What's Going On? Learning Communication Rules In Edge Networks

SIGCOMM(2008)

Abstract
Existing traffic analysis tools focus on traffic volume. They identify the heavy-hitters—flows that exchange high volumes of data, yet fail to identify the structure implicit in network traffic—do certain flows happen before, after or along with each other repeatedly over time? Since most traffic is generated by applications (web browsing, email, p2p), network traffic tends to be governed by a set of underlying rules. Malicious traffic such as network-wide scans for vulnerable hosts (mySQLbot) also presents distinct patterns. We present eXpose, a technique to learn the underlying rules that govern communication over a network. From packet timing information, eXpose learns rules for network communication that may be spread across multiple hosts, protocols or applications. Our key contribution is a novel statistical rule mining technique to extract significant communication patterns in a packet trace without explicitly being told what to look for. Going beyond rules involving flow pairs, eXpose introduces templates to systematically abstract away parts of flows thereby capturing rules that are otherwise unidentifiable. Deployments within our lab and within a large enterprise show that eXpose discovers rules that help with network monitoring, diagnosis, and intrusion detection with few false positives.
Keywords
network monitoring, false positive, intrusion detection