A real-time system for abusive network traffic detection

Download
Author
Kakavelakis, Georgios.
Date
2011-03Advisor
Beverly, Robert
Second Reader
Young, Joel D.
Metadata
Show full item recordAbstract
Abusive network traffic--to include unsolicited e-mail, malware propagation, and denial-of-service attacks--remains a constant problem in the Internet. Despite extensive research in, and subsequent deployment of, abusive-traffic detection infrastructure, none of the available techniques addresses the problem effectively or completely. The fundamental failing of existing methods is that spammers and attack perpetrators rapidly adapt to and circumvent new mitigation techniques. Analyzing network traffic by exploiting transport-layer characteristics can help remedy this and provide effective detection of abusive traffic. Within this framework, we develop a real-time, online system that integrates transport layer characteristics into the existing SpamAssasin tool for detecting unsolicited commercial e-mail (spam). Specifically, we implement the previously proposed, but undeveloped, SpamFlow technique. We determine appropriate algorithms based on classification performance, training required, adaptability, and computational load. We evaluate system performance in a virtual test bed and live environment and present analytical results. Finally, we evaluate our system in the context of Spam Assassin's auto-learning mode, providing an effective method to train the system without explicit user interaction or feedback.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.Related items
Showing items related by title, author, creator and subject.
-
Transport Traffic Analysis for Abusive Infrastructure Characterization
Nolan, Le E. (Monterey, California. Naval Postgraduate School, 2012-09);This thesis investigates a novel approach to identifying discriminating features of communications involving abusive hosts. The technique uses per-packet TCP header and timing features to identify congestion, flow-control, ... -
MalWebID_Autodetection and Identification of Malicious Web Hosts Through Live Traffic Analysis
Nichols, Tony (Monterey, California. Naval Postgraduate School, 2013-03);This thesis investigates the ability for recently devised packet-level Transmission Control Protocols (TCP) transport classifiers to discover abusive traffic flows, especially those not found via traditional methods, e.g., ... -
Auto-learning of SMTP TCP Transport-Layer Features for Spam and Abusive Message Detection
Kakavelakis, Georgios; Beverly, Robert; Young, Joel (2011);Botnets are a significant source of abusive messaging (spam, phishing, etc) and other types of malicious traffic. A promising approach to help mitigate botnet-generated traffic is signal analysis of transport-layer (\ie ...