Transport Traffic Analysis for Abusive Infrastructure Characterization
Author
Nolan, Le E.
Date
2012-09
Advisor
Beverly, Robert
Second Reader
Young, Joel D.
Abstract
This thesis investigates a novel approach to identifying discriminating features of communications involving abusive hosts. The technique uses per-packet TCP header and timing features to identify congestion, flow-control, and other low-level network and system characteristics. These characteristics are inherent to the poorly connected, under-provisioned, low-end, and overloaded hosts or links typical of abusive infrastructure, which makes them difficult for an adversary to manipulate. Supervised classifiers use these features to infer likely abusive network hosts. Where prior work uses such features to opportunistically identify inbound abusive traffic, this thesis performs active probing to characterize abusive infrastructure in general. Our approach is IP address and content agnostic, and therefore privacy-preserving, which permits wider deployment. Evaluated against known-abusive web sites, we achieve a classification accuracy of 94 percent with a 3 percent false positive rate using only transport features. Our results suggest that transport traffic analysis can identify and block, in real time, abusive hosts unknown to blocklists, and provide a difficult-to-subvert addition to existing schemes.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. As such, it is in the public domain, and under the provisions of Title 17, United States Code, Section 105, is not copyrighted in the U.S.
Related items
Transport traffic analysis for abusive infrastructure characterization
Nolan, Le; Beverly, Robert; Xie, Geoffrey (Monterey, California: Naval Postgraduate School, 2012-12); NPS-CS-12-005
We investigate a promising approach that identifies discriminating features of likely communications involving abusive hosts from per-packet TCP header and timing information. These features identify congestion, flow-control, ...
MalWebID: Autodetection and Identification of Malicious Web Hosts Through Live Traffic Analysis
Nichols, Tony (Monterey, California: Naval Postgraduate School, 2013-03)
This thesis investigates the ability of recently devised packet-level Transmission Control Protocol (TCP) transport classifiers to discover abusive traffic flows, especially those not found via traditional methods, e.g., ...
Auto-learning of SMTP TCP Transport-Layer Features for Spam and Abusive Message Detection
Kakavelakis, Georgios; Beverly, Robert; Young, Joel (2011)
Botnets are a significant source of abusive messaging (spam, phishing, etc.) and other types of malicious traffic. A promising approach to help mitigate botnet-generated traffic is signal analysis of transport-layer (i.e., ...