Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Slides:



Advertisements
Similar presentations
Traffic Dynamics at a Commercial Backbone POP Nina Taft Sprint ATL Co-authors: Supratik Bhattacharyya, Jorjeta Jetcheva, Christophe Diot.
Advertisements

URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
Using Capability to prevent Internet Denial-of-Service attacks  Tom Anderson  Timothy Roscoe  David Wetherall  Offense Team –Khoa To –Amit Saha.
Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan.
1 BGP Anomaly Detection in an ISP Jian Wu (U. Michigan) Z. Morley Mao (U. Michigan) Jennifer Rexford (Princeton) Jia Wang (AT&T Labs)
Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.
 Well-publicized worms  Worm propagation curve  Scanning strategies (uniform, permutation, hitlist, subnet) 1.
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Traffic Engineering With Traditional IP Routing Protocols
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
1 End-to-End Detection of Shared Bottlenecks Sridhar Machiraju and Weidong Cui Sahara Winter Retreat 2003.
Measurement and Monitoring Nick Feamster Georgia Tech.
ANOMALY DETECTION AND CHARACTERIZATION: LEARNING AND EXPERIANCE YAN CHEN – MATT MODAFF – AARON BEACH.
Network Monitoring for Internet Traffic Engineering Jennifer Rexford AT&T Labs – Research Florham Park, NJ 07932
EL 933 Final Project Presentation Combining Filtering and Statistical Methods for Anomaly Detection Augustin Soule Kav´e SalamatianNina Taft.
Monitoring System Monitors Basics Monitor Types Alarms Actions RRD Charts Reports.
Design and Implementation of SIP-aware DDoS Attack Detection System.
Bandwidth DoS Attacks and Defenses Robert Morris Frans Kaashoek, Hari Balakrishnan, Students MIT LCS.
Using Argus Audit Trails to Enhance IDS Analysis Jed Haile Nitro Data Systems
On a New Internet Traffic Matrix (Completion) Problem
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Connect. Communicate. Collaborate A Network Security Service for GÉANT2 (and beyond….) Maurizio Molina, DANTE TNC 08, Brugges, 20 th May 2008.
Connect communicate collaborate Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina.
Session 2 Security Monitoring Identify Device Status Traffic Analysis Routing Protocol Status Configuration & Log Classification.
Dividing the Pizza An Advanced Traffic Billing System An Advanced Traffic Billing System Christopher Lawrence Burke The University of Queensland.
Source-End Defense System against DDoS attacks Fu-Yuan Lee, Shiuhpyng Shieh, Jui-Ting Shieh and Sheng Hsuan Wang Distributed System and Network Security.
Using Measurement Data to Construct a Network-Wide View Jennifer Rexford AT&T Labs—Research Florham Park, NJ
DoWitcher: Effective Worm Detection and Containment in the Internet Core S. Ranjan et. al in INFOCOM 2007 Presented by: Sailesh Kumar.
Assuring Performance of Carrier-Class Networks and Enterprise Contact Centers SP-11: Ensuring Service Quality While Increasing Revenue February 4, 2009.
Connect. Communicate. Collaborate Experiences with tools for network anomaly detection in the GÉANT2 core Maurizio Molina, DANTE COST TMA tech. Seminar.
MonNet – a project for network and traffic monitoring Detection of malicious Traffic on Backbone Links via Packet Header Analysis Wolfgang John and Tomas.
Modeling Worms: Two papers at Infocom 2003 Worms Programs that self propagate across the internet by exploiting the security flaws in widely used services.
Learning Rules for Anomaly Detection of Hostile Network Traffic Matthew V. Mahoney and Philip K. Chan Florida Institute of Technology.
