Communication recurrence and similarity detection in network flows

Abstract

Network flow analysis has applications in security monitoring. Flow analysis techniques like periodicity and self similarity detection are often used to model and understand the application traffic behavior. In this paper we propose a method to identify recurring and similar network flows which can be used in security monitoring. To identify recurring network flows we generate a communication graph of a host every ΔΤ time interval with its peers and find the intersection of these graphs successively. The edges which remain after the intersection will be used as candidates for similarity detection. We estimate the similarity between successive flows between a pair of hosts by measuring Manhattan distance between the features of flows. The recurring flow which shows small distance between successive flows will be identified as similar. Subsequently we adapt this technique to botnet detection as a case study. We experiment with a recently released public botnet dataset and show that our method is able to identify botnet C&C activities which exhibit similarity in communication. © 2017 IEEE.