Using complex network theory for temporal locality in network traffic flows

Abstract Monitoring the interaction behaviors of network traffic flows and detecting unwanted Internet applications and anomalous flows have become more challenging, since many applications obfuscate their network flow by using unregistered port numbers or payload encryption. In this paper, the temporal locality complex network model–TLCN is proposed as a way to monitor, analyze and visualize network flows. In TLCN, the TLCN node/edge filtering mechanisms are provided to describe the interactions of different levels of flows, and a method of temporal locality window determination is designed for constructing an effective TLCN structure to flow interactions. Then, the statistical cha racteristics and dynamic behaviors of the TLCNs are studied to represent the ability of structure representing of TLCN to flow interactions. According to the analysis of TLCN statistical characteristics with different Internet applications, we found that the weak interaction flows prefer to form the small-world TLCN and the strong interaction flows prefer to the scale-free. In the studies of anomaly behaviors of TLCNs, the structure of attacked TLCNs can have a remarkable feature for three attack patterns, and the evolution of TLCNs exhibits a good consistency between TLCN structure and attack process. With the findings of TLCNs, we could develop novel methods for traffic classification and traffic anomaly detection based on flow interaction behaviors.