MADCAT: Maltraffic Analysis and Detection in Challenging and Aggregate Traffic (NeTS-NBD)

Project Description

The MR-Net project ran from 2006 to 2010 and is now complete. Its research results are now used by several other projects at ISI and elsewhere. For follow-on work, please see current work by the ANT Lab.

MADCAT is a joint research effort of USC/Information Sciences Institute, USC’s Electrical Engineering Dept., and Colorado State University’s Computer Science Dept.

The Internet can be a dangerous place, with malware taking control of users’ computers and turning them against others or themselves. Many compromised computers generate maltraffic, which includes denial-of-service (DoS) attacks, spyware reporting home, unauthorized applications (applications in violation of a corporate acceptable use policy such as peer-to-peer file sharing, chat, games), spam (both inbound and outbound), and worms.

Firewalls, intrusion detection systems, anti-virus programs, proxies and filters all try to defend against maltraffic. Unfortunately, defense is increasingly difficult due to traffic encryption, edge-level aggregation (making filtering and blacklisting result in collateral damage), and large traffic volumes and active cloaking allowing maltraffic to hide itself.

MADCAT proposes to use signal processing and detection theory as new tools to address these problems in detecting maltraffic.

MADCAT is supported by the National Science Foundation’s Networking Technology and Systems (NeTS) program, grant number CNS-0626696.

People

Publications

  • Lin Quan, John Heidemann and Yuri Pradkin 2012. Detecting Internet Outages with Precise Active Probing (extended). Technical Report ISI-TR-2012-678b. USC/Information Sciences Institute. [PDF] Details
  • Lin Quan and John Heidemann 2011. Detecting Internet Outages with Active Probing (extended). Technical Report ISI-TR-2011-672. USC/Information Sciences Institute. [PDF] Details
  • Lin Quan and John Heidemann 2010. On the Characteristics and Reasons of Long-lived Internet Flows. Proceedings of the ACM Internet Measurement Conference (Melbourne, Australia, Nov. 2010), 444–450. [DOI] [PDF] Details
  • Xue Cai and John Heidemann 2010. Understanding Block-level Address Usage in the Visible Internet. Proceedings of the ACM SIGCOMM Conference (New Delhi, India, Aug. 2010), 99–110. [DOI] [PDF] Details
  • Gautam Thatte, Urbashi Mitra and John Heidemann 2010. Parametric Methods for Anomaly Detection in Aggregate Traffic. ACM/IEEE Transactions on Networking. 19, 2 (Aug. 2010), 512–525. [DOI] [PDF] Details
  • Xue Cai and John Heidemann 2010. Understanding Block-level Address Usage in the Visible Internet (extended). Technical Report ISI-TR-2009-665. USC/Information Sciences Institute. [PDF] Details
  • Lin Quan and John Heidemann 2010. On the Characteristics and Reasons of Long-lived Internet Flows (extended). Technical Report ISI-TR-2010-667. USC/Information Sciences Institute. [PDF] Details
  • Chris Wilcox, Christos Papadopoulos and John Heidemann 2010. Correlating Spam Activity with IP Address Characteristics. Proceedings of the IEEE Global Internet Symposium (San Diego, California, USA, Mar. 2010), 1–6. [DOI] [PDF] Details
  • Genevieve Bartlett, John Heidemann and Christos Papadopoulos 2009. Using Low-Rate Flow Periodicities for Anomaly Detection: Extended. Technical Report ISI-TR-2009-661. USC/Information Sciences Institute. [PDF] Details
  • Gautam Thatte, Urbashi Mitra and John Heidemann 2009. Parametric Methods for Anomaly Detection in Aggregate Traffic. Technical Report ISI-TR-2009-663b. USC/Information Sciences Institute. [PDF] Details
  • Gautam Thatte, Urbashi Mitra and John Heidemann 2009. Parametric Methods for Anomaly Detection in Aggregate Traffic. Technical Report ISI-TR-2009-663. USC/Information Sciences Institute. [PDF] Details
  • John Heidemann and Christos Papadopoulos 2009. Uses and Challenges for Network Datasets. Proceedings of the IEEE Cybersecurity Applications and Technologies Conference for Homeland Security (CATCH) (Washington, DC, USA, Mar. 2009), 73–82. [DOI] [PDF] Details
  • Xue Cai and John Heidemann 2009. Understanding Address Usage in the Visible Internet. Technical Report ISI-TR-2009-656. USC/Information Sciences Institute. [PDF] Details
  • Xinming He, Christos Papadopoulos, John Heidemann, Urbashi Mitra and Usman Riaz 2009. Remote Detection of Bottleneck Links Using Spectral and Statistical Methods. Computer Networks. 53, 3 (Feb. 2009), 279–298. [DOI] [PDF] Details
  • John Heidemann, Yuri Pradkin, Ramesh Govindan, Christos Papadopoulos, Genevieve Bartlett and Joseph Bannister 2008. Census and Survey of the Visible Internet. Proceedings of the ACM Internet Measurement Conference (Vouliagmeni, Greece, Oct. 2008), 169–182. [PDF] Details
  • Xue Cai and John Heidemann 2008. Active Probing to Classify Internet Address Blocks (poster abstract). Proceedings of the ACM SIGCOMM Conference (Seattle, Washington, USA, Aug. 2008), to appear. [PDF] Details
  • Xue Cai and John Heidemann 2008. Active Probing to Classify Internet Address Blocks (poster abstract). Technical Report ISI-TR-2008-653. USC/Information Sciences Institute. [PDF] Details
  • Gautam Thatte, Urbashi Mitra and John Heidemann 2008. Detection of Low-Rate Attacks in Computer Networks. Proceedings of the 11th IEEE Global Internet Symposium (Phoenix, Arizona, USA, Apr. 2008), 1–6. [DOI] [PDF] Details
  • John Heidemann, Yuri Pradkin, Ramesh Govindan, Christos Papadopoulos, Genevieve Bartlett and Joseph Bannister 2008. Census and Survey of the Visible Internet (extended). Technical Report ISI-TR-2008-649b. USC/Information Sciences Institute. [PDF] Details
  • Genevieve Bartlett, John Heidemann, Christos Papadopoulos and James Pepin 2007. Estimating P2P Traffic Volume at USC. Technical Report ISI-TR-2007-645. USC/Information Sciences Institute. [PDF] Details
  • Urbashi Mitra, Antonio Ortega, John Heidemann and Christos Papadopoulos 2006. Detecting and Identifying Malware: A New Signal Processing Goal. IEEE Signal Processing Magazine. 23, 5 (Sep. 2006), 107–111. [PDF] Details
  • Alefiya Hussain, John Heidemann and Christos Papadopoulos 2006. Identification of Repeated Denial of Service Attacks. Proceedings of the IEEE Infocom (Barcelona, Spain, Apr. 2006), to appear. [PDF] Details
  • Xinming He, Christos Papadopoulos, John Heidemann, Urbashi Mitra, Usman Riaz and Alefiya Hussain 2005. Spectral Analysis of Bottleneck Traffic. Technical Report USC-CSD-TR-05-854. University of Southern California Computer Science Department. [PDF] Details
  • Alefiya Hussain, John Heidemann and Christos Papadopoulos 2004. Distinguishing between Single and Multi-source Attacks using Signal Processing. Computer Networks. 46, 4 (Nov. 2004), 479–503. [PDF] Details
  • Xinming He, Christos Papadopoulos, John Heidemann and Alefiya Hussain 2004. Spectral Characteristics of Saturated Links. Technical Report USC-CSD-TR-827. University of Southern California Computer Science Department. [PDF] Details

For related publications, please see the ANT publications web page.

Software

See also the ANT software web page.

Traces

See the ANT traces page.