A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin – Madison Summer, 2002.
2 Motivation
Traffic anomalies are a fact of life in computer networks
  – Outages, attacks, etc.
Anomaly detection and identification is challenging
  – Operators typically monitor by eye using SNMP or IP flows. Obviously, this does not scale!
  – Simple thresholding is ineffective
  – Some anomalies are obvious, others are not
Characteristics of anomalous behavior in IP traffic are not well understood
  – Do the same types of anomalies have the same characteristics?
  – Can characteristics be effectively used in detection systems?

3 Introduction
Objective: Improve our understanding of network traffic anomalies
Approach: Wavelet analysis of a data set that includes IP flow data, SNMP data and a catalog of observed anomalies
Method: Integrated Measurement Analysis Platform for Internet Traffic (IMAPIT)
Results: We demonstrate how anomalies can be exposed using wavelets and develop a new method for exposing short-lived events

4 Related Work
Network traffic characterization
  – e.g. Caceres89, Leland93, Paxson97, Zhang01: focus on typical behavior
  – Abry98 uses wavelets to analyze LRD (long-range dependent) traffic
Fault and anomaly detection techniques
  – e.g. Feather93, Brutlag00: focus on thresholds and time series models
  – e.g. Paxson99: rule-based tool for intrusion detection
  – e.g. Moore01: backscatter technique can be used to identify DoS attacks
  – e.g. Huang01: wavelet-based approach to detecting network performance problems

5 Simple Network Management Protocol
SNMP is the standard protocol for monitoring/managing networked systems
SNMP defines a set of MIB (management information base) data exported from routers
  – RFC2863
We sample the High Capacity Interface counters using MRTG (Multi-Router Traffic Grapher) at 5 minute intervals
  – Archive byte and packet traffic in each direction
  – 64-bit counters on each of 15 WAN links
SNMP count precision is yet to be determined…

6 IP Flows
An IP Flow is defined as a unidirectional series of packets between a source/destination IP/port pair over a period of time
  – Exported by Lightweight Flow Accounting Protocol (LFAP) enabled routers (Cisco's NetFlow, Juniper cflowd flow export)
We use FlowScan [Plonka00] to collect and post-process IP flow data collected at 5 minute intervals
  – Combines flow collection engine, database, visualization tool
  – Provides a near real-time visualization of network traffic
  – Breaks down traffic into well known services or applications
Flow record fields: {SRC_IP/Port, DST_IP/Port, Pkts, Bytes, Start/End Time, TCP Flags, IP Prot …}

7

8 Our Approach to Data Gathering
Consider anomalies in IP flow and SNMP data
  – Collected at UW border router (Juniper M10)
  – Archive of ~6 months worth of data (packets, bytes, flows)
  – Includes catalog of anomalies (after-the-fact analysis)
Group observed anomalies into four categories
  – Network anomalies (41): steep drop-offs in service followed by quick return to normal behavior
  – Flash crowd anomalies (4): steep increase in service followed by slow return to normal behavior
  – Attack anomalies (46): steep increase in flows in one direction followed by quick return to normal behavior
  – Measurement anomalies (18): short-lived anomalies which are not network anomalies or attacks

9 Our Approach to Analysis
Wavelets provide a means for describing time series data that considers both frequency and time
  – Particularly useful for characterizing data with sharp spikes and discontinuities
  – More robust than Fourier analysis, which only shows what frequencies exist in a signal
  – Tricky to determine which wavelets provide the best resolution of signals in data
We use tools developed at UW which together make up IMAPIT
  – FlowScan software
  – The IDR Framenet software

10 Our Wavelet System
After evaluating different candidates we selected a wavelet system called Pseudo Splines (4,1) Type 2
  – A framelet system developed by Daubechies et al. '00
  – Very good frequency localization properties
Three output signals are extracted from the input
  – Low Frequency (L): synthesis of all wavelet coefficients from level 9 and up
  – Mid Frequency (M): synthesis of wavelet coefficients at levels 6, 7, 8
  – High Frequency (H): synthesis of wavelet coefficients at levels 1 to 5
Thresholding (set to zero all coefficients whose absolute value is below a threshold) is used on these coefficients

11 Ambient IP Flow Traffic

12 Ambient SNMP Traffic

13 Byte Traffic for Flash Crowd

14 Average Packet Size for Flash Crowd

15 Flow Traffic During DoS Attacks

16 Byte Traffic During Measurement Anomalies

17 Anomaly Detection via Deviation Score
We develop an automated means for identifying short-lived anomalies based on variability in the H and M signals
  1. Compute local variability (using a specified window) of the H and M parts of the signal
  2. Combine local variability of the H and M signals (using a weighted sum) and normalize by total variability to get deviation score V
  3. Apply threshold to V, then measure peaks
Our analysis shows that V peaks over 2.0 indicate short-lived anomalies with high confidence
  – We threshold at V = 1.25 and set window size to ~3 hours
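The deviation-score procedure on this slide, as an added Python example (not the authors' IMAPIT code): it assumes the H and M parts have already been produced by the wavelet step and stands in constructed Gaussian-noise signals with one injected one-hour burst, then applies a 36-bin (~3 hour at 5-minute sampling) window, the slide's 1.25 threshold, and two assumptions of mine, equal H/M weights and variance as the variability measure, and reports the maximum V of each run above threshold as a peak.

```python
import random
from statistics import pvariance

WINDOW = 36        # 5-minute bins, so ~3 hours, as on the slide
THRESHOLD = 1.25   # V threshold used on the slide

def local_variability(signal, window):
    """Variance of every window-length slice; one value per window start."""
    return [pvariance(signal[i:i + window]) for i in range(len(signal) - window + 1)]

def deviation_score(h, m, window=WINDOW, w_h=1.0, w_m=1.0):
    """Weighted sum of local H and M variability, normalized by total variability (assumed: variance, equal weights)."""
    if len(h) != len(m) or len(h) < window:
        raise ValueError("H and M must be equal length and at least one window long")
    total = w_h * pvariance(h) + w_m * pvariance(m)
    if total == 0:                       # flat signals: no variability to score
        return [0.0] * (len(h) - window + 1)
    lv_h = local_variability(h, window)
    lv_m = local_variability(m, window)
    return [(w_h * a + w_m * b) / total for a, b in zip(lv_h, lv_m)]

def find_peaks(v, threshold=THRESHOLD):
    """(window index, V) of the maximum within each contiguous run where V exceeds threshold."""
    peaks, best = [], None
    for i, val in enumerate(v):
        if val > threshold:
            if best is None or val > best[1]:
                best = (i, val)
        elif best is not None:
            peaks.append(best)
            best = None
    if best is not None:
        peaks.append(best)
    return peaks

def constructed_signals(n=576, burst_at=300, burst_len=12, seed=1):
    """Constructed stand-in for H and M (two days of 5-minute bins): Gaussian noise
    plus one short alternating-sign burst mimicking a one-hour spike."""
    rng = random.Random(seed)
    h = [rng.gauss(0.0, 1.0) for _ in range(n)]
    m = [rng.gauss(0.0, 0.5) for _ in range(n)]
    for k, i in enumerate(range(burst_at, burst_at + burst_len)):
        sign = 1.0 if k % 2 == 0 else -1.0
        h[i] += sign * 15.0
        m[i] += sign * 6.0
    return h, m
```

With the constructed input, only the windows overlapping the burst score above 1.25, and the peak (well above the slide's 2.0 confidence level) falls in a window that contains the whole burst.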

18 Deviation Score for Three Anomalies

19 Deviation Score for Network Outage

20 Anomalies in Aggregate Signals

21 Hidden Anomalies in Low Frequency

22 Deviation Score Evaluation
How effective is the deviation score at detecting anomalies?
  – Compare versus a set of 39 anomalies: the set is unlikely to be complete, so we don't treat false positives
  – Compare versus Holt-Winters Forecasting: a sophisticated time series technique that requires some configuration
Holt-Winters reported many more positives and sometimes oscillated between values
Table columns: Total Candidate Anomalies | Candidates detected by Deviation Score | Candidates detected by Holt-Winters

23 Conclusion and Next Steps
We present an evaluation of signal characteristics of network traffic anomalies
  – Using IP flow and SNMP data collected at the UW border router; 106 anomalies have been grouped into four categories
  – IMAPIT developed to apply wavelet analysis to data
  – Deviation score developed to automate anomaly detection
Results
  – Characteristics of anomalies exposed using different filters and data
  – Deviation score is an effective detection method
Future
  – Development of anomaly classification methods
  – Application of results in (distributed) detection systems