Skip to content



(Anti)social Behavior in Malicious Internet Source IPs: Characterisation and Detection

Kolaczyk, E (Boston)
Friday 25 June 2010, 16:00-16:45

Seminar Room 1, Newton Institute


We consider the problem of monitoring Internet traffic at the IP address level, for the purpose of identifying malicious source IPs. This problem is highly challenging, due to such diverse factors as data volume, limited measurement vantage, sampling effects, and user privacy concerns. Moreover, efforts typically are made for traffic from the very IP addresses we seek to detect to blend in with the rest of (normal) traffic. In this talk, we present work characterising the traffic behavior of IP source addresses from a social network perspective and exploiting our characterizations to build simple but effective detection tools. Specifically, we analyze network flow data, collected on a major Internet backbone network, in combination with log records from Internet security programs, using both local and global network representations and network analysis tools. Our findings are twofold. First, we show that malicious source nodes in IP traffic are distinctive in their communication behavior, in that they “interact” with other nodes without substantively ‘participating’ in the natural communities within which the latter exist. Second, we demonstrate that, with appropriate social network analysis tools, this behavior can be exploited in developing detection algorithms. This is joint work with Qi Ding, Natallia Katenka, Paul Barford, and Mark Crovella.


The video for this talk should appear here if JavaScript is enabled.
If it doesn't, something may have gone wrong with our embedded player.
We'll get it fixed as soon as possible.

Back to top ∧