Detecting Malicious Clients in ISP Networks Using HTTP Connectivity Graph and Flow Information
- Author(s): Liu, Lei; Saha, Sabyasachi; Torres, Ruben; Xu, Jianpeng; Tan, Pang-Ning; Nucci, Antonio; Mellia, Marco
- HP Laboratories
- HPL-2015-29
- Keyword(s):
Abstract: This paper considers an approach to identify previously undetected malicious clients in Internet Service Provider (ISP) networks by combining flow classification with a graph-based score propagation method. Our approach represents all HTTP communications between clients and servers as a weighted, near-bipartite graph, where the nodes correspond to the IP addresses of clients and servers while the links are their interconnections, weighted according to the output of a flow-based classifier. We employ a two-phase alternating score propagation algorithm on the graph to identify suspicious clients in a monitored network. Using a symmetrized weighted adjacency matrix as its input, we show that our algorithm is less vulnerable towards inflating the malicious scores of popular Web servers with high in-degrees compared to the normalization used in PageRank. Experimental results on a 4-hour network trace collected by a large Internet service provider showed that incorporating flow information into score propagation significantly improves the precision of the algorithm.
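The following is an added illustration, not code from the paper: a toy client-server graph with classifier-weighted edges, run through two-phase alternating propagation under the two normalizations the abstract contrasts. The exact update rules, the restart probability (alpha) and the use of a known-malicious client as the seed are assumptions, since the abstract does not give them; the edge weights and client names are constructed.

```python
import math

# Constructed toy HTTP connectivity graph: (client, server, weight), where the
# weight stands for a flow classifier's malicious probability for that pair.
EDGES = [("c0", "s_mal", 0.9), ("c0", "s_pop", 0.2),
         ("c1", "s_mal", 0.8), ("c1", "s_pop", 0.1)]
# A popular benign server with many low-scoring clients (high in-degree).
EDGES += [(f"b{i}", "s_pop", 0.15) for i in range(30)]
SEEDS = {"c0": 1.0}  # assumed ground truth: one client already known malicious


def degrees(edges):
    """Weighted degree of every client and every server."""
    dc, ds = {}, {}
    for c, s, w in edges:
        dc[c] = dc.get(c, 0.0) + w
        ds[s] = ds.get(s, 0.0) + w
    return dc, ds


def propagate(edges, seeds, symmetric, alpha=0.85, iters=200, tol=1e-9):
    """Two-phase alternating propagation: clients -> servers -> clients.

    symmetric=True : weight / sqrt(d_client * d_server)  (symmetrized matrix)
    symmetric=False: weight / d_source                   (PageRank-style walk)
    """
    dc, ds = degrees(edges)
    clients = {c: seeds.get(c, 0.0) for c in dc}
    servers = {s: 0.0 for s in ds}
    for _ in range(iters):
        # Phase 1: each server aggregates the scores of clients talking to it.
        new_s = {s: 0.0 for s in ds}
        for c, s, w in edges:
            norm = math.sqrt(dc[c] * ds[s]) if symmetric else dc[c]
            new_s[s] += clients[c] * w / norm
        # Phase 2: each client aggregates server scores, restarting to seeds.
        new_c = {c: (1 - alpha) * seeds.get(c, 0.0) for c in dc}
        for c, s, w in edges:
            norm = math.sqrt(dc[c] * ds[s]) if symmetric else ds[s]
            new_c[c] += alpha * new_s[s] * w / norm
        delta = max(abs(new_c[c] - clients[c]) for c in dc)
        clients, servers = new_c, new_s
        if delta < tol:
            break
    return clients, servers


def popular_server_ratio(symmetric):
    """Score of the popular benign server relative to the malicious server."""
    _, servers = propagate(EDGES, SEEDS, symmetric)
    return servers["s_pop"] / servers["s_mal"]


def top_unknown_client(symmetric):
    """Highest-scoring client that was not a seed (the detection output)."""
    clients, _ = propagate(EDGES, SEEDS, symmetric)
    return max((c for c in clients if c not in SEEDS), key=clients.get)
```

With the random-walk normalization the popular server's score ends up close to the malicious server's (the 30 benign clients feed their whole share back to it), while the symmetrized matrix keeps it well below; both still rank the unknown client `c1` first.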
8 Pages
- External Posting Date: April 6, 2015. Approved for External Publication
- Internal Posting Date: April 6, 2015