Kaleido: Network traffic attribution using multifaceted footprinting

Ting Wang; Fei Wang; Reiner Sailer; Douglas Schales

doi:10.1137/1.9781611973440.80

Kaleido: Network traffic attribution using multifaceted footprinting

Ting Wang, Fei Wang, Reiner Sailer, Douglas Schales

College of Information Sciences and Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

3 Scopus citations

Abstract

Network traffic attribution, namely, inferring users responsible for activities observed on network interfaces, is one fundamental yet challenging task in network security forensics. Compared with other user-system interaction records, network traces are inherently coarsegrained, context-sensitive, and detached from user ends. This paper presents Kaleido, a new network traffic attribution tool with a series of key features: a) it adopts a new class of inductive discriminant models to capture user- and context-specific patterns ("footprints") from different aspects of network traffic; b) it applies efficient learning methods to extracting and aggregating such footprints from noisy historical traces; c) with the help of novel indexing structures, it is able to perform efficient, runtime traffic attribution over high-volume network traces. The efficacy of Kaleido is evaluated with extensive experimental studies using the real network traces collected over three months in a large enterprise network.

Original language	English (US)
Title of host publication	SIAM International Conference on Data Mining 2014, SDM 2014
Editors	Pang Ning-Tan, Arindam Banerjee, Srinivasan Parthasarathy, Zoran Obradovic, Chandrika Kamath, Mohammed Zaki
Publisher	Society for Industrial and Applied Mathematics Publications
Pages	695-703
Number of pages	9
ISBN (Electronic)	9781510811515
DOIs	https://doi.org/10.1137/1.9781611973440.80
State	Published - 2014
Event	14th SIAM International Conference on Data Mining, SDM 2014 - Philadelphia, United States Duration: Apr 24 2014 → Apr 26 2014

Publication series

Name	SIAM International Conference on Data Mining 2014, SDM 2014
Volume	2

Other

Other	14th SIAM International Conference on Data Mining, SDM 2014
Country/Territory	United States
City	Philadelphia
Period	4/24/14 → 4/26/14

All Science Journal Classification (ASJC) codes

Computer Science Applications
Software

Access to Document

10.1137/1.9781611973440.80

Cite this

Wang, T., Wang, F., Sailer, R., & Schales, D. (2014). Kaleido: Network traffic attribution using multifaceted footprinting. In P. Ning-Tan, A. Banerjee, S. Parthasarathy, Z. Obradovic, C. Kamath, & M. Zaki (Eds.), SIAM International Conference on Data Mining 2014, SDM 2014 (pp. 695-703). (SIAM International Conference on Data Mining 2014, SDM 2014; Vol. 2). Society for Industrial and Applied Mathematics Publications. https://doi.org/10.1137/1.9781611973440.80

Wang, Ting ; Wang, Fei ; Sailer, Reiner et al. / Kaleido : Network traffic attribution using multifaceted footprinting. SIAM International Conference on Data Mining 2014, SDM 2014. editor / Pang Ning-Tan ; Arindam Banerjee ; Srinivasan Parthasarathy ; Zoran Obradovic ; Chandrika Kamath ; Mohammed Zaki. Society for Industrial and Applied Mathematics Publications, 2014. pp. 695-703 (SIAM International Conference on Data Mining 2014, SDM 2014).

@inproceedings{9dbaf4d5e2524eaab0f9c460fb68b7c2,

title = "Kaleido: Network traffic attribution using multifaceted footprinting",

abstract = "Network traffic attribution, namely, inferring users responsible for activities observed on network interfaces, is one fundamental yet challenging task in network security forensics. Compared with other user-system interaction records, network traces are inherently coarsegrained, context-sensitive, and detached from user ends. This paper presents Kaleido, a new network traffic attribution tool with a series of key features: a) it adopts a new class of inductive discriminant models to capture user- and context-specific patterns ({"}footprints{"}) from different aspects of network traffic; b) it applies efficient learning methods to extracting and aggregating such footprints from noisy historical traces; c) with the help of novel indexing structures, it is able to perform efficient, runtime traffic attribution over high-volume network traces. The efficacy of Kaleido is evaluated with extensive experimental studies using the real network traces collected over three months in a large enterprise network.",

author = "Ting Wang and Fei Wang and Reiner Sailer and Douglas Schales",

note = "Publisher Copyright: {\textcopyright} SIAM.; 14th SIAM International Conference on Data Mining, SDM 2014 ; Conference date: 24-04-2014 Through 26-04-2014",

