Impact of Packet Sampling on Anomaly Detection Metrics


Impact of Packet Sampling on Anomaly Detection Metrics
Daniela Brauckhoff*, Bernhard Tellenbach*, Arno Wagner*, Anukool Lakhina**, Martin May*
*ETH Zurich, **Boston University
IMC '06: Proceedings of the 6th ACM SIGCOMM Conference on Internet Measurement, New York, NY, USA, 2006
Citations: 226
Otto

Motivation
The general opinion about sampling:
- Valuable information is lost
- But it is needed anyway: size constraints, and unsampled NetFlow cannot be obtained from some routers
Interesting questions arise:
- How much information is actually lost?
- Are all anomalies equally affected by sampling?
- Are all detection metrics equally affected by sampling?
- At which sampling rate is a certain anomaly still detectable?
- Can we estimate the original anomaly size from a sampled view?

Article Goal
- Study the impact of packet sampling on:
  - Blaster worm visibility
  - Anomaly detection metrics: bytes, packets, flows, traffic-feature distributions (entropy), others
Dataset
- Unsampled NetFlow records
- One-week capture
- Backbone router of a national ISP
- Known Blaster outbreak in the data

Entropy as a Detection Metric [three figure-only slides; the formulas are not in the transcript]

Used variables [figure-only slide]

Sampling Methodology
- The trace consists of unsampled NetFlow records, so individual packets must first be reconstructed from each flow record:
  - Packet size (bytes): packet_size = flow_size / num_packets, i.e. every packet of a flow gets the flow's average packet size
  - Timestamp: chosen at random within the flow's start and end bounds
- Random packet sampling is then applied at rates of 1 in 10, 100, 250 and 1000
- Caveat: because packet sizes are averaged per flow, a size-based signature only survives the reconstruction for flows whose packets all have the same size (true for the Blaster probes); mixed-size flows are smeared

Baseline Methodology
- One baseline per metric and per sampling rate
- Anomaly detection (AD) algorithms measure the distance between the (predicted) baseline and the (actual) observed metric
- Each AD method uses its own algorithm to build the baseline model
- Here the anomaly is known, so an "ideal baseline" is constructed by removing all Blaster packets from the observed trace; Blaster packets are identified by
  - destination port: TCP 135
  - packet length: 40, 44 or 48 bytes

Baseline Methodology [figure-only slide]

Sampling vs. Baseline: flow counts [figure-only slide]

Sampling vs. Baseline: flow dst IP entropy [figure-only slide]

Sampling Comparison [figure-only slide]

Baselines [figure-only slide]

Anomaly Distance [figure-only slide]

Distance vs. Sampling Rate: During Attack [figure-only slide]

Scaling Methodology
- Blaster packets are identified by destination port, packet size and protocol (TCP)
- Amplification of the Blaster worm: insert new Blaster packets with the same source IP; the destination IP is chosen at random from the SWITCH IP range
- Attenuation of the Blaster worm: randomly discard some of the Blaster packets
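The sampling, baseline and scaling steps described on the three methodology slides above, simulated end to end on constructed data. This is an added example, not the authors' code or dataset: the flow records, the address ranges (10.0.0.0/8 for the background and infected hosts, 192.0.2.0/24 for web servers, 198.51.0.0/16 standing in for the SWITCH target range), the Bernoulli 1-in-N sampling, and the single-bin metrics are all assumptions; only the Blaster signature (TCP destination port 135, 40/44/48-byte packets) and the metric families (bytes, packets, flows, flow dst-IP entropy) are taken from the slides.

```python
"""Simulation of the slides' methodology on constructed data (added example, not
the authors' code): expand NetFlow records into packets, apply random 1-in-N
packet sampling, compute the detection metrics, build the "ideal" baseline by
removing the known Blaster packets, and scale the worm up or down."""
import math
import random
from collections import Counter

# Packet tuple used throughout: (timestamp, src_ip, dst_ip, proto, dst_port, size_bytes)

def _rng(rng):
    """Deterministic default generator so every function is reproducible stand-alone."""
    return rng if rng is not None else random.Random(0)

def make_flows(rng=None, n_background=300, n_blaster=2000):
    """Constructed flow records (src, dst, proto, dport, bytes, packets, start, end).
    Background: web flows to 8 servers. Blaster: one host probing TCP/135 across a /16
    with 40/44/48-byte packets (the signature the slides use). Addresses are assumptions."""
    rng, flows = _rng(rng), []
    for _ in range(n_background):
        pkts, size = rng.randrange(5, 200), rng.randrange(200, 1400)
        flows.append((f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}",
                      f"192.0.2.{rng.randrange(1, 9)}", "tcp", 80, pkts * size, pkts, 0.0, 900.0))
    for _ in range(n_blaster):
        pkts, size = rng.randrange(1, 4), rng.choice((40, 44, 48))
        flows.append(("10.0.1.7", f"198.51.{rng.randrange(256)}.{rng.randrange(256)}",
                      "tcp", 135, pkts * size, pkts, 0.0, 900.0))
    return flows

def expand_flows(flows, rng=None):
    """One tuple per packet: size = flow bytes / packets (average), timestamp uniform in [start, end]."""
    rng, packets = _rng(rng), []
    for src, dst, proto, dport, nbytes, npkts, start, end in flows:
        size = nbytes / npkts
        packets.extend((rng.uniform(start, end), src, dst, proto, dport, size) for _ in range(npkts))
    return packets

def sample_packets(packets, n, rng=None):
    """Random 1-in-N sampling: each packet is kept independently with probability 1/N."""
    rng = _rng(rng)
    return [p for p in packets if rng.random() < 1.0 / n]

def is_blaster(pkt):
    """Blaster identification from the slides: TCP, dst port 135, 40/44/48-byte packets."""
    return pkt[3] == "tcp" and pkt[4] == 135 and pkt[5] in (40, 44, 48)

def entropy(counts):
    """Shannon entropy (bits) of an empirical distribution given as a mapping value -> count."""
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values() if c)

def metrics(packets):
    """The slides' metric families: byte, packet and flow counts plus flow dst-IP entropy.
    A flow is a distinct (src, dst, proto, dport); each flow counts once in the entropy."""
    flows = {(p[1], p[2], p[3], p[4]) for p in packets}
    return {"bytes": sum(p[5] for p in packets), "packets": len(packets), "flows": len(flows),
            "flow_dst_ip_entropy": entropy(Counter(f[1] for f in flows))}

def anomaly_distance(packets):
    """metric(observed) - metric(ideal baseline); the baseline is the same packets minus Blaster."""
    observed = metrics(packets)
    baseline = metrics([p for p in packets if not is_blaster(p)])
    return {k: observed[k] - baseline[k] for k in observed}

def amplify(packets, factor, rng=None, target_prefix="198.51"):
    """Insert (factor-1)*|Blaster| extra Blaster packets: same src IP, port and size as an
    existing Blaster packet, dst IP drawn from the target /16 (stand-in for the SWITCH range)."""
    rng, extra = _rng(rng), []
    blaster = [p for p in packets if is_blaster(p)]
    for _ in range(round((factor - 1) * len(blaster))):
        ts, src, _, proto, dport, size = rng.choice(blaster)
        extra.append((ts, src, f"{target_prefix}.{rng.randrange(256)}.{rng.randrange(256)}",
                      proto, dport, size))
    return packets + extra

def attenuate(packets, keep_fraction, rng=None):
    """Randomly drop Blaster packets (each kept with probability keep_fraction); background untouched."""
    rng = _rng(rng)
    return [p for p in packets if not is_blaster(p) or rng.random() < keep_fraction]

def sweep(seed=1, rates=(1, 10, 100, 1000), factors=(0.25, 1, 4)):
    """Anomaly distance per (scaling factor, sampling rate) on one constructed trace."""
    rng = random.Random(seed)
    base = expand_flows(make_flows(rng), rng)
    out = {}
    for f in factors:
        scaled = amplify(base, f, rng) if f >= 1 else attenuate(base, f, rng)
        for n in rates:
            out[(f, n)] = anomaly_distance(sample_packets(scaled, n, rng))
    return out

if __name__ == "__main__":
    for (f, n), d in sweep().items():
        print(f"blaster x{f:<5} sampling 1/{n:<5}", "  ".join(f"{k}={v:.3g}" for k, v in d.items()))
```

Running `sweep()` prints, for each worm intensity and sampling rate, how far each metric sits from its ideal baseline; the count metrics shrink roughly in proportion to the sampling rate, while the flow dst-IP entropy distance depends on how many distinct scan targets survive sampling, which is the resilience the slides report. Real detectors replace the ideal baseline with a predicted one and compute the metrics per time bin, so this single-bin distance is an upper bound on what a deployed detector sees.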

Scaling [two figure-only slides]

Conclusion
- Some metrics are more resilient to sampling than others
- Flow destination-IP entropy is the most resilient metric for Blaster
Future work
- Other types of anomalies and anomaly intensities
- Other distance metrics
- Different bin sizes
- Further anomaly metrics
- Anomaly detectability at different sampling rates