Summary: In this paper, we present the design and implementation of a new approach for anomaly detection and classification over high-speed networks. The proposed approach is based first on a data-reduction phase through flow sampling, focusing mainly on short-lived flows. The second step is a random aggregation of descriptors such as the number of SYN packets per flow into two different data structures, the Count-Min Sketch and the Multi-Layer Reversible Sketch. A sequential change-point detection algorithm continuously monitors the sketch cell values, and an alarm is raised if a significant change in a cell value is identified. With an appropriate definition of the combination of IP header fields used to identify one flow, we are able not only to detect an anomaly but also to classify it as DoS, DDoS or flash crowd, network scanning, or port scanning. We validate our framework for anomaly detection on various real-world traffic traces and demonstrate the accuracy of our approach on these real-life case studies. Results from an online implementation of our algorithm over measurements gathered by a DAG sniffing card are very attractive in terms of accuracy and response time. The proposed approach is very effective in detecting and classifying anomalies, and in extracting the culprit flows with a high level of accuracy.
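The pipeline the abstract describes (per-flow SYN counts aggregated into a Count-Min Sketch, a sequential change-point test on each cell, and culprit extraction once a cell alarms) can be illustrated with a small simulation. The code below is an added example, not the paper's implementation or data: sketch dimensions, the CUSUM slack and threshold, the per-bin traffic values, and the choice of destination IP as the flow key are all assumptions. Culprit extraction is also simplified, by re-checking the keys seen in the alarming bin instead of using a Multi-Layer Reversible Sketch.

```python
"""Count-Min Sketch over per-flow SYN counts with a per-cell CUSUM change-point
detector. Added illustration; all parameters and traffic below are constructed."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DEPTH, WIDTH = 3, 64          # d hash rows, w cells per row (assumed sizes)
SLACK, THRESHOLD = 5.0, 50.0  # CUSUM drift allowance k and alarm threshold h (assumed)


def cell_index(row: int, key: str) -> int:
    """One independent hash per row: salt the flow key with the row number."""
    digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % WIDTH


class CountMinSketch:
    """Random aggregation of one per-flow descriptor (here: SYN packets per bin)."""

    def __init__(self) -> None:
        self.table = [[0] * WIDTH for _ in range(DEPTH)]

    def update(self, key: str, count: int) -> None:
        for row in range(DEPTH):
            self.table[row][cell_index(row, key)] += count

    def estimate(self, key: str) -> int:
        # Minimum over rows: collisions can only inflate a cell, never deflate it.
        return min(self.table[row][cell_index(row, key)] for row in range(DEPTH))


@dataclass
class CusumCell:
    """Page's CUSUM on one sketch cell, using an online mean as the reference level."""
    mean: Optional[float] = None
    n: int = 0
    s: float = 0.0

    def observe(self, x: float) -> bool:
        if self.mean is None:            # first sample: establish the reference
            self.mean, self.n = x, 1
            return False
        self.s = max(0.0, self.s + x - self.mean - SLACK)
        self.n += 1
        self.mean += (x - self.mean) / self.n
        return self.s > THRESHOLD


class SketchChangeDetector:
    """Keeps one CUSUM per sketch cell across successive time bins."""

    def __init__(self) -> None:
        self.cells = [[CusumCell() for _ in range(WIDTH)] for _ in range(DEPTH)]

    def process_bin(self, flows: Dict[str, int]) -> List[str]:
        """flows maps flow key -> SYN count for one time bin; returns culprit keys."""
        sketch = CountMinSketch()
        for key, syns in flows.items():
            sketch.update(key, syns)
        alarmed = set()
        for r in range(DEPTH):
            for c in range(WIDTH):
                if self.cells[r][c].observe(sketch.table[r][c]):
                    alarmed.add((r, c))
        # Simplified culprit extraction (assumption, stands in for the reversible
        # sketch): a key from this bin is a culprit only if all d of its cells alarmed.
        return sorted(k for k in flows
                      if all((r, cell_index(r, k)) in alarmed for r in range(DEPTH)))


def constructed_trace() -> List[Dict[str, int]]:
    """Constructed per-bin SYN counts keyed by destination IP (the DoS-style key)."""
    normal = {f"10.0.0.{i}": 2 + (i % 3) for i in range(1, 7)}   # 2..4 SYNs each
    bins = [dict(normal) for _ in range(11)]
    for b in (8, 9, 10):                 # bins 8..10: SYN flood toward one destination
        bins[b]["10.0.0.99"] = 200
    return bins


def run_detection(bins: List[Dict[str, int]]) -> Tuple[Optional[int], List[str]]:
    """Feed bins in order; return the first alarming bin and the culprits it yields."""
    detector = SketchChangeDetector()
    for idx, flows in enumerate(bins):
        culprits = detector.process_bin(flows)
        if culprits:
            return idx, culprits
    return None, []


if __name__ == "__main__":
    bin_idx, culprits = run_detection(constructed_trace())
    print(f"change detected in bin {bin_idx}; culprit destinations: {culprits}")
```

Keying the sketch on destination IP makes a flood toward one host stand out; keying on source IP with a distinct-destination counter instead would surface a scanning host, which is the point the abstract makes about choosing the header-field combination that defines a flow.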
Network and service operators nowadays use probes located in their networks in order to improve their knowledge of traffic evolution. The limited set of managed services such as IPTV enables the use of well-controlled rules for network dimensioning, but this is not the case for traffic originating from the public Internet. Due to the growing success of services delivered by Internet players, close attention to customers' usage is mandatory to make accurate forecasts and avoid future network congestion. The present paper proposes a detailed analysis based on real Internet traffic captured on the fixed (xDSL, FTTH) and mobile networks of the Orange France and Telefónica operators. The Internet traffic profile (traffic evolution over time) for fixed and mobile networks is described. The paper discusses the relation between access technologies and traffic profiles. Additionally, it clarifies how both fixed and mobile residential customers access Internet services. This provides insight into the applications generating the major part of the traffic (i.e. video streaming, peer-to-peer, file downloading, etc.) and into the proportion of traffic generated by the "heavy users".