Using Low-Rate Flow Periodicities for Anomaly Detection: Extended
Source: Colorado State University
As desktops and servers become more complicated, they employ an increasing amount of automatic, non-user initiated communication. Such communication can be good (OS updates, RSS feed readers, and mail polling), bad (keyloggers, spyware, and botnet command-and-control), or ugly (adware or unauthorized peer-to-peer applications). Communication in these applications is often periodic but infrequent, perhaps every few minutes to few hours. This infrequent communication and the complexity of today's systems make these applications difficult for users to detect and diagnose. The authors show that there are several classes of applications that show low-rate periodicity and demonstrate that they are widely deployed on public networks.