Behavioral Clustering of Non-Stationary IP Flow Record Data

Christian Hammerschmidt, Samuel Marchal, Radu State, Sicco Verwer

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

10 Citations (Scopus)

Abstract

Automated network traffic analysis using machine learning techniques plays an important role in managing networks and IT infrastructure. A key challenge to the correct and effective application of machine learning is dealing with non-stationary learning data sources and concept drift. Traffic evolves over time due to new technology, software, services being used, changes in user behavior but also due to changes in network graphs like dynamic IP address assignment. In this paper, we present an automatic online method to detect changepoints in network traffic based on IP flow record analysis. This technique is used to segment an observed behavior into smaller consecutive behaviors differing one from another. The segmented traffic is used to learn small communication profiles characterizing accurately the activities present between two observed changepoints. We validate our method using synthetic data and outline a real-world application to botnet hosts behavior modeling.
Original language: English
Title of host publication: 12th International Conference on Network and Service Management CNSM 2016
Place of Publication: Piscataway, NJ
Publisher: IEEE
Pages: 253-257
Number of pages: 5
ISBN (Print): 978-3-901882-85-2
Publication status: Published - Nov 2016
Event: 12th International Conference on Network and Service Management CNSM 2016 - Montreal, Canada
Duration: 31 Oct 2016 → 4 Nov 2016

Conference

Conference: 12th International Conference on Network and Service Management CNSM 2016
Country/Territory: Canada
City: Montreal
Period: 31/10/16 → 4/11/16

Keywords

  • IP networks
  • Automata
  • Data models
  • Learning automata
  • Merging
  • Malware
  • Feature extraction
