A Dependency Analysis for Traffic Anomaly Detection

This paper describes an approach to enforce dependencies between network traffic and user activities for anomaly detection. We present a framework and algorithms that analyze user actions and network events on a host according to their dependencies. Discovering these relations is useful in identifying anomalous events on a host that are caused by software flaws or malicious code. To demonstrate the feasibility of user intention-based traffic dependence analysis, we implement a prototype called CR-Miner and perform extensive experimental evaluation of the accuracy, security, and efficiency of our algorithm. The results show that our algorithm can identify user intention-based traffic dependence with high accuracy (average 99.6% for 20 users) and low false alarm rates. Our prototype can successfully detect several pieces of HTTPbased real-world spyware. We show that user intention-based traffic dependency is a safety property along with the corresponding security automaton as defined in Schneider’s EM-enforceable security framework. This formalization demonstrates that dependency enforcement has useful characteristics for practical and scalable deployment.