Discovering Significant Co-Occurrences to Characterize Network Behaviors

  • Kristine Arthur-Durett
  • Thomas E. Carroll (email author)
  • Satish Chikkagoudar
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10904)

Abstract

A key aspect of computer network defense and operations is the characterization of network behaviors. Several of these behaviors are a result of indirect interactions between various networked entities and are temporal in nature. Modeling them requires non-trivial and scalable approaches. We introduce a novel approach for characterizing network behaviors using significant co-occurrence discovery. A significant co-occurrence is a robust concurrence or coincidence of events or activities observed over a period of time. We formulate a network problem in the context of co-occurrence detection and propose an approach to detect co-occurrences in network flow information. The problem is a generalization of problems that are encountered in the areas of dependency discovery and related activity identification. Moreover, we define a set of metrics to determine robust characteristics of these co-occurrences. We demonstrate the approach, exercising it first on a simulated network trace, and second on a publicly available anonymized network trace from CAIDA. We show that co-occurrences can identify interesting relationships and that the proposed algorithm can be an effective tool in network flow analysis.

Keywords

Cyber situation awareness, Significant co-occurrence detection, Temporal relationship discovery, Robust correlation

Notes

Acknowledgment

Portions of the research were funded by PNNL’s Asymmetric Resilient Cybersecurity (ARC) Laboratory Research & Development Initiative. This work was performed while Satish Chikkagoudar was at Pacific Northwest National Laboratory. The views expressed in this paper are the opinions of the Authors and do not represent official positions of the Pacific Northwest National Laboratory, the Department of the Navy, or the Department of Energy.

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Kristine Arthur-Durett (1)
  • Thomas E. Carroll (1, email author)
  • Satish Chikkagoudar (2)
  1. Pacific Northwest National Laboratory, Richland, USA
  2. U.S. Naval Research Laboratory, Washington, DC, USA