Automatically Generating Models for Botnet Detection Presenter: 葉倚任 Authors: Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel,
Mapping Internet Sensors with Probe Response Attacks Authors: John Bethencourt, Jason Franklin, Mary Vernon Published At: Usenix Security Symposium, 2005.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin In First Workshop on Hot Topics in Understanding Botnets,
Detection of Routing Loops and Analysis of Its Causes Sue Moon Dept. of Computer Science KAIST Joint work with Urs Hengartner, Ashwin Sridharan, Richard.
Trajectory Sampling for Direct Traffic Oberservation N.G. Duffield and Matthias Grossglauser IEEE/ACM Transactions on Networking, Vol. 9, No. 3 June 2001.
Open-Eye Georgios Androulidakis National Technical University of Athens.
1 Figure 10-4: Intrusion Detection Systems (IDSs) HOST IDSs  Protocol Stack Monitor (like NIDS) Collects the same type of information as a NIDS Collects.
Mining Anomalies in Network-Wide Flow Data Anukool Lakhina with Mark Crovella and Christophe Diot NANOG35, Oct 23-25, 2005.
Mining Anomalies Using Traffic Feature Distributions Anukool Lakhina Mark Crovella Christophe Diot in ACM SIGCOMM 2005 Presented by: Sailesh Kumar.
PART3 Data collection methodology and NM paradigms 1.
ASTUTE: Detecting a Different Class of Traffic Anomalies Fernando Silveira 1,2, Christophe Diot 1, Nina Taft 3, Ramesh Govindan 4 1 Technicolor 2 UPMC.
Consensus Extraction from Heterogeneous Detectors to Improve Performance over Network Traffic Anomaly Detection Jing Gao 1, Wei Fan 2, Deepak Turaga 2,
Taming Internet Traffic Some notes on modeling the wild nature of OD flows Augustin Soule Kavé Salamatian Antonio Nucci Nina Taft Univ. Paris VI Sprintlabs.
EE515/IS523: Security 101: Think Like an Adversary Evading Anomarly Detection through Variance Injection Attacks on PCA Benjamin I.P. Rubinstein, Blaine.
1 Modeling, Early Detection, and Mitigation of Internet Worm Attacks Cliff C. Zou Assistant professor School of Computer Science University of Central.
1 Virtual Dark IP for Internet Threat Detection Akihiro Shimoda & Shigeki Goto Waseda University
Automated Worm Fingerprinting Authors: Sumeet Singh, Cristian Estan, George Varghese and Stefan Savage Publish: OSDI'04. Presenter: YanYan Wang.
Effective Anomaly Detection with Scarce Training Data Presenter: 葉倚任 Author: W. Robertson, F. Maggi, C. Kruegel and G. Vigna NDSS
Mapping Internet Sensor With Probe Response Attacks Authors: John Bethencourt, Jason Franklin, and Mary Vernon. University of Wisconsin, Madison. Usenix.
Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.
1 Effective Diagnosis of Routing Disruptions from End Systems Ying Zhang Z. Morley Mao Ming Zhang.
1 CURELAN TECHNOLOGY Co., LTD Flowviewer FM-800A CURELAN TECHNOLOGY Co., LTD
Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering.
1 Monitoring: from research to operations Christophe Diot and the IP Sprintlabs ipmon.sprintlabs.com.
1 Netflow Collection and Aggregation in the AT&T Common Backbone Carsten Lund.
Intrusion Detection using Deep Neural Networks
Jian Wu (University of Michigan)
Network and Services Management
Data collection methodology and NM paradigms
Impact of Packet Sampling on Anomaly Detection Metrics
Northwestern Lab for Internet and Security Technology (LIST) Yan Chen Department of Computer Science Northwestern University.
Detection of Routing Loops and Analysis of Its Causes
Local Worm Detection using Honeypots Justin Miller Jan 25, 2007
Balancing Risk and Utility in Flow Trace Anonymization
Presentation transcript:

