DocumentCode :
2408858
Title :
Detection of Illicit Network Activities Based on Multivariate Gaussian Fitting of Multi-Scale Traffic Characteristics
Author :
Rocha, Eduardo ; Salvador, Paulo ; Nogueira, António
Author_Institution :
Inst. de Telecomun., Univ. of Aveiro, Aveiro, Portugal
fYear :
2011
fDate :
5-9 June 2011
Firstpage :
1
Lastpage :
6
Abstract :
Methodologies that are able to accurately identify Internet attacks and intrusions are becoming vital to assure secure on-line communications. Such methodologies must be able to act under strict confidentiality restrictions, such as traffic encryption, which are increasingly used in current communication environments. Proposed approaches must be able to analyze the traffic profiles in order to determine if the network is under a security attack or not. In this paper, we propose an approach that was designed to cope with the previously mentioned restrictions and is able to perform a pseudo real-time identification of illicit traffic: by passively analyzing some statistical properties of captured IP traffic, the methodology calculates and analyzes the multi-scale properties of each traffic flow in order to infer multi-dimensional probability distributions for each one of the studied protocols, allowing the analysis of the correlation between the values of several dimensions. By doing this, more exact approximations are inferred, enabling the assignment of unknown traffic to the corresponding protocol and the identification of illicit flows. The results obtained prove that the proposed technique can accurately classify Internet traffic and identify illicit flows on a quasi real-time basis. Besides, the fact that the analysis is performed over statistics that were collected for each traffic flow makes it suitable for scenarios where the packet payload is not accessible.
Keywords :
Gaussian processes; IP networks; Internet; computer network security; protocols; statistical distributions; telecommunication traffic; IP traffic; Internet; illicit network activities; intrusion detection; multiscale traffic characteristics; multivariate Gaussian fitting; online communication security; probability distributions; protocols; security attack; Correlation; Data mining; Gaussian distribution; Internet; Protocols; Security; Stochastic processes;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Communications (ICC), 2011 IEEE International Conference on
Conference_Location :
Kyoto
ISSN :
1550-3607
Print_ISBN :
978-1-61284-232-5
Electronic_ISBN :
1550-3607
Type :
conf
DOI :
10.1109/icc.2011.5962651
Filename :
5962651