User Intention-Based Traffic Dependence Analysis For Anomaly Detection

Zhang, Hao and Banick, William and Yao, Danfeng (Daphne) and Ramakrishnan, Naren (2012) User Intention-Based Traffic Dependence Analysis For Anomaly Detection. Technical Report TR-12-07, Computer Science, Virginia Tech.

Abstract

This paper describes an approach for enforcing dependencies between network traffic and user activities for anomaly detection. We present a framework and algorithms that analyze user actions and network events on a host according to their dependencies. Discovering these relations is useful in identifying anomalous events on a host that are caused by software flaws or malicious code. To demonstrate the feasibility of user intention-based traffic dependence analysis, we implement a prototype called CR-Miner and perform extensive experimental evaluation of the accuracy, security, and efficiency of our algorithm. The results show that our algorithm can identify user intention-based traffic dependence with high accuracy (average 99:6% for 20 users) and low false alarms. Our prototype can successfully detect several pieces of HTTP-based real-world spyware. Our dependence analysis is fast with a minimal storage requirement. We give a thorough analysis on the security and robustness of the user intention-based traffic dependence approach.