year = "2014",

doi = "10.1137/1.9781611973440.80",

language = "English (US)",

series = "SIAM International Conference on Data Mining 2014, SDM 2014",

publisher = "Society for Industrial and Applied Mathematics Publications",

pages = "695--703",

editor = "Pang Ning-Tan and Arindam Banerjee and Srinivasan Parthasarathy and Zoran Obradovic and Chandrika Kamath and Mohammed Zaki",

booktitle = "SIAM International Conference on Data Mining 2014, SDM 2014",

address = "United States",

}

Wang, T, Wang, F, Sailer, R & Schales, D 2014, Kaleido: Network traffic attribution using multifaceted footprinting. in P Ning-Tan, A Banerjee, S Parthasarathy, Z Obradovic, C Kamath & M Zaki (eds), SIAM International Conference on Data Mining 2014, SDM 2014. SIAM International Conference on Data Mining 2014, SDM 2014, vol. 2, Society for Industrial and Applied Mathematics Publications, pp. 695-703, 14th SIAM International Conference on Data Mining, SDM 2014, Philadelphia, United States, 4/24/14. https://doi.org/10.1137/1.9781611973440.80

Kaleido: Network traffic attribution using multifaceted footprinting. / Wang, Ting; Wang, Fei; Sailer, Reiner et al.
SIAM International Conference on Data Mining 2014, SDM 2014. ed. / Pang Ning-Tan; Arindam Banerjee; Srinivasan Parthasarathy; Zoran Obradovic; Chandrika Kamath; Mohammed Zaki. Society for Industrial and Applied Mathematics Publications, 2014. p. 695-703 (SIAM International Conference on Data Mining 2014, SDM 2014; Vol. 2).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Kaleido

T2 - 14th SIAM International Conference on Data Mining, SDM 2014

AU - Wang, Ting

AU - Wang, Fei

AU - Sailer, Reiner

AU - Schales, Douglas

N1 - Publisher Copyright: © SIAM.

PY - 2014

Y1 - 2014

N2 - Network traffic attribution, namely, inferring users responsible for activities observed on network interfaces, is one fundamental yet challenging task in network security forensics. Compared with other user-system interaction records, network traces are inherently coarsegrained, context-sensitive, and detached from user ends. This paper presents Kaleido, a new network traffic attribution tool with a series of key features: a) it adopts a new class of inductive discriminant models to capture user- and context-specific patterns ("footprints") from different aspects of network traffic; b) it applies efficient learning methods to extracting and aggregating such footprints from noisy historical traces; c) with the help of novel indexing structures, it is able to perform efficient, runtime traffic attribution over high-volume network traces. The efficacy of Kaleido is evaluated with extensive experimental studies using the real network traces collected over three months in a large enterprise network.

AB - Network traffic attribution, namely, inferring users responsible for activities observed on network interfaces, is one fundamental yet challenging task in network security forensics. Compared with other user-system interaction records, network traces are inherently coarsegrained, context-sensitive, and detached from user ends. This paper presents Kaleido, a new network traffic attribution tool with a series of key features: a) it adopts a new class of inductive discriminant models to capture user- and context-specific patterns ("footprints") from different aspects of network traffic; b) it applies efficient learning methods to extracting and aggregating such footprints from noisy historical traces; c) with the help of novel indexing structures, it is able to perform efficient, runtime traffic attribution over high-volume network traces. The efficacy of Kaleido is evaluated with extensive experimental studies using the real network traces collected over three months in a large enterprise network.

UR - http://www.scopus.com/inward/record.url?scp=84959932810&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84959932810&partnerID=8YFLogxK

U2 - 10.1137/1.9781611973440.80

DO - 10.1137/1.9781611973440.80

M3 - Conference contribution

AN - SCOPUS:84959932810

T3 - SIAM International Conference on Data Mining 2014, SDM 2014

SP - 695

EP - 703

BT - SIAM International Conference on Data Mining 2014, SDM 2014

A2 - Ning-Tan, Pang

A2 - Banerjee, Arindam

A2 - Parthasarathy, Srinivasan

A2 - Obradovic, Zoran

A2 - Kamath, Chandrika

A2 - Zaki, Mohammed

PB - Society for Industrial and Applied Mathematics Publications

Y2 - 24 April 2014 through 26 April 2014

ER -

Wang T, Wang F, Sailer R, Schales D. Kaleido: Network traffic attribution using multifaceted footprinting. In Ning-Tan P, Banerjee A, Parthasarathy S, Obradovic Z, Kamath C, Zaki M, editors, SIAM International Conference on Data Mining 2014, SDM 2014. Society for Industrial and Applied Mathematics Publications. 2014. p. 695-703. (SIAM International Conference on Data Mining 2014, SDM 2014). doi: 10.1137/1.9781611973440.80

Kaleido: Network traffic attribution using multifaceted footprinting

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this