Internet Traffic Analysis for Intrusion Detection and Active Queue Management

Our view of Internet traffic analysis is that it is a technique through which simulated and real traffic data is measured, analyzed, and dynamically modeled, with the objective of understanding discrepancies between, on the one hand, the traffic observed and, on the other hand, the traffic predicted by the model. A discrepancy between the traffic predicted by a model identified under "normal" conditions and the traffic observed under unknown network status would indicate an outage, or, more seriously, an intrusion or some illegal activity. From a broader perspective, even in case the traffic is "normal," there will still be a discrepancy between the predicted data and the observed data--because no model is perfect--and it is important to understand how predictable the "normal" traffic is, especially since such techniques as Random Early Detection (RED) and Active Queue Management (AQM) rely on anticipating when a queue will overflow and taking appropriate action to avoid such overflow.

If the network traffic were to follow a Poison or Markovian arrival process, it would have a characteristic burst length which would tend to be smoothed out by averaging over a long enough time scale. Quite on the contrary, the measurements made on real networks indicate that significant traffic burstiness is still present over a wide range of time scale. In fact, traffic in a packet-based network can be characterized by its bursts of activity. These bursts can be idealized as existing at every time scale, from milliseconds to days, and as looking similar independently of the time scale, i.e., the traffic can be idealized as self-similar. One characteristic of self-similar traffic is long range dependence (LRD).

Based on a preliminary analysis of individual sources on an Ethernet, Wilinger observed that individual sources can be represented by the familiar ON/OFF abstraction: the source is either transmitting at a peak rate when it is in the ON state, or it is completely idle when it is in the OFF state. So, this observation motivates the investigation of ON/OFF traffic, in which the distribution of times in one of the two states (ON) is heavy tailed, meaning the variance is infinite. One approach to model this type of traffic is having ON periods uniformly distributed with the number of sources and the shape of the parameter Pareto distributed to adjust the number of synthesized work load.

The above mentioned procedure was followed to generate synthesized workload by Network Simulator and Topogen. As expected, the traffic was manifesting self-similar properties. The simulations were done on Constant Bit Rate (CBR) traffic, FTP traffic, WWW traffic, on the dumbbell and parking lot topologies, and on hundred node random topologies reflecting the real Internet.

The major tool used in the analysis of the traffic, in terms of throughput, link utilization, and packet drops, is the Canonical Correlation Analysis. The latter is a technique for assessing, in terms of the canonical correlation coefficients and the Akaike mutual information, the amount of interdependence between the past and the future of the traffic signal. Should the mutual information be large enough, then a reliable state space model, also referred to as innovation model, of the traffic can be constructed. Such a related method as the Alternating Conditional Expectation (ACE) was also used to construct nonlinear autoregressive (AR) models.

Regarding the specific intrusion detection application, we observed that an intrusion (CBR attack, UDP flooding) is almost always accompanied by a change in the Akaike mutual information relative to the "normal" traffic. However, under an intrusion, the mutual information could increase or decrease, depending on the nature of the attack and the status of the traffic before the attack. Such a change in some "signature" of the traffic signal that could go either way under intrusion was also observed by the group of Stephen F. Bush at General Electric, using the Kolmogorov complexity instead of the Akaike mutual information as "signature" of the traffic.

Still within the intrusion detection application, we consistently observed a deterioration of the ability of models identified under normal conditions to predict the traffic under attack conditions. This leads to yet another intrusion detection scheme.

Regarding predictability of the traffic under normal network status with a view toward Active Queue Management (AQM), we reached the conclusion that traffic is not predictable well enough to afford AQM at low time scales, while this can be done a higher time scales. With a slightly varying drop probability imposed as control action, the TCP dynamics from drop probability to packet arrival can be linearized. As the time scale decreases, we observed a progressive deterioration of the ability to control the open-loop dynamics as revealed by the pole/zero configuration that goes from a well-damped stable/minimum phase configuration at large time scales all the way to lightly damped, nearly unstable/nonminimum phase configuration at low time scales. The pole/zero configuration passes through a dramatic transition when the time scale is of the same order as the Round Trip Time (RTT). Interestingly, the open-loop dynamics at low time scale reveals oscillatory poles, the periods of which appeared amazingly consistent with the RTT. This indicates that the identification was accurately done.

