On Mitigating sampling-induced accuracy loss in traffic anomaly detection systems

Computer Communication Review

Volumn 40, Issue 3, 2010, Pages 4-16

  Ali, Sardar ^a   Ul Haq, Irfan ^a   Rizvi, Sajjad ^a   Rasheed, Naurin ^a   Sarfraz, Unum ^a   Khayam, Ali ^a   Mirza, Fauzan ^a  

^a NATIONAL UNIVERSITY OF SCIENCES AND TECHNOLOGY NUST   (Pakistan)

Author keywords

Anomaly detection; Denial of service (DoS); Packet sampling; Portscan

Indexed keywords

ACCURACY LOSS; ANOMALY DETECTION; ANOMALY DETECTION SYSTEMS; ANOMALY DETECTOR; COMMUNICATION OVERHEADS; DATA SETS; DENIAL OF SERVICE; IN-LINE; INTERNET TRAFFIC; INTRUSION DETECTION ALGORITHMS; LOW COMPLEXITY; MALICIOUS PACKETS; MALICIOUS TRAFFIC; NEXT-HOP; PACKET SAMPLING; PORTSCAN; RANDOM SAMPLING; REALISTIC CONDITIONS; SAMPLED PACKET; SAMPLING RATES; SECURITY-AWARE; TRAFFIC ANALYSIS; TRAFFIC ANOMALIES;

ALGORITHMS; DATA PROCESSING; INTRUSION DETECTION; REAL TIME SYSTEMS;

DETECTORS;

EID: 78649866466     PISSN: 01464833     EISSN: 01464833     Source Type: Conference Proceeding    
DOI: 10.1145/1823844.1823846     Document Type: Conference Paper

References (36)

1. M. S. Kim, H. J. Kang, S. C. Hung, S. H. Chung, and J. W. Hong, A Flow-based Method for Abnormal Network Traffic Detection," IEEE/IFIP NOMS, 2004.
2. A. Lakhina, M. Crovella, and C. Diot, "Mining Anomalies Using Traffic Feature Distributions," ACM SIGCOMM, 2005.
3. Cisco Anomaly Guard Module Homepage, www.cisco.com/en/US/products/ps6235/ .
4. Arbor Networks Peakflow-X Homepage, http://www.arbornetworks.com/en/ peakflow-x.html.
5. Endace NinjaBox Homepage, http://www.endace.com/ninjabox.html.
6. FireEye Homepage, http://www.fireeye.com/.
7. B. Y. Choi, J. Park, and Z. L. Zhang, Adaptive random sampling for total load estimation," IEEE ICC, 2003.
8. N. Duffield, C. Lund, and M. Thorup, Properties and prediction of flow statistics from sampled packet streams," ACM IMC, 2002.
9. N. Duffield, C. Lund, and M. Thorup, Estimating Flow Distributions from Sampled Flow Statistics," ACM SIGCOMM, 2003.
10. N. Hohn and D. Veitch, "Inverting Sampled Traffic," ACM IMC, 2003.
11. J. Mai, A. Sridharan, C. N. Chuah, H. Zang, and T. Ye, "Impact of packet sampling on portscan detection," IEEE J. SAC, 24(12):2285-2298, 2006.
12. J. Mai, C. N. Chuah, A. Sridharan, T. YE, and H. Zang, "Is sampled data sufficient for anomaly detection?" ACM IMC, 2006.
13. G. Androulidakis, V. Chatzigiannakis, S. Papavassiliou, M. Grammatikou, V. Maglaris, "Understanding and Evaluating the Impact of Sampling on Anomaly Detection Techniques," IEEE MILCOM, 2006.
14. D. Brauckhoff, B. Tellenbach, A. Wagner, M. May, A. Lakhina, "Impact of Packet Sampling on Anomaly Detection Metrics," ACM IMC, 2006.
15. Y. Kim, W. C. Lau, M. C. Chuah, and H. J. Chao, "PacketScore: Statistics-based Overload Control against Distributed Denial-of-Service Attacks," IEEE INFOCOM, 2004.
16. P. E. Ayres, H. Sun, and H. J. Chao, "ALPi: A DDoS Defense System for High-Speed Networks," IEEE J. SAC, 24(10):1864-1876, 2006.
17. Y. Gu, A. McCullum, and D. Towsley, "Detecting anomalies in network traffic using maximum entropy estimation," ACM IMC, 2005.
18. S. E. Schechter, J. Jung, and A. W. Berger, "Fast detection of scanning worm infections," RAID, 2004.
19. M. V. Mahoney and P. K. Chan, "PHAD: Packet Header Anomaly Detection for Indentifying Hostile Network Traffic," Technical Report, Florida Tech., CS-2001-4.
20. M. V. Mahoney, "Network traffic anomaly detection based on packet bytes," ACM Symposium on Applied Computing, 2003.
21. C. Estan and G. Varghese, "New Directions in Traffic Measurement and Accounting," ACM SIGCOMM, 2002.
22. N. Duffield, C. Lund, and M. Thorup, "Properties and Prediction of Flow Statistics from Sampled Packet Streams," ACM IMW, 2002.
23. P. Barford, J. Kline, D. Plonka, and A. Ron, "A Signal Analysis of Network Traffic Anomalies," ACM IMW, 2002.
24. J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, "Fast portscan detection using sequential hypothesis testing," IEEE Symp S&P, 2004.
25. A. Sridharan, T. Ye, and S. Bhattacharyya, "Connection Port Scan Detection on the Backbone," IPCC Malware Workshop, 2006.
26. R. Pokrywka, "Reducing False Alarm Rate in Anomaly Detection with Layered Filtering," ICCS, 2008.
27. R. Perdisci, D. Ariu, P. Fogla, G. Giacinto, W. Lee, "McPAD: A multiple classifler system for accurate payload-based anomaly detection", Computer Networks, 2009.
28. L. Huang, X. Nguyen, M. Garofalakis, J. M. Hellerstein, M. I. Jordan, A. D. Joseph, N. Taft, "Communication-Efficient Online Detection of Network-Wide Anomalies," IEEE Infocom, 2007.
29. A. Kumar and J. Xu, "Sketch Guided Sampling-Using On-Line Estimates of Flow Size for Adaptive Data Collection," IEEE INFOCOM, 2006.
30. L. Yuan, C. Chuah, and P. Mohapatra, "ProgME: Towards Programmable Network MEasurement," ACM SIGCOMM, 2007.
31. V. Sekar, M. K. Reiter, W. Willinger, H. Zhang, R. R. Kompella, and D. G. Andersen, "CSAMP: A System for Network-Wide Flow Monitoring," USENIX, 2008.
32. A. Ramachandran, S. Seetharaman, and N. Feamster, "Fast monitoring of traffic subpopulations," ACM IMC, 2008.
33. DARPA Intrusion Detection Data Sets, http://www.ll.mit.edu/mission/ communications/ist/corpora/ideval/data/index.html.
34. LBNL/ICSI Dataset, http://www.icir.org/enterprise-tracing/download.html.
35. Endpoint Dataset, http://www.wisnet.seecs.edu.pk/projects/ENS/DataSets. html.
36. A. B. Ashfaq, M. J. Robert, A. Mumtaz, M. Q. Ali, A. Sajjad, and S. A. Khayam, "A Comparative Evaluation of Anomaly Detectors under Portscan Attacks," RAID, 2008.