Modeling repeating behaviors in packet arrivals: Detection and measurement

With the growing stickiness of the Internet, numerous automated programs running in terminal facilities (e.g., laptops) tend to keep closely connected to the Internet by repetitively interacting with remote services. It is of fundamental importance to study such repeating behaviors of automated programs in areas like traffic engineering and network monitoring. This paper focuses on repeating behaviors in packet arrivals that are of interest, aiming at a hierarchical characterization of packet arrivals, detection methods and quantitative metrics. To this end, we present a structure-oriented characterization of packet arrivals, which reflects the temporal structure of repeating behaviors at different scales. Based on such characterization, a repeating behavior detection method is proposed by leveraging online-learning prediction, and two novel metrics of repeating behaviors are proposed from different aspects. In addition, a denoising method is developed to enhance the noise-tolerant capability of detection and measurement in face of noises. Experimental results based on real-world traces demonstrate the effectiveness of our proposed approaches in automated program behavior detection and behavioral botnet analysis.