Presentation is loading. Please wait.

Presentation is loading. Please wait.

Impact of Packet Sampling on Anomaly Detection Metrics

Published byΣωσιγένης Μητσοτάκης Modified over 6 years ago

Similar presentations

Presentation on theme: "Impact of Packet Sampling on Anomaly Detection Metrics"— Presentation transcript:

1 Impact of Packet Sampling on Anomaly Detection Metrics
Daniela Brauckhoff*, Bernhard Tellenbach*, Arno Wagner*, Anukool Lakhina **, Martin May* *ETH Zurich, ** Boston University IMC '06 Proceedings of the 6th ACM SIGCOMM conference on Internet measurement. New York, NY, USA 2006 Citations: 226 Otto

2 Motivation The general opinion about sampling
Valuable information lost Needed anyway Size constraints Cannot get unsampled netflow from some routers Interesting questions arise: How much information is actually lost? Are all anomalies equally affected by sampling? Are all detection metrics equally affected by sampling? At which sampling rate is a certain anomaly still detectable? Can we estimate the original anomaly size from a sampled view? Otto

3 Article Goal Dataset Study impact of packet sampling on Blaster worm
Visibility Anomaly detection metrics Bytes Packets Flows Traffic Features Others Dataset Unsampled Netflow records One week capture Backbone router of a national ISP Known Blaster outbreak in data Otto

4 Article Goal Dataset Study impact of packet sampling on Blaster worm
Visibility Anomaly detection metrics Bytes Packets Flows Traffic Features Others Dataset Unsampled Netflow records One week capture Backbone router of a national ISP Known Blaster outbreak in data Otto

5 Entropy as a Detection Metric
Otto

6 Entropy as a Detection Metric
Otto

7 Entropy as a Detection Metric
Otto

8 Used variables Otto

9 Sampling Metodology For individual packets in the flow trace, determine Packet size (bytes) packet_size = flow_size/num_packets (average packet size) Timestamps timestamp randomly chosen within flow bounds Randomly sample every 10th 100th 250th 1000th Otto

10 Baseline Metodology One baseline per metric and sampling rate
AD algorithms measure distance from (predicted) baseline to (actual) observed metrics Each AD method uses it’s own algorithm to determine the baseline model Anomaly is known Construction of an “ideal baseline” By removing all blaster packets from the observed trace destination port: TCP 135 Length: 40, 44, 48 bytes Otto

11 Baseline Metodology Otto

12 Sampling Baseline flow counts Flow counts Otto

13 Sampling Baseline flow dst IP entropy Flow dst IP entropy Otto

14 Sampling Comparison Otto

15 Baselines Otto

16 Anomaly Distance Otto

17 Distance vs Sampling Rate: During Attack
Otto

18 Scaling Metodology Identification of Blaster packets based on
dst port, packet size, tcp Amplification of the Blaster worm Insertion of new packets Same src IP, and dst IP Random selection from SWITCH IP range Attenuation of the Blaster worm Randomly throwing out of some of the Blaster packets Otto

19 Scaling Otto

20 Scaling Otto

21 Conclusion Some metrics are more resilient to sampling Future work
Flow DST IP entropy is most resilient for Blaster Future work Other types of anomalies, anomaly intensities Other distance metrics Different bin sizes Further anomaly metrics Anomaly detectability at different sampling rates Otto

Download ppt "Impact of Packet Sampling on Anomaly Detection Metrics"

Similar presentations

URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.

URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.
New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.

New Directions in Traffic Measurement and Accounting Cristian Estan – UCSD George Varghese - UCSD Reviewed by Michela Becchi Discussion Leaders Andrew.
ABSTRACT We consider the problem of computing information theoretic functions such as entropy on a data stream, using sublinear space. Our first result.

ABSTRACT We consider the problem of computing information theoretic functions such as entropy on a data stream, using sublinear space. Our first result.
Estimating TCP Latency Approximately with Passive Measurements Sriharsha Gangam, Jaideep Chandrashekar, Ítalo Cunha, Jim Kurose.

