Spectral Analysis of Network Traffic

Professor John Heidemann - Information Sciences Institute University of Southern California

Spectral analysis can help to find information in any sort of periodic data. Some network traffic has periodic data to it; for example a 100Mb connection with 1500MTU should be sending out packets at 7600Hz.

John's group have been looking into a few different areas.

Classification of DOS attacks between single and multiple attackers is possible. Each attacker is sending with a specific frequency. As you add attackers who are slightly out of sync you you tend to see lower frequencies on the FFT graph become more prominent. Musicians would know this from when two notes are slightly out of tune you will hear 'beats' where the two waves re-enforce. Their work was quite reliably able to classify attacks into single or multiple attackers.

To defeat this attackers would either need to be in sync, which entails global clocks, etc, or to vary the packet rate (you need quite a variety of rate to defeat their heuristics). If you are varying the rate then by definition you are not sending as fast as you can, so there may be some benefit there.

Fingerprinting attacks is also possible. They divide up traffic into segments and keep mean and covariance of the frequencies seen in each segment. You can particularly identify "troops" of people attacking you from these fingerprints. This can be useful for reporting cybercrime, as you need to show you are being targeted. Again defeating fingerprinting means varying your frequencies. The limits are one of network limiting, host limiting and tool limiting. Most attacks don't limit themselves, or give a predictable limiting fingerprint. They are usually written badly so are host limited (i.e. they do so much work sending a packet they can't saturate the link). These fingerprints could be detected under with a range background cross-traffic.

Performance analysis is another area the group has started looking into. The main benefit of using spectral analysis is you don't need to analyse individual data flows and the analysis is stateless. You can see where things are network limited by, for example, looking for spikes around 7600Hz on a 100Mb network. You do need to be careful with the FFT windowing to make sure you are seeing decent results.

Questions Do fingerprints look the same when being attacked from LA as from New York, for example? This is an area for future research. Have they studied wireless networks? No, but others are using these techniques. Could you use a vector of packet sizes and do the FFT on that, ameliorating some of the problems with fuzz at different packet sizes? That is possible area for future research. Should networking students take signal processing courses? Maybe!