Is sampled data sufficient for anomaly detection?

Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC

Volumn , Issue , 2006, Pages 165-176

  Mai, Jianning ^a   Chuah, Chen Nee ^a   Sridharan, Ashwin ^b   Ye, Tao ^b   Zang, Hui ^b  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b Sprint Applied Research & Advanced Technology Labs California   (United States)

Author keywords

Anomaly detection; Portscan; Sampling; Volume anomaly

Indexed keywords

ANOMALY DETECTION; HYPOTHESES TESTING; TRAFFIC ACCOUNTING METHODS; TRAFFIC FEATURES;

ALGORITHMS; DATA REDUCTION; INTERNET PROTOCOLS; NETWORK MANAGEMENT; SAMPLING; TELECOMMUNICATION LINKS;

NETWORK SECURITY;

EID: 34547488856     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1177080.1177102     Document Type: Conference Paper

References (20)

1. Cisco IOS Software NetFlow. http://www.cisco.com/warp/public/732/Tech/ nmp/ netflow/. [2] Juniper Networks: JUNOS 7.2 Software Documentation. http://www.juniper.net/techpubs/software/junos/ junos72/index.html.
2. Snort, http://www.snort.org.
3. P. Barford, J. Kline, D. Plonka, and A. Ron. A Signal Analysis of Network Traffic Anomalies. In Proc. ACM SIGCOMM IMW'02, pages 71-82, Marseille, France, Nov. 2002.
4. P. Barford and D. Plonka. Characteristics of Network TRaffic Flow Anomalies. In Proc. ACM SIGCOMM IMW'01, pages 69-73, San Francisco, CA, USA, Nov. 2001.
5. B.-Y. Choi, J. Park, and Z.-L. Zhang. Adaptive R.andom Sampling for Traffic Load Measurement. In Proc. IEEE International Conference on Communications (ICC'03), Anchorage, Alaska, USA, May 2003.
6. N. Duffield. Sampling for Passive Internet Measurement: A Review. Statistical Science, 19(3):472-498, 2004.
7. N. Duffield, C. Lund, and M. Thorup. Properties and Prediction of Flow Statistics from Sampled Packet Streams. In Proc. ACM SIGCOMM IMW'02, Marseille, France, Nov. 2002.
8. N. Duffield, C. Lund, and M. Thorup. Estimating Flow Distributions from Sampled Flow Statistics. In Proc. ACM SIGCOMM'03, Karlsruhe, Germany, Aug. 2003.
9. C. Estan, K. Keys, D. Moore, and G. Varghese. Building a Better NetFlow. In Proc. of SIGCOMM'04, Portland, Oregon, USA, Aug. 2004.
10. C. Estan and G. Varghese. New Directions in Traffic Measurement and Accounting. In Proc. of SIGCOMM'02, Pittsburgh, Pennsylvania, USA, Aug. 2002.
11. C. Fraleigh, S. Moon, B. Lyles, C. Cotton, M. Khan, D. Moll, R. Rockell, T. Seely, and C. Diot. Packet-Level Traffic Measurements from the Sprint IP Backbone. IEEE Network, 17(6):6-16, November/December 2003.
12. N. Hohn and D. Veitch. Inverting Sampled Traffic. In Proc. ACM SIGCOMM IMC'03, Miami Beach, Florida, USA, Oct. 2003.
13. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan. Fast Portscan Detection Using Sequential Hypothesis Testing. In Proc. of 2004 IEEE Symposium on Security and Privacy, Oakland, CA, USA, May 2004.
14. B. Krishnamurthy, S. Sen, Y. Zhang, and Y. Chen. Sketch-based Change Detection: Methods, Evaluation, and Applications. In Proc. ACM SIGCOMM IMCOS, Miami Beach, Florida, USA, Oct. 2003.
15. A. Lakhina, M. Crovella, and C. Diot. Mining Anomalies Using Traffic Feature Distributions. In Proc. ACM SIGCOMM '05, Philadelphia, PA, USA, Aug. 2005.
16. J. Mai, A. Sridharan, C.-N. Chuah, T. Ye, and H. Zang. Impact of Packet Sampling on Portscan Detection. Technical Report RR06-ATL-043166, Sprint ATL, 2006. (accepted by IEEE JSAC Special Issue on Sampling the Internet).
17. M. Roesch. Snort - Lightweight Intrusion Detection for Networks. In Proc. 1999 USENIX LISA Conference, Seattle, WA, USA, Nov. 1999.
18. A. Sridharan, T. Ye, and S. Bhattacharyya. Connection Port Scan Detection on the Backbone. In Malware Workshop held in conjunction with IPCC, Phoenix, Arizona, USA, April 2006.
19. S. Staniford, J. A. Hoagland, and J. M. McAlerney. Practical automated detection of stealthy portscans. Journal of Computer Security, 10:105-136, 2002.
20. M. Thottan and C. Ji. Anomaly Detection in IP Networks. IEEE Trans, on Signal Processing, 51(8):2191-2204, Aug. 2003.