Detecting Malicious Clients in ISP Networks Using HTTP Connectivity Graph and Flow Information


Abstract: This paper considers an approach to identifying previously undetected malicious clients in Internet Service Provider (ISP) networks by combining flow classification with a graph-based score propagation method. Our approach represents all HTTP communications between clients and servers as a weighted, near-bipartite graph, where the nodes correspond to the IP addresses of clients and servers and the links are their interconnections, weighted according to the output of a flow-based classifier. We employ a two-phase alternating score propagation algorithm on the graph to identify suspicious clients in a monitored network. Using a symmetrized weighted adjacency matrix as its input, we show that our algorithm is less prone to inflating the malicious scores of popular Web servers with high in-degrees than the normalization used in PageRank. Experimental results on a 4-hour network trace collected by a large Internet service provider show that incorporating flow information into score propagation significantly improves the precision of the algorithm.
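The abstract describes the propagation scheme only in outline. The following is an added illustration, not the paper's code or data: it builds a small constructed client/server graph whose edge weights stand in for a flow classifier's maliciousness scores, runs a two-phase alternating propagation (clients to servers, then servers back to clients) seeded with one known-bad client, and compares two normalizations of the weighted adjacency matrix. The symmetric degree normalization D_c^{-1/2} W D_s^{-1/2}, the seed-retention factor alpha, the iteration count and all weights are assumptions chosen for the example; the abstract does not state which normalization the paper uses. The quantity of interest is the ratio of the popular server's score to the suspected C2 server's score: under PageRank-style normalization every single-server client hands its whole score to the popular site, so the ratio is higher than under the symmetric normalization, which damps that inflow by the server's in-degree.

```python
"""Added illustration (not the paper's implementation): two-phase alternating
score propagation on a constructed HTTP client/server graph, comparing a
symmetric degree normalization against PageRank-style normalization."""
import numpy as np


def build_sample_graph():
    """Constructed toy trace, not real ISP data. Returns (clients, servers, W).

    W[i, j] is the weight of the link between client i and server j and stands
    in for a flow classifier's maliciousness score for that client->server HTTP
    traffic (0.0 = no flow observed). All values are assumed for the example.
    """
    clients = [f"b{i}" for i in range(16)] + ["m0", "m1"]
    servers = ["s0", "s1", "s2"]   # s0: popular site, s1: suspected C2, s2: niche site
    W = np.zeros((len(clients), len(servers)))
    W[:, 0] = 0.2                  # every client fetches the popular site (low-suspicion flows)
    W[0:2, 2] = 0.1                # b0 and b1 also use the niche site
    W[16:18, 1] = 0.9              # m0 and m1 talk to s1 with high-suspicion flows
    return clients, servers, W


def propagation_matrices(W, normalization):
    """Return (clients->servers, servers->clients) matrices for one normalization."""
    d_c = W.sum(axis=1)            # weighted degree of each client
    d_s = W.sum(axis=0)            # weighted degree (in-degree) of each server
    d_c = np.where(d_c > 0, d_c, 1.0)   # guard isolated nodes against division by zero
    d_s = np.where(d_s > 0, d_s, 1.0)
    if normalization == "symmetric":
        # D_c^{-1/2} W D_s^{-1/2}: the same symmetric matrix serves both phases
        M = W / np.sqrt(np.outer(d_c, d_s))
        return M.T, M
    if normalization == "pagerank":
        # each node splits its score over its links in proportion to link weight,
        # so a server with many clients collects a contribution from each of them
        return (W / d_c[:, None]).T, W / d_s[None, :]
    raise ValueError(f"unknown normalization: {normalization}")


def alternating_propagation(W, seed, normalization="symmetric", alpha=0.5, iters=50):
    """Two-phase alternating propagation seeded with known-bad clients.

    alpha is an assumed seed-retention factor: clients keep (1 - alpha) of their
    seed evidence each round so the iteration converges and stays anchored to
    the known-bad set rather than drifting to a purely structural fixed point.
    """
    c2s, s2c = propagation_matrices(W, normalization)
    c = seed.astype(float).copy()
    s = np.zeros(W.shape[1])
    for _ in range(iters):
        s = c2s @ c                                    # phase 1: clients -> servers
        c = alpha * (s2c @ s) + (1 - alpha) * seed     # phase 2: servers -> clients
    return c, s


def compare_normalizations(alpha=0.5, iters=50):
    """Run both normalizations on the sample graph with m0 as the only seed."""
    clients, servers, W = build_sample_graph()
    seed = np.zeros(len(clients))
    seed[clients.index("m0")] = 1.0
    out = {}
    for norm in ("pagerank", "symmetric"):
        c, s = alternating_propagation(W, seed, norm, alpha, iters)
        ranked = sorted(zip(clients, c), key=lambda kv: -kv[1])
        out[norm] = {
            # how much of the suspected-C2 server's score the popular site attracts
            "popular_over_c2": float(s[servers.index("s0")] / s[servers.index("s1")]),
            # the highest-scoring client that was not in the seed set
            "top_unseeded_client": next(name for name, _ in ranked if name != "m0"),
            "scores": dict(zip(clients, c.tolist())),
        }
    return out


if __name__ == "__main__":
    for norm, result in compare_normalizations().items():
        print(f"{norm:10s} s0/s1 = {result['popular_over_c2']:.3f}  "
              f"top unseeded client = {result['top_unseeded_client']}")
```

In both runs the unseeded client that shares the suspected C2 server with the seed (m1) ends up ranked first, which is the effect the abstract is after; the difference is in how much score leaks onto the popular server and, from there, back onto the sixteen benign clients. Replacing the constructed weights with real classifier outputs changes the numbers but not the mechanism.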

8 Pages

  • External Posting Date: April 6, 2015 [Fulltext]. Approved for External Publication
  • Internal Posting Date: April 6, 2015 [Fulltext]
