Detecting Hidden User Behavior for Network Data Stream

Since hidden user behavior deliberately does not send packets during some time slots, it can easily evade such detection of traditional long-duration flow. To this end, we propose detection of hidden user behavior for network data stream (DUB). The main advantage of our approach is that it can use a flow persistence metric to detect hidden user behavior by a novel data structure. It only takes some simple computing and sets one bit for each sampled flow. Moreover, it can accurately estimate persistence of each flow. Hidden user behavior is detected using the estimated flow persistence by probabilistic counting approach efficiently. Our approach mainly consists of packet preprocessing, flow sampling, persistence estimating, persistent flow detecting. The experiments are conducted on the real network traffic and the testing results show that the proposed method outperforms the related ones in terms of estimation accuracy, detection accuracy and time overhead.