieri F, Fiore U (2009) A nonlinear, recurrence-based approach to traffic classification. Comput Netw 53(6):761–773CrossRefzbMATHGoogle Scholar
  16. Porras P, Saidi H, Yegneswaran V (2009) Conficker analysis. SRI International, Menlo Park Google Scholar
  17. Stone-Gross B, Cova M, Cavallaro L, Gilbert B, Szydlowski M, Kemmerer R, Kruegel C, Vigna G (2009) Your botnet is my botnet: analysis of a botnet takeover. In: Proceedings of the 16th ACM conference on computer and communication security. ACM, New York, pp 635–647Google Scholar
  18. Xu K, Wang F, Gu L (2011) Network-aware behavior clustering of internet end hosts. In: IEEE INFOCOM 2011, pp 2078–2086Google Scholar
  19. Yadav S, Reddy A, Ranjan S (2010) Detecting algorithmically generated malicious domain names, In: Proceedings of the 10th ACM SIGCOMM conference on internet measurement, pp 48–61Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  1. 1.Department of Computer ScienceNational Chiao Tung UniversityHsinchuTaiwan

Personalised recommendations