SLIDE 1

Lightweight Hierarchical Network Traffic Clustering


Abdulrahman Hijazi, Hajime Inoue, Anil Somayaji

Carleton University

December 8, 2007

SLIDE 2


Problem Statement

The complexity of current Internet applications makes understanding network traffic a challenging task. New applications, protocols and attacks appear all the time. Current solutions have limitations:

1. classifiers based on packet header information are fast but fail with unknown protocols and obfuscated traffic;
2. protocol dissectors are more accurate but are very slow;
3. past machine-learning work identifies traffic as belonging to a small set of pre-defined classes.

SLIDE 3


ADHIC: Our Complementary Solution

ADHIC (Approximate Divisive HIerarchical Clustering) is a new real-time algorithm that clusters similar network traffic together without prior knowledge of protocol structures. Packet similarity is determined by comparing substrings within packets at distinguishing offsets. ADHIC:

1. finds semantically interesting clusters and appropriately segregates well-known protocols,
2. clusters together traffic of the same protocol running on multiple ports,
3. segregates traffic from applications, such as p2p, that do not use standard ports, and
4. adapts to the changing nature of traffic patterns.

SLIDE 4


Why ADHIC?

ADHIC is notable in that it

1. produces a hierarchical decomposition of network traffic in the form of a cluster-identifying decision tree,
2. does not assume prior knowledge of protocols and is unsupervised at every stage of operation,
3. needs only a small fraction of packets (about 3% in our traces) to generate a decision tree, and
4. can be used to cluster packets at wire speed (250 Mbps in an unoptimized software implementation).

NetADHICT, our implementation of ADHIC, is available at: http://www.ccsl.carleton.ca/software
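The substring-at-offset comparisons of slide 3 and the cluster-identifying decision tree of slide 4, as an added Python illustration that is not NetADHICT or the authors' code. It assumes 2-byte substrings at the first 8 offsets and chooses each split by how evenly it divides the packets, and it runs on constructed sample payloads, so ADHIC's real heuristics, sampling and thresholds are not reproduced.

```python
from collections import Counter
NGRAM = 2           # substring length compared at each offset (assumption for this toy)
OFFSETS = range(8)  # candidate offsets inspected in each packet (assumption)
# Constructed sample payloads standing in for captured packets; no port numbers are used.
SAMPLE = [
    b"GET /index.html HTTP/1.1",
    b"GET /style.css HTTP/1.1",
    b"POST /login HTTP/1.1",
    b"SSH-2.0-OpenSSH_7.9",
    b"SSH-2.0-libssh_0.8",
    b"\x16\x03\x01\x00\xa5\x01\x00\x00",  # TLS record header-like bytes
    b"\x16\x03\x03\x00\x40\x02\x00\x00",
]

def best_split(packets):
    """Pick the (offset, substring) test that divides `packets` most evenly."""
    counts = Counter()
    for p in packets:
        for off in OFFSETS:
            if off + NGRAM <= len(p):
                counts[(off, p[off:off + NGRAM])] += 1
    n = len(packets)
    best = min(counts.items(), key=lambda kv: abs(kv[1] - n / 2), default=None)
    if best is None or not 0 < best[1] < n:
        return None  # nothing separates the set (all identical, or empty payloads)
    return best[0]

def build_tree(packets, min_leaf=2, max_depth=8):
    """Divisive clustering: split recursively until clusters are small or nothing splits."""
    test = None if len(packets) <= min_leaf or max_depth == 0 else best_split(packets)
    if test is None:
        return {"leaf": list(packets)}
    off, sub = test
    yes = [p for p in packets if p[off:off + NGRAM] == sub]
    no = [p for p in packets if p[off:off + NGRAM] != sub]
    return {"test": test, "yes": build_tree(yes, min_leaf, max_depth - 1),
            "no": build_tree(no, min_leaf, max_depth - 1)}

def classify(tree, packet):
    """Walk the tree with an unseen packet; returns the cluster (leaf) it lands in."""
    while "test" in tree:
        off, sub = tree["test"]
        tree = tree["yes"] if packet[off:off + NGRAM] == sub else tree["no"]
    return tree["leaf"]

def leaves(tree):
    if "leaf" in tree:
        return [tree["leaf"]]
    return leaves(tree["yes"]) + leaves(tree["no"])
```

Because the tests look only at payload bytes, a packet of a known protocol on a non-standard port still lands in that protocol's cluster; traffic matching no test falls through the "no" branches, which is why the tree has to be rebuilt as traffic changes.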
