Discovering Patterns of Interest in IP Traffic Using Cliques in Bipartite Link Streams

TL;DR

This paper presents a method to detect dense, structured IP traffic patterns using bipartite cliques in link streams, effectively identifying anomalous activities like botnets and scans in network data.

Contribution

It introduces a novel approach for discovering bipartite cliques in IP traffic link streams to identify suspicious network behaviors.

Findings

Bipartite cliques effectively detect anomalous IP activities.

Method outperforms existing detection techniques.

Identified patterns correspond to known malicious behaviors.

Abstract

Studying IP traffic is crucial for many applications. We focus here on the detection of (structurally and temporally) dense sequences of interactions, that may indicate botnets or coordinated network scans. More precisely, we model a MAWI capture of IP traffic as a link streams, i.e. a sequence of interactions $(t_1 , t_2 , u, v)$ meaning that devices $u$ and $v$ exchanged packets from time $t_1$ to time $t_2$ . This traffic is captured on a single router and so has a bipartite structure: links occur only between nodes in two disjoint sets. We design a method for finding interesting bipartite cliques in such link streams, i.e. two sets of nodes and a time interval such that all nodes in the first set are linked to all nodes in the second set throughout the time interval. We then explore the bipartite cliques present in the considered trace. Comparison with the MAWILab classification of anomalous IP addresses shows that the found cliques succeed in detecting anomalous network activity.