A traffic regulation method based on MRA signatures to reduce unwanted traffic from compromised end-user machines

Abstract

Compromised end-user machines are an important source of the unwanted traffic that traverses the Internet. These machines have typically installed in them malicious software that misuses their network resources. Thereby, the packet streams that a compromised machine sends out consists of legitimate and unwanted packets. In this work, we present a traffic regulation method that limits the number of unwanted packets that such machines send to the Internet. The method operates on the time-series representation of a packet stream and it examines the "burstiness" instead of the rate of packets. The method filters out packets from this stream using signatures produced with wavelet-based multi-resolution analysis, along with a similarity measure. We evaluate the proposed method with real traffic traces (i.e., Domain Name System queries from legitimate end-users and e-mail worms) and compare it with a rate limiting method. We show that the method limits the amount of unwanted traffic that a compromised end-user machine sends to the Internet while it has, compared to the rate limiting method, a lower number of legitimate packet drops. © Springer-Verlag Berlin Heidelberg 2012.