Relational network-service clustering analysis with set evidences

Li Pu*, Boi Faltings, Qiang Yang, Derek Hao Hu

*Corresponding author for this work

Research output: Chapter in Book/Conference Proceeding/Report › Conference Paper published in a book › peer-review

Abstract

Network administrators are faced with a large amount of network data that they need to sift through to analyze user behaviors and detect anomalies. Through a network monitoring tool, we obtained TCP and UDP connection records together with additional information about the associated users and software in an enterprise network. Instead of using traditional payload inspection techniques, we propose a method that clusters such network traffic data by using relations between entities so that it can be analyzed for frequent behaviors and anomalies. Relational methods like Markov Logic Networks are able to avoid the feature extraction stage and directly handle multi-relation situations. We extend the common pairwise representation in relational models by adopting set evidence to build a better objective for the network service clustering problem. The automatic clustering process helps the administrator filter out normal traffic in less time and get an abstract overview of open transport-layer ports across the whole network, which is beneficial for assessing network security risks. Experimental results on synthetic and real datasets suggest that our method is able to discover underlying services and anomalies (malware or abused ports) with good interpretations.

Original language: English
Title of host publication: Proceedings of the 3rd ACM Workshop on Artificial Intelligence and Security, AISec '10, Co-located with CCS'10
Pages: 35-44
Number of pages: 10
DOIs
Publication status: Published - 2010
Event: 3rd ACM Workshop on Artificial Intelligence and Security, AISec '10, Co-located with CCS'10 - Chicago, IL, United States
Duration: 4 Jan 2010 to 8 Oct 2010

Publication series

Name: Proceedings of the ACM Conference on Computer and Communications Security
ISSN (Print): 1543-7221

Conference

Conference: 3rd ACM Workshop on Artificial Intelligence and Security, AISec '10, Co-located with CCS'10
Country/Territory: United States
City: Chicago, IL
Period: 4/01/10 to 8/10/10

Keywords

  • Clustering
  • Network service
  • Relational learning
