This paper discusses the possibility of applying an image-processing technique to detecting anomalies in Internet traffic, which differs from traditional anomaly-detection techniques. We first demonstrate that anomalous packet behavior in darknet traces often has a characteristic multiscale structure in time and space (e.g., in addresses or ports). These observed structures consist of abnormal and non-random uses of particular traffic features. From these observations, we propose a new type of anomaly-detection algorithm based on a pattern-recognition technique. The key idea underlying our algorithm is that anomalous activities appear as "lines" on temporal-spatial planes, which are easily identified by an edge-detection algorithm. In addition, applying a clustering technique to the lines obtained helps in classifying and labeling the numerous anomalies detected. The proposed algorithm was used to blindly analyze packet traffic traces collected from a trans-Pacific transit link. Furthermore, we compared the anomalies detected by our algorithm with those found by a statistics-based algorithm. The comparison revealed that the two algorithms found mainly the same anomalies, but that each also found some anomalies of characteristic types the other missed.
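As an added illustration of the "lines on a temporal-spatial plane" idea (this is example code written for this page, not the paper's own implementation, and it makes its own simplifying choices), the block below bins a constructed darknet-style packet list onto a time x destination-port plane, applies a discrete second-difference ridge detector along each axis (a 1-D Laplacian, the simplest edge operator), and reports rows or columns where the ridge persists as "lines". Persistent probing of one port shows up as a vertical line; a sweep across all ports in one time slot shows up as a horizontal line. The grid sizes, thresholds, the `_segments` grouping used as a stand-in for the paper's clustering step, and all packet data are assumptions constructed here.

```python
"""Added example (not the paper's code): toy line detection on a time x port plane.

Packets are (time_slot, dst_port) pairs; all data below is constructed.
"""
import random

T_BINS, P_BINS = 24, 64            # 24 time slots x 64 port buckets
PORT_WIDTH = 65536 // P_BINS       # each bucket covers 1024 destination ports


def make_packets(seed=1):
    """Constructed sample: random background plus two planted anomalies."""
    rng = random.Random(seed)
    pk = [(rng.randrange(T_BINS), rng.randrange(65536)) for _ in range(600)]
    # anomaly A: one port probed steadily in every time slot (vertical line)
    for t in range(T_BINS):
        pk.extend((t, 445) for _ in range(12))
    # anomaly B: a sweep across the whole port range in one slot (horizontal line)
    pk.extend((7, port) for port in range(0, 65536, 97))
    return pk


def build_plane(packets):
    """Bin (time_slot, dst_port) pairs onto a time x port-bucket count grid."""
    grid = [[0] * P_BINS for _ in range(T_BINS)]
    for t, port in packets:
        grid[t][port // PORT_WIDTH] += 1
    return grid


def ridge(grid, t, p, axis):
    """Discrete second difference at (t, p) across `axis` ('port' or 'time').

    Large positive values mean the cell sticks up above both neighbours;
    at the grid border only the existing neighbour is used.
    """
    if axis == "port":
        nb = [grid[t][q] for q in (p - 1, p + 1) if 0 <= q < P_BINS]
    else:
        nb = [grid[s][p] for s in (t - 1, t + 1) if 0 <= s < T_BINS]
    return grid[t][p] - sum(nb) / len(nb)


def _segments(flagged):
    """Group adjacent flagged indices into (start, end) runs (a stand-in clustering step)."""
    segs = []
    for i in flagged:
        if segs and i == segs[-1][1] + 1:
            segs[-1] = (segs[-1][0], i)
        else:
            segs.append((i, i))
    return segs


def detect_lines(grid, ridge_thresh=3.0, persist=0.6):
    """Return port-bucket columns and time-slot rows where the ridge persists.

    A column is a vertical line when at least `persist` of its time slots
    exceed `ridge_thresh`; a row is a horizontal line when at least `persist`
    of its port buckets do.  Thresholds are assumptions for this toy data.
    """
    port_lines = [
        p for p in range(P_BINS)
        if sum(ridge(grid, t, p, "port") > ridge_thresh for t in range(T_BINS)) / T_BINS >= persist
    ]
    time_lines = [
        t for t in range(T_BINS)
        if sum(ridge(grid, t, p, "time") > ridge_thresh for p in range(P_BINS)) / P_BINS >= persist
    ]
    return {"port_lines": _segments(port_lines), "time_lines": _segments(time_lines)}


if __name__ == "__main__":
    result = detect_lines(build_plane(make_packets()))
    for lo, hi in result["port_lines"]:
        print(f"vertical line: ports {lo * PORT_WIDTH}-{(hi + 1) * PORT_WIDTH - 1} active in most slots")
    for lo, hi in result["time_lines"]:
        print(f"horizontal line: port sweep in time slot(s) {lo}-{hi}")
```

With the constructed input the detector reports one vertical line in the bucket covering ports 0-1023 (the planted port 445 probing) and one horizontal line in time slot 7 (the planted sweep), while the random background produces no persistent ridges. On real traces the bin widths, ridge threshold and persistence fraction would have to be tuned to the link's baseline rate.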
In conventional egress network access control (NAC) using access control lists (ACLs), modifying ACLs is a heavy task for administrators. To enable rapid configuration without a large amount of effort by administrators, we introduce capabilities to egress NAC. In our egress NAC, a user can transfer his/her access rights (capabilities) to other persons without asking administrators. To realize capability-based egress NAC, we use DNS messages and IP options to carry capabilities. A resolver of the client sends the user name, domain name, and service name as DNS query messages to a DNS cache server, which issues capabilities according to a policy and sends them as DNS answer messages to the client. The client kernel includes these capabilities in the IP options of packets and sends them to the router. The router checks the capabilities of the packets to determine whether to pass or block them. In this paper, we describe the design and implementation of our method in detail. Experimental results show that our method does not reduce the router's performance.
Verifying whether the routing information originating from an AS is being correctly distributed throughout the Internet is important for stable inter-AS routing operation. However, the global behavior of routing information is difficult to understand because it changes both spatially and temporally. Thus, rapid detection of inter-AS routing failures and diagnosis of their causes are also difficult. We have developed a multi-agent-based diagnostic system, ENCORE, to cope with these problems, and improved its functions (ENCORE-2) through our experience in applying the system to commercial ISPs. Cooperative actions among ENCORE-2 agents provide efficient methods for collecting, integrating, and analyzing routing information observed in multiple ASes to detect and diagnose anomalies that human operators have difficulty handling. ENCORE-2 is also applied to the hijacked-route problem, one of the major recent inter-AS issues.