TY - GEN
T1 - Know your enemy, know yourself
T2 - 53rd IEEE Global Communications Conference, GLOBECOM 2010
AU - Sharafuddin, Esam
AU - Jiang, Nan
AU - Jin, Yu
AU - Zhang, Zhi-Li
PY - 2010/12/1
Y1 - 2010/12/1
N2 - Gaining a better knowledge of one's own network is crucial to effectively manage and secure today's large, diverse campus and enterprise networks. Because of the large number of IP addresses (or hosts) and the prevalent use of dynamic IP addresses, profiling and tracking individual hosts within such large networks may be neither effective nor scalable. In this paper, we develop a novel methodology for capturing, characterizing, and tracking network activities at the block-level by carefully selecting a port feature vector and capturing the port activities of individual hosts within a block using a block-wise (host) port activity matrix (BPAM). Applying the SVD low-rank approximation technique, we obtain a low-dimensional subspace representation which captures the significant and typical host activities of the block. Using these subspace representations, we cluster and classify blocks to provide high-level descriptive labels to assist network operators and security analysts to gain insight into the network activities. We also develop novel methods to track and quantify changes in blocks' behaviors over time, and demonstrate how these methods can be utilized to identify major changes and anomalies within the network.
AB - Gaining a better knowledge of one's own network is crucial to effectively manage and secure today's large, diverse campus and enterprise networks. Because of the large number of IP addresses (or hosts) and the prevalent use of dynamic IP addresses, profiling and tracking individual hosts within such large networks may be neither effective nor scalable. In this paper, we develop a novel methodology for capturing, characterizing, and tracking network activities at the block-level by carefully selecting a port feature vector and capturing the port activities of individual hosts within a block using a block-wise (host) port activity matrix (BPAM). Applying the SVD low-rank approximation technique, we obtain a low-dimensional subspace representation which captures the significant and typical host activities of the block. Using these subspace representations, we cluster and classify blocks to provide high-level descriptive labels to assist network operators and security analysts to gain insight into the network activities. We also develop novel methods to track and quantify changes in blocks' behaviors over time, and demonstrate how these methods can be utilized to identify major changes and anomalies within the network.
UR - http://www.scopus.com/inward/record.url?scp=79551654016&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=79551654016&partnerID=8YFLogxK
U2 - 10.1109/GLOCOM.2010.5684140
DO - 10.1109/GLOCOM.2010.5684140
M3 - Conference contribution
AN - SCOPUS:79551654016
SN - 9781424456383
T3 - GLOBECOM - IEEE Global Telecommunications Conference
BT - 2010 IEEE Global Telecommunications Conference, GLOBECOM 2010
Y2 - 6 December 2010 through 10 December 2010
ER -