Mining anomalies using traffic feature distributions

Lakhina, Anukool; CrovellaMark,; DiotChristophe,

doi:10.1145/1090191.1080118

Cited by 501 publications

(407 citation statements)

References 23 publications

Supporting

Mentioning

371

Contrasting

Unclassified

Order By: Relevance

“…Network-Wide class: Represent modules detecting network-wide threats such as probes and worms which cause distribution changes in traffic features that can be observed at high aggregation levels [10]. Therefore, this class monitors aggregate packets/flows and consequently they can be allocated to centralised/core locations where aggregate traffic to multiple destinations can be processed.…”

Section: B Placement Of Security Modules Problemmentioning

confidence: 99%

Resource-aware placement of softwarised security services in cloud data centers

Ali

Anagnostopoulos

Pezaros

2017

2017 13th International Conference on Network and Service Management (CNSM)

View full text Add to dashboard Cite

Abstract-Virtualizing middleboxes as software for Cloud tenants can eliminate the monolithic processing and static deployment of legacy middleboxes and provide an efficient provisioning for security services. However, inefficient managing of the virtualized security services can reduce the gains of Cloud deployment. We propose a resources-efficient placement of the security functions in the infrastructure of a three-tier Cloud DC by modifying the Best-Fit Decreasing algorithm to solve the problem while satisfying the placement resources and traffic constraints.

show abstract

Section: B Placement Of Security Modules Problemmentioning

confidence: 99%

Resource-aware placement of softwarised security services in cloud data centers

Ali

Anagnostopoulos

Pezaros

2017

2017 13th International Conference on Network and Service Management (CNSM)

View full text Add to dashboard Cite

show abstract

“…There is considerable interest in using entropy-based analysis of traffic feature distributions for anomaly detection [49,50]. Entropy-based metrics are tempting since they provide more fine-grained insights into traffic structure than traditional traffic volume analysis.While previous work has illuminated the benefits of using the entropy of different traffic distributions in isolation to detect anomalies, there has been little effort in comprehensively understanding the detection power provided by entropy-based analysis of multiple traffic distribution used in connection with each other.…”

Section: Related Workmentioning

confidence: 99%

Large-scale IP network behavior anomaly detection and identification using substructure-based approach and multivariate time series mining

Zhou

2010

Telecommun Syst

View full text Add to dashboard Cite

In this paper, a substructure-based network behavior anomaly detection approach, called WFS (Weighted Frequent Subgraphs), is proposed to detect the anomalies of a large-scale IP networks. With application of WFS, an entire graph is examined, unusual substructures of which are reported. Due to additional information given by the graph, the anomalies are able to be detected more accurately. With multivariate time series motif association rules mining (MTSMARM), the patterns of abnormal traffic behavior are able to be obtained. In order to verify the above proposals, experiments are conducted and, together with application of backbone networks (Internet2) Netflow data, show some positive results.

show abstract

“…Lakhina et al argue that the distributions of packet features (IP addresses and ports) observed in flow traces reveal both the presence and structure of a wide range of anomalies. Using entropy as a summarization tool to analyze traffic from two backbone networks, they found that it enables highly sensitive detection of a wide range of anomalies, augmenting detections by volume-based methods [8]. Brauckhoff ind that entropy-based summarizations of packet and flow counts are affected less by sampling than volume-based method in large networks [9].…”

Section: Introductionmentioning

confidence: