Michalis Faloutsos (UCR)

The fundamental problem that motivates this work is the need to detect and classify emerging and undesired applications in a network, such as a large ISP, or an enterprise network. The undesired applications can refer to Peer-To-Peer (P2P) protocols, which can dominate network resources, but also include malware such as intrusions and worms. This proposal addresses the following tightly related problems in this area of research: (a) monitoring and visualizing network traffic, (b) identifying applications, and (c) detecting anomalies.

Monitoring the traffic and detecting unwanted applications is far from trivial. The authors of controversial applications often obfuscate their traffic to make it very hard to detect, using encryption or ever-changing behavior. Thus, there is a need for an approach that has the following properties: (a) it is easy to use with few and intuitive parameters, (b) it can operate even when packet payload is unavailable, and (c) it does not rely on a priori knowledge of the application specification, such as port numbers. Despite the significant number of previous efforts, most previous work fails to meet at least one of these three requirements.

The proposal follows a more fundamental behavioral approach, where the detector looks for behavior patterns of the application that are both intrinsic to the application and distinct from other traffic. By identifying intrinsic behaviors, it becomes difficult for application writers to disguise their applications without defeating the very purpose of the application.

The key contribution of this proposal is that it demonstrates the power of a behavioral or graph-based approach to network monitoring. Specifically, the proposal fully explores the use of Traffic Dispersion Graphs or TDGs, which capture the communication pattern in a network, namely, who talks to whom. TDGs capture the "social" interaction of the network as a whole, which leads to a directed graph: each node is an IP address, and each edge represents an interaction between two nodes. The proposal shows that there is a wealth of information embedded in a TDG which the other monitoring and application classification methods simply cannot capture.
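As an added illustration (this is not code from the proposal or from the PI's group), the following Python builds a TDG from flow records and computes a few simple graph metrics on it. The flow records are constructed, not captured; the `port` filter, the `ino_ratio` metric (fraction of nodes that both initiate and accept connections) and the 0.3 threshold in `classify` are assumptions chosen for the example, not the proposal's own parameters. The point it shows is that a client-server mix and a P2P-like mix produce visibly different graph shapes even though the code never looks at payload.

```python
from collections import defaultdict

# Constructed sample flows as (src_ip, dst_ip, dst_port); not real captures.
# WEB_FLOWS: many clients talk to one or two servers (star-shaped TDG).
# P2P_FLOWS: peers both initiate and accept connections (mesh-shaped TDG).
WEB_FLOWS = [
    ("10.0.0.1", "203.0.113.5", 80),
    ("10.0.0.2", "203.0.113.5", 80),
    ("10.0.0.3", "203.0.113.5", 80),
    ("10.0.0.4", "203.0.113.5", 80),
    ("10.0.0.5", "203.0.113.6", 80),
]
P2P_FLOWS = [
    ("10.0.0.1", "10.0.0.2", 6881),
    ("10.0.0.2", "10.0.0.3", 6881),
    ("10.0.0.3", "10.0.0.1", 6881),
    ("10.0.0.3", "10.0.0.4", 6881),
    ("10.0.0.4", "10.0.0.2", 6881),
    ("10.0.0.5", "10.0.0.4", 6881),
]


def build_tdg(flows, port=None):
    """Build a directed TDG as {src_ip: set(dst_ip)}.

    Each node is an IP address and each edge src->dst records that src
    initiated at least one flow to dst. `port` (assumed parameter) keeps
    only flows to that destination port, which is how one TDG per
    application can be drawn from a mixed trace. Self-loops are dropped.
    """
    out_edges = defaultdict(set)
    for src, dst, dport in flows:
        if port is not None and dport != port:
            continue
        if src != dst:
            out_edges[src].add(dst)
    return out_edges


def tdg_metrics(out_edges):
    """Return node/edge counts, average degree, max in-degree and InO ratio."""
    in_deg = defaultdict(int)
    out_deg = {}
    for src, dsts in out_edges.items():
        out_deg[src] = len(dsts)
        for dst in dsts:
            in_deg[dst] += 1
    nodes = set(out_edges) | set(in_deg)
    n_nodes = len(nodes)
    n_edges = sum(out_deg.values())
    # InO: nodes that both send (out-degree > 0) and receive (in-degree > 0).
    ino = sum(1 for v in nodes if out_deg.get(v, 0) > 0 and in_deg.get(v, 0) > 0)
    return {
        "nodes": n_nodes,
        "edges": n_edges,
        "avg_degree": (2.0 * n_edges / n_nodes) if n_nodes else 0.0,
        "max_in_degree": max(in_deg.values(), default=0),
        "ino_ratio": (ino / n_nodes) if n_nodes else 0.0,
    }


def classify(metrics, ino_threshold=0.3):
    """Illustrative rule (assumed threshold): a high InO ratio means many
    hosts act as both client and server, the hallmark of P2P overlays;
    a star with InO near zero is client-server traffic."""
    return "p2p-like" if metrics["ino_ratio"] >= ino_threshold else "client-server-like"


if __name__ == "__main__":
    for name, flows, port in (("web", WEB_FLOWS, 80), ("p2p", P2P_FLOWS, 6881)):
        m = tdg_metrics(build_tdg(flows, port))
        print(name, m, classify(m))
```

On the constructed input the web TDG has 7 nodes, 5 edges, a single hub with in-degree 4 and an InO ratio of 0, while the P2P TDG has 5 nodes, 6 edges and 4 of the 5 hosts both initiating and accepting connections. Real traces need per-port or per-time-window TDGs and a sampling window, but the computation stays this simple and never touches payload.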

Broader Impact: This proposal will make enterprise and ISP networks more reliable and safer by providing the basis for a new generation of monitoring and security tools. Service disruptions and malware cost industries with significant IT infrastructure billions of dollars per year. At the same time, the Internet has become the battleground of multimillion dollar wars: between industries (content providers versus ISPs on network neutrality) and between the entertainment industry and users (the peer-to-peer saga). The proposal will provide tools (e.g. application classification) that will play an important role in deciding the future of the network.

Educational Goals: The PI will develop a cross-disciplinary educational program by bringing together networking, security, graph-mining, and social networks research. In addition, the PI will develop programs to: (a) encourage the early involvement of both undergraduate and graduate students in research and teaching, and (b) increase the participation of minorities in higher education in engineering.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 0832069
Program Officer: Joseph Lyles
Budget Start: 2008-09-01
Budget End: 2013-02-28
Fiscal Year: 2008
Total Cost: $250,000
Name: University of California Riverside
City: Riverside
State: CA
Country: United States
Zip Code: 92521