Estimating TCP Latency Approximately with Passive Measurements Sriharsha Gangam, Jaideep Chandrashekar, Ítalo Cunha, Jim Kurose.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
Fast, Memory-Efficient Traffic Estimation by Coincidence Counting Fang Hao 1, Murali Kodialam 1, T. V. Lakshman 1, Hui Zhang 2, 1 Bell Labs, Lucent Technologies.

Fast, Memory-Efficient Traffic Estimation by Coincidence Counting Fang Hao 1, Murali Kodialam 1, T. V. Lakshman 1, Hui Zhang 2, 1 Bell Labs, Lucent Technologies.
Centre de Comunicacions Avançades de Banda Ampla (CCABA) Universitat Politècnica de Catalunya (UPC) Identification of Network Applications based on Machine.

Centre de Comunicacions Avançades de Banda Ampla (CCABA) Universitat Politècnica de Catalunya (UPC) Identification of Network Applications based on Machine.
Evaluation of Header Field Entropy for Hash-Based Packet Selection Evaluation of Header Field Entropy for Hash-Based Packet Selection Christian Henke,

Evaluation of Header Field Entropy for Hash-Based Packet Selection Evaluation of Header Field Entropy for Hash-Based Packet Selection Christian Henke,
FLAME: A Flow-level Anomaly Modeling Engine

FLAME: A Flow-level Anomaly Modeling Engine
Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.

Worm Origin Identification Using Random Moonwalks Yinglian Xie, V. Sekar, D. A. Maltz, M. K. Reiter, Hui Zhang 2005 IEEE Symposium on Security and Privacy.
Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.

Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.
Observed Structure of Addresses in IP Traffic CSCI 780, Fall 2005.

Observed Structure of Addresses in IP Traffic CSCI 780, Fall 2005.
Beneficial Caching in Mobile Ad Hoc Networks Bin Tang, Samir Das, Himanshu Gupta Computer Science Department Stony Brook University.

Beneficial Caching in Mobile Ad Hoc Networks Bin Tang, Samir Das, Himanshu Gupta Computer Science Department Stony Brook University.
On the Constancy of Internet Path Properties Yin Zhang, Nick Duffield AT&T Labs Vern Paxson, Scott Shenker ACIRI Internet Measurement Workshop 2001 Presented.

On the Constancy of Internet Path Properties Yin Zhang, Nick Duffield AT&T Labs Vern Paxson, Scott Shenker ACIRI Internet Measurement Workshop 2001 Presented.
Dynamics of Hot-Potato Routing in IP Networks Renata Teixeira (UC San Diego) with Aman Shaikh (AT&T), Tim Griffin(Intel),

Dynamics of Hot-Potato Routing in IP Networks Renata Teixeira (UC San Diego) with Aman Shaikh (AT&T), Tim Griffin(Intel),
1 An Information-theoretic Approach to Network Measurement and Monitoring Yong Liu, Don Towsley, Tao Ye, Jean Bolot.

1 An Information-theoretic Approach to Network Measurement and Monitoring Yong Liu, Don Towsley, Tao Ye, Jean Bolot.
1 An Information Theoretic Approach to Network Trace Compression Y. Liu, D. Towsley, J. Weng and D. Goeckel.

1 An Information Theoretic Approach to Network Trace Compression Y. Liu, D. Towsley, J. Weng and D. Goeckel.
A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.

A Signal Analysis of Network Traffic Anomalies Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron.
1 Network-based Intrusion Detection, Mitigation and Forensics System Yan Chen Department of Electrical Engineering and Computer Science Northwestern University.

1 Network-based Intrusion Detection, Mitigation and Forensics System Yan Chen Department of Electrical Engineering and Computer Science Northwestern University.
R 18 G 65 B 145 R 0 G 201 B 255 R 104 G 113 B 122 R 216 G 217 B 218 R 168 G 187 B 192 Core and background colors: 1© Nokia Solutions and Networks 2014.

R 18 G 65 B 145 R 0 G 201 B 255 R 104 G 113 B 122 R 216 G 217 B 218 R 168 G 187 B 192 Core and background colors: 1© Nokia Solutions and Networks 2014.

Similar presentations

Ads by Google