MalSpot: Multi2 Malicious Network Behavior Patterns Analysis

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8443)


What are the patterns that typical network attackers exhibit? For a given malicious network behaviors, are its attacks spread uniformly over time? In this work, we develop MalSpot multi-resolution and multi-linear (Multi2) network analysis system in order to discover such malicious patterns, so that we can use them later for attack detection, when attacks are concurrent with legitimate traffic. We designed and deployed MalSpot which employs multi-linear analysis with different time resolutions, running on top of MapReduce (Hadoop), and we identify patterns across attackers, attacked institutions and variation of time scales. We collect over a terabyte of proven malicious traces (along with benign ones), from the Taiwanese government security operation center (G-SOC) , during the entire year of 2012. We showcase the effectiveness of MalSpot by discovering interesting patterns and anomalies on this enormous dataset. We observed static and time-evolving patterns, that a vast majority of the known malicious behavior seem to follow.


multi-resolution tensor anmoaly detection multi-linear uncorrelated levels 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Dainotti, A.: Analysis of a “/0” stealth scan from a botnet. In: IMC 2012 (2012)Google Scholar
  2. 2.
    Sun, J., Papadimitriou, S., Yu, P.S.: Window-based tensor analysis on high-dimensional and multi-aspect streams. In: ICDM, pp. 1076–1080 (2006)Google Scholar
  3. 3.
    Maruhashi, K., Guo, F., Faloutsos, C.: Multiaspectforensics: Pattern mining on large-scale heterogeneous networks with tensor analysis. In: ASONAM 2011 (2011)Google Scholar
  4. 4.
    Kishino, Y., Sakurai, Y., Yanagisawa, Y., Suyama, T., Naya, F.: Svd-based hierarchical data gathering for environmental monitoring. In: Proceedings of the 2013 ACM Conference on Pervasive and Ubiquitous Computing Adjunct Publication, UbiComp 2013 Adjunct, pp. 9–12. ACM, New York (2013)CrossRefGoogle Scholar
  5. 5.
    Kolda, T.G., Bader, B.W.: Tensor decompositions and applications. SIAM Review 51(3), 455–500 (2009)CrossRefzbMATHMathSciNetGoogle Scholar
  6. 6.
    Kolda, T., Sun, J.: Scalable tensor decompositions for multi-aspect data mining. In: ICDM (2008)Google Scholar
  7. 7.
    Koutra, D., Papalexakis, E.E., Faloutsos, C.: Tensorsplat: Spotting latent anomalies in time. In: 2012 16th Panhellenic Conference on Informatics (PCI), pp. 144–149. IEEE (2012)Google Scholar
  8. 8.
    Chen, L.-M., Chen, M.-C., Liao, W., Sun, Y.S.: A scalable network forensics mechanism for stealthy self-propagating attacks. Computer Communications (2013)Google Scholar
  9. 9.
    Lin, J., Vlachos, M., Keogh, E., Gunopulos, D.: Iterative incremental clustering of time series. In: Bertino, E., Christodoulakis, S., Plexousakis, D., Christophides, V., Koubarakis, M., Böhm, K. (eds.) EDBT 2004. LNCS, vol. 2992, pp. 106–122. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  10. 10.
    Matsubara, Y., Sakurai, Y., Faloutsos, C., Iwata, T., Yoshikawa, M.: Fast mining and forecasting of complex time-stamped events. In: Proceedings of the 18th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD 2012, pp. 271–279. ACM, New York (2012)Google Scholar
  11. 11.
    Papadimitriou, S., Yu, P.: Optimal multi-scale patterns in time series streams. In: Proceedings of the 2006 ACM SIGMOD International Conference on Management of Data, pp. 647–658. ACM, New York (2006)CrossRefGoogle Scholar
  12. 12.
    Papalexakis, E.E., Faloutsos, C., Sidiropoulos, N.D.: ParCube: Sparse parallelizable tensor decompositions. In: Flach, P.A., De Bie, T., Cristianini, N. (eds.) ECML PKDD 2012, Part I. LNCS, vol. 7523, pp. 521–536. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  13. 13.
    Kang, U., Papalexakis, E., Harpale, A., Faloutsos, C.: Gigatensor: scaling tensor analysis up by 100 times - algorithms and discoveries. In: Proceedings of the 18th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD 2012, pp. 316–324. ACM, New York (2012)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. 1.Institute for Information IndustryTaipeiTaiwan
  2. 2.Cargegie Mellon UniversityPittsburghUSA

Personalised recommendations