On a slightly different tone, the discrepancy between pole/zero configuration at low time scale and at large time scale indicates that traffic is not quite self-similar at all time scales, as it has been claimed.

For more information about this project, contact Khushboo Shah, Ph. D., at khushboo@usc.edu or at khushboo.shah@nevisnetworks.com. You may also contact Prof. S. Bohacek at bohacek@eecis.udel.edu.

Selected publications

K. Shah and E. A. Jonckheere, Dynamic modeling of Internet traffic, National Science Foundation Southwest Regional Workshop on New Directions in Dynamical Systems, University of Southern California, Los Angeles, CA, Nov. 16-19, 2000.
K. Shah, E. Jonckheere, and S. Bohacek, Linear versus nonlinear canonical correlation analysis of HTTP versus FTP traffic, Technical Report, Department of Electrical Engineering--Systems, University of Southern California, Los Angeles, CA, December 2001.
K. Shah, E. Jonckheere, and S. Bohacek, Dynamic modeling of Internet traffic for intrusion detection, American Control Conference (ACC2002), Anchorage, Alaska, May 08-10, 2002, Session TM06, pp. 2436-2442.
K. Shah, S. Bohacek and E. Jonckheere, "On predictability of data network traffic," American Control Conference (ACC2003), Denver, Colorado, June 04-06, 2003, Session: Communications, WP-08-4, pp. 1619-1624.
E. Jonckheere and P. Lohsoonthorn, "The geometry of network security," American Control Conference (ACC2004), Boston, MA, June, 2004.
H. Yousefi'zadeh, E. Jonckheere, and J. Sylvester, "Utilizing neural networks to reduce packet loss in self-similar teletraffic patterns," IEEE International Conference on Communications (ICC 2003), Anchorage, Alaska, May 11-15, 2003.
H. Yousefi'zadeh and E. Jonckheere, "Dynamic neural based buffer management for queuing systems with self-similar characteristics," IEEE Transactions on Neural Networks, Special Issue on Adaptive Learning Systems in Communications Networks, volume 16, pp. 1163-1173, September 2005.
S. Bohacek, E. Jonckheere, and K. Shah, "On the performance limitation of Active Queue Management (AQM)," IEEE Conference on Decision and Control (CDC 2004), Atlantis, Paradise Island, Bahamas, December 14-17, 2004, pp. 1016-1022.
K. Shah, S. Bohacek, and E. Jonckheere, "On the performance limitation of Active Queue Management," submitted to IEEE Transactions on Automatic Control, 2005. [The data used in this paper is available from the following MATLAB *.mat files: DATA0, DATA1, DATA2, DATA3, DATA4, DATA5, DATA6, DATA7, DATA8, DATA9; clicking on a specific file will open MATLAB at your end and load the data in the MATLAB workspace; you will have three variables: SampleRate (the sampling rate), num (numerator polynomial), and den (denominator polynomial); depending on your end workstation, you may be offered the option of just saving the file if you so prefer.]
K. Shah, E. Jonckheere and S. Bohacek, "Dynamics modeling of Internet traffic for intrusion detection," EURASIP, The European Association for Signal, Speech and Image Processing, accepted subject to revisions, 2005. [This paper relies heavily on, E. A. Jonckheere and B.-F. Wu, Mutual Kolmogorov-Sinai entropy approach to nonlinear estimation," IEEE Conference on Decision and Control, Tucson, AZ, Dec. 1992, pp. 2226-2232.]

References

E. A. Jonckheere and Bing-Fei Wu, "Mutual Kolmogorov-Sinai entropy approach to nonlinear estimation," IEEE Conference on Decision and Control, Tucson, Arizona, Dec. 1992, pp. 2226-2232.
N. Haydn and E. Jonckheere, On mutual information, to be submitted, 2005.