Impact of packet sampling on anomaly detection metrics

Brauckhoff, Daniela; Tellenbach, Bernhard; Wagner, Arno; May, Martin; Lakhina, Anukool

doi:10.1145/1177080.1177101

Cited by 172 publications

(135 citation statements)

References 20 publications

Supporting

Mentioning

132

Contrasting

Order By: Relevance

“…Androulidakis et al [55] show that systematic sampling is especially problematic when the detection algorithms depend on the observation of a particular packet (e.g., SYN flag). Brauckhoff et al [56] also find that some anomaly detection metrics are more resilient to sampling than others, especially those based on entropy summarizations, and that detection algorithms based on packet and byte counts are less affected than those based on flow counts.…”

Section: Related Workmentioning

confidence: 99%

Analysis of the impact of sampling on NetFlow traffic classification

et al. 2011

View full text Add to dashboard Cite

The traffic classification problem has recently attracted the interest of both network operators and researchers. Several machine learning (ML) methods have been proposed in the literature as a promising solution to this problem. Surprisingly, very few works have studied the traffic classification problem with Sampled NetFlow data. However, Sampled NetFlow is a widely extended monitoring solution among network operators. In this paper we aim to fulfill this gap. First, we analyze the performance of current ML methods with NetFlow by adapting a popular ML-based technique. The results show that, although the adapted method is able to obtain similar accuracy than previous packet-based methods (≈90%), its accuracy degrades drastically in the presence of sampling. In order to reduce this impact, we propose a solution to network operators that is able to operate with Sampled NetFlow data and achieve good accuracy in the presence of sampling.

show abstract

Section: Related Workmentioning

confidence: 99%

Analysis of the impact of sampling on NetFlow traffic classification

et al. 2011

View full text Add to dashboard Cite

show abstract

“…Several state-of-the-art tools require access to packet payloads, which renders these solutions impractical for this environment. Recent studies [5][6][7] have shown that the accuracy of certain anomaly detection techniques is dramatically affected under sampling.…”

Section: Sampled Netflow Supportmentioning

confidence: 99%

Operational experiences with anomaly detection in backbone networks

Molina

Paredes-Oliva²,

Routly

et al. 2012

Computers & Security

View full text Add to dashboard Cite

Although network security is a crucial aspect for network operators, there are still very few works that have examined the anomalies present in large backbone networks and evaluated the performance of existing anomaly detection solutions in operational environments. The objective of this work is to fill this gap by reporting hands-on experience in the evaluation and deployment of an anomaly detection solution for the GÉANT backbone network. During this process, we analyzed three different commercial tools for anomaly detection and then deployed one of them for several months in the 18 points-of-presence of GÉANT. We first explain the general requirements that an anomaly detection system should satisfy from the point of view of a network operator. Afterwards, we describe the evaluation of the tools and present a study of the anomalies found in a continental backbone network after operationally using the finally deployed tool for half a year. We think that this first hand information can be of great interest to both professionals and researchers working on network security and can also guide future research towards more practical problems faced by network operators.

show abstract

“…This confirms our hypothesis that conditional entropy, capturing dependence between feature pairs, could be a more useful statistic in detecting anomalies. Empirical entropy applied to monitoring of network traffic has been shown to be very useful in detecting changes in its character, as first suggested in [18] and then developed in [17] and other works (e.g., [4], [10], [16], [19], [21], [22]). While possessing the significant advantage of needing few modeling assumptions about what constitutes normal and abnormal traffic, entropy-based methods incur substantial computational cost, which presented an obstacle to their practical adoption.…”

Section: B Detecting Attacks With Conditional Entropymentioning

confidence: 99%

“…The information-theoretic statistic of empirical entropy (or simply entropy) has received a lot of attention in this respect [4], [10], [16], [17], [18], [19], [21], [22]. Computing entropy in the straightforward manner, by maintaining counters to keep track of the distribution histogram, is expensive memory-wise and computationally.…”

Section: Introductionmentioning

confidence: 99%

Distributed monitoring of conditional entropy for anomaly detection in streams

Arackaparambil

Bratus

Brody

et al. 2010

2010 IEEE International Symposium on Parallel &Amp; Distributed Processing, Workshops and PHD Forum (IPDPSW)

View full text Add to dashboard Cite

Abstract-In this work we consider the problem of monitoring information streams for anomalies in a scalable and efficient manner. We study the problem in the context of network streams where the problem has received significant attention.Monitoring the empirical Shannon entropy of a feature in a network packet stream has previously been shown to be useful in detecting anomalies in the network traffic. Entropy is an information-theoretic statistic that measures the variability of the feature under consideration. Anomalous activity in network traffic can be captured by detecting changes in this variability.There are several challenges, however, in monitoring this statistic. Computing the statistic efficiently is non-trivial. Further, when monitoring multiple features, the streaming algorithms proposed previously would likely fail to keep up with the everincreasing channel bandwidth of network traffic streams. There is also the concern that an adversary could attempt to mask the effect of his attacks on variability by a mimicry attack disguising his traffic to mimic the distribution of normal traffic in the network, thus avoiding detection by an entropy monitoring sensor. Also, the high rate of false positives is a big problem with Intrusion Detection Systems, and the case of entropy monitoring is no different.In this work we propose a way to address the above challenges. First, we leverage recent progress in sketching algorithms to develop a distributed approach for computing entropic statistics accurately, at reasonable memory costs. Secondly, we propose monitoring not only regular entropy, but the related statistic of conditional entropy, as a more reliable measure in detecting anomalies. We implement our approach and evaluate it with real data collected at the link layer of an 802.11 wireless network.

show abstract

Impact of packet sampling on anomaly detection metrics

Cited by 172 publications

References 20 publications

Analysis of the impact of sampling on NetFlow traffic classification

Analysis of the impact of sampling on NetFlow traffic classification

Operational experiences with anomaly detection in backbone networks

Distributed monitoring of conditional entropy for anomaly detection in streams

Contact Info

Product

Resources

About