Many compromised computers today generate maltraffic, such as denial-of-service (DoS) attacks, spyware reporting home, unauthorized applications, spam, and worms. Current defenses are becoming increasingly brittle. There are several reasons for this challenge: encryption limits packet content inspecting, aggregation at network edge limits use of filtering and blacklisting due to potential collateral damage, increased traffic volumes allow maltraffic to hide, and applications are often cloaked through layered protocols (SOAP over HTTP or varying port allocation) or active concealment.
This proposal applies signal processing and detection theory to network traffic to detect maltraffic in these challenging scenarios. We will use features such as packet timing and frequency, careful design of the measurement and detection systems, and study of inherent behaviors in protocols to address these challenges.
Broader Impact: The results of this work will include (a) the development of a systematic methodology for applying signal processing methods to network traffic; (b) the analysis of new signal representation and detection methods specific to maltraffic; and (c) the identification, understanding, and modeling of key identifying features and inherent behaviors of maltraffic and how they are shaped by the network. Our new approaches will yield a deeper understanding of network traffic, and will be tested with traces of real network traffic, resulting in new tools to combat these problems.
