Graph analysis of network flow connectivity behaviors

Graph-based approaches have been widely employed to facilitate the analysis of network flow connectivity behaviors, with the aim of understanding the impacts and patterns of network events. However, existing approaches suffer from a lack of connectivity-behavior information and a loss of network event identification. In this paper, we propose network flow connectivity graphs (NFCGs) to capture network flow behavior for modeling the social behaviors of network entities. Given a set of flows, the edges of an NFCG are generated by connecting pairs of hosts that communicate with each other. To preserve more information about network flows, we also embed node-ranking values and edge-weight vectors into the original NFCG. A network flow connectivity behavior analysis framework is then presented based on NFCGs. The proposed framework consists of three modules: a graph simplification module based on diversified filtering rules, a graph feature analysis module based on quantitative or semiquantitative analysis, and a graph structure analysis module based on several graph mining methods. Furthermore, we evaluate our NFCG-based framework using real network traffic data. The results show that NFCGs and the proposed framework not only achieve good performance on network behavior analysis but also exhibit excellent scalability for further algorithmic implementations.
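The construction described above, as an added sketch that is not the paper's implementation: hosts that exchange flows are joined by one edge, each edge carries a weight vector, each node a rank, and a filtering rule simplifies the graph. The flow fields, the `[flows, packets, bytes]` weight vector, degree as the node rank, the byte-threshold rule and the sample records are all assumptions, since the abstract does not define them.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, packets, bytes); not the paper's data.
FLOWS = [
    ("10.0.0.5", "10.0.0.1", 12, 4200),
    ("10.0.0.5", "10.0.0.1", 3, 900),
    ("10.0.0.1", "10.0.0.5", 10, 15000),
    ("10.0.0.6", "10.0.0.1", 8, 2100),
    ("10.0.0.7", "10.0.0.1", 1, 60),
    ("10.0.0.7", "10.0.0.8", 1, 60),
    ("10.0.0.7", "10.0.0.9", 1, 60),
]


def rank_nodes(edges):
    """Node rank (assumed here to be degree): number of distinct peers."""
    rank = defaultdict(int)
    for pair in edges:
        for host in pair:
            rank[host] += 1
    return dict(rank)


def build_nfcg(flows):
    """Connect each pair of communicating hosts with one undirected edge.

    Returns (edges, rank). edges maps frozenset({a, b}) to an assumed
    weight vector [flow_count, packets, bytes] summed over both directions.
    """
    edges = defaultdict(lambda: [0, 0, 0])
    for src, dst, pkts, nbytes in flows:
        if src == dst:  # a self-flow carries no connectivity information
            continue
        w = edges[frozenset((src, dst))]
        w[0] += 1
        w[1] += pkts
        w[2] += nbytes
    edges = dict(edges)
    return edges, rank_nodes(edges)


def simplify(edges, min_bytes):
    """Filtering rule (assumed): keep only edges with at least min_bytes."""
    kept = {pair: w for pair, w in edges.items() if w[2] >= min_bytes}
    return kept, rank_nodes(kept)
```

Ranks are recomputed after filtering, so a host whose edges are all low-volume disappears from the simplified graph rather than remaining as an isolated node.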
