Large-Scale Network Traffic Analysis for Estimating the Size of IP Addresses and Detecting Traffic Anomalies - Large Scale and Big Data: Processing and Management

Database Reference

In-Depth Information

queries is at least one order of magnitude more than the clicks, the query traffic is

expected to come from more IPs, which better cover the IP space than the click traf-

fic. Hence, the probability any IP generates traffic on two distinct IP-period is higher

for queries than clicks, which explains the higher query-coverage.

14.5 DETECTING MACHINE-GENERATED ATTACKS

We now describe the IP size distribution filter proposed in [22]. This filter uses the

IP size estimates to detect abusive ad click traffic. It combines several desirable char-

acteristics: it successfully detects fraudulent traffic; it has low complexity and it is

easy to parallelize, making it suitable for large-scale fraud detection; it is based on

a fundamental characteristic of machine-generated traffic, and is thus robust (e.g.,

to DHCP reassignment) and hard to evade; and finally, it does not entail profiling

users individually, but leverages only aggregate statistics. This traffic filter has been

deployed at Google, thanks to its high accuracy.

14.5.1 o bserveD iP s ize D istributions

Different publishers naturally exhibit different empirical IP size distributions.

Figure 14.7 shows two examples of IP size distributions that are typically seen on (1)

a website that receives mainly desktop traffic and (2) a website that receives mainly

mobile traffic. Websites that receive mainly desktop traffic have most of their clicks

coming from IPs with small sizes. This is because typically only a handful of users

share the same IP address. As such, the IP size distribution is highly skewed toward

the left. However, websites receiving mainly mobile traffic have an IP size distribu-

tion exhibiting two distinct modes. This is because mobile users typically access

the Internet either through WiFi IP addresses, which have relatively small sizes, or

through large proxies of mobile carriers, which are shared by numerous users. In

general, different publishers have different IP size distributions depending on both

the type of their services and the type of traffic driven to their websites.

0.4

Desktop trac

Mobile trac

0.3

0.2

0.1

0 0

2

4

6

IP size

8

10 2

14

FIGURE 14.7

Two publishers with different IP size distributions.

Search WWH ::

Custom Search

Home