14.6 RELATED WORK
This chapter is based on work on characterizing the behavior of IPs, traffic anomaly
detection, and detecting abusive clicks.
14.6.1 Characterizing the Behavior of IPs
The work discussed in this chapter complements the work on characterizing the
behavior of IPs [1,4,7,27,28]. The use of traceroute data and the geographic mappings
of IPs were explored in [7] to study the geographic properties of IP prefixes, while
[27,28] focused on identifying dynamic IPs for email spam filtering.
The work that is most related to estimating sizes of IPs deals with counting the
hosts behind NAT devices [1,4]. The work in [1] presented a technique for counting
the hosts behind a NAT using the IPid field. The technique relies on the host operating
system sequentially incrementing the IPid field for each successive packet.
However, in modern operating systems, IPid is not incremented sequentially.
The focus of [4] was identifying middle-boxes and classifying them as NAT devices
and proxies by learning the internal IPs of the hosts using active web content.
However, this technique underestimates the sizes by the ratio of users not collaborating
with the research effort. It also fails if a NAT box has a hierarchy of NAT devices
behind it, where collisions, and hence underestimation, can happen.
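
The IPid counting idea described above, as an added example that is not code from [1] or from this chapter: it chains IPid values that advance by small steps into per-host counters, then shows why the estimate breaks once IPids stop being sequential. The thresholds MAX_GAP, MAX_IDLE and MIN_LEN, the function names, and both traces are assumptions constructed for illustration.

```python
"""Added example: estimate hosts behind a NAT by chaining IPid values."""

MOD = 1 << 16     # IPid is a 16-bit header field, so counters wrap at 65536
MAX_GAP = 64      # assumed: largest forward jump still credited to one host
MAX_IDLE = 5.0    # assumed: seconds of silence before a chain goes stale
MIN_LEN = 3       # assumed: shorter chains are discarded as noise


def count_hosts(packets, min_len=MIN_LEN):
    """packets: (timestamp, ipid) pairs observed from one public address."""
    chains = []  # each chain is [last_ipid, last_seen, length]
    for ts, ipid in sorted(packets):
        best, best_gap = None, MAX_GAP + 1
        for chain in chains:
            gap = (ipid - chain[0]) % MOD          # wrap-aware forward distance
            if 0 < gap < best_gap and ts - chain[1] <= MAX_IDLE:
                best, best_gap = chain, gap
        if best is None:
            chains.append([ipid, ts, 1])           # no counter fits: new host
        else:
            best[0], best[1], best[2] = ipid, ts, best[2] + 1
    return sum(1 for c in chains if c[2] >= min_len)


def sequential_trace(starts, n=20):
    """Constructed sample: each host increments its own counter per packet."""
    return [(i * 0.1 + h * 0.01, (start + i) % MOD)
            for h, start in enumerate(starts) for i in range(n)]


def scattered_trace(n=60):
    """Constructed sample: non-sequential IPids, standing in for a modern OS."""
    return [(k * 0.03, (k * 7919) % MOD) for k in range(n)]


if __name__ == "__main__":
    seq = sequential_trace([100, 30000, 65530])    # third host wraps past 65535
    print("sequential:", count_hosts(seq))
    print("scattered, filtered:", count_hosts(scattered_trace()))
    print("scattered, unfiltered:", count_hosts(scattered_trace(), min_len=1))
```

With sequential counters the three constructed hosts are recovered; with the scattered trace the same volume of traffic yields no usable chain, or one chain per packet if the length filter is dropped.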
14.6.2 Traffic Anomaly Detection
In the wide area of anomaly detection, [5] represents a recent survey on various categories
of anomaly detection systems. The latter part of the work in this chapter falls
in the category of statistical anomaly detection, where an anomaly can be defined as
an observation that is extremely unlikely to have been generated by the probabilistic
model assumed. In [12], a histogram filter similar in spirit to the IP size histogram
filter is presented. The work discussed in this chapter differs from these two works
in both the problem scope and the approach used to measure deviations and compare
distributions.
14.6.3 Detecting Abusive Click Traffic
The work in [17] classifies the abusive click attacks based on the resources available
at the disposal of the attacker and based on her collaboration with other attackers. On
the other hand, the recent work [14] classifies defense mechanisms against abusive
clicks into three wide categories. Rule-based approaches use a set of rules, often
manually set, to identify abusive clicks based on the occurrence of specific patterns,
for instance, clicks to the same advertisement coming from the same IP at about the
same time. Anomaly-based approaches try to identify clicks that deviate from an
expected distribution. Finally, classifier-based approaches rely on machine learning
methods to label clicks based on the observed feature values. The work on which
this chapter is based falls in the intersection of the last two categories. It uses anomaly-based
detection to identify deviation from the norm.