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot

3 Anomaly detection in large networks Anomaly detection is complex for large network Network-wide analysis [Lakhina 04] is promising Validated against multiple networks at different time –Abilene 03, Geant 04, Sprint Europe 03 Features impacting the anomaly detection are unknown yet Compare the anomaly observed between two networks

4 Using entropy for anomaly detection Hypothesis : the distribution changes during an anomaly Entropy is a measure of the dispersion of the distribution 1.Minimum if the distribution is concentrated 2.Maximum if the distribution is spread Four features 1.Source IP distribution 2.Destination IP distribution 3.Source Port distribution 4.Destination port distribution Normal During a DOS attack

5 Detecting anomalies Kalman filter method [Soule 05] Method Overview 1.Use a model to predict the traffic 2.Innovation = Prediction error High threshold avoid false positive

6 Collected dataset Abilene and Geant monitoring Collected three month of data 1.BGP 2.IS-IS 3.NetFlow Isolate twenty consecutive days of complete measurement Connected through two peering links SamplingTemporal aggregation Anonymization Abilene1/1005 min11 bits Geant1/ min0 bits

7 Abilene and Geant Use routing information to isolate 1.Traffic from Abilene to Geant 2.Traffic from Geant to Abilene Detect anomalies inside each dataset using the same threshold parameter, but different data- reduction parametes

8 58 anomalies 10 anomalies 14 anomalies 78 anomalies Anomalies detected Compare the anomalies sent versus the anomalies observed 1.Expected for G2A and A 2.Surprising for G and A2G Amount of traffic ? Sampling ? Anonymization ? Threshold ? Method ? Model ?

9 Undetected anomalies Examples of anomalies detected in a network but undetected in the other. 1.Impact of Sampling & Method 2.Impact of customer’s Traffic Mix 3.Impact of anonymization

10 Geant No spike Example 1 : attack over Port 22 Abilene Spike > 8σ Sampling affects the perception of anomaly The effect depends on the type of anomaly

11 Example 2 : Alpha Flow Destination IP entropy Abilene Large file transfer between two hosts Observed in Geant Undetectable in Abilene In this Abilene the traffic is already concentrated by Web traffic The anomaly detectability is impacted by traffic Geant

12 Example 3 : Scan over an IP subnet Attacker doing a subnet scan One source host Multiple destination hosts 1.Concentration of source IP 2.Dispersion of destination IP But we observe concentration in the Destination IP entropy Anonymization can : 1.Help to detect anomalies 2.Impact the anomaly identification

13 Summary First synchronized observation of two networks for anomaly detection Identification of various features impacting anomaly detection 1.Sampling 2.Traffic mix 3.Anonymization Two anomalies are impacted differently by each features What impacts detectability ?

Thanks for listening !

backup

16 Collecting data from two networks GEANT and Abilene connected through two peering links (nov. 05) 20 consecutive days of traffic and routing data from GEANT and Abilene Using a Kalman filter on the entropy of the distribution of IP and ports Entropy increase => spread of the distribution Entropy decrease => concentration in the distribution

17 What impacts the detection of anomalies ? Objective : Identify important elements that influence anomaly detection Understand the source of false negatives Idea : observe the same anomalies on different networks using the same method parameters

18 Previous work – Multiple methods detecting statistical traffic anomalies : o Anomaly a priori o Input data o Complexity o Model type No a priori Netflow records Low complexity Network-wide diagnosis

19 Impact of the anomymization (contd)

20 Power of Network-Wide Analysis Introduced by [Lakhina 04] and [Soule 05] Learn and use natural correlation between links to model expected behavior Pros : 1.Accurately detects small or distributed events 2.False positive rate typically 10% This paper : 1.Understand why some anomalies are not detected Still to be done : 1.“Automatic” method calibration

21 Attacker Victim Power of Network-Wide Analysis Learn and use the existing correlations between flows Attacker Peak rate: 300Mbps; Attack rate ~ 19Mbps/flow Attack found by methods; hard to manually isolate Traffic (# of bytes) Time Figures from [Lakhina 05]

22 Example 3 : Scan over an IP subnet Attacker doing a subnet scan One source host Multiple destination hosts 1.Concentration of source IP 2.Dispersion of destination IP But we observe concentration in the Destination IP entropy Anonymization can : 1.Help to detect anomalies 2.Impact the anomaly identification Source IP entropy Destination IP entropy

23 Two neighbor observation Differences can be explained by: Network Operation Center 1. Sampling rate 2. Anonymization 3. Anomaly detection threshold Customer’s traffic 1.Traffic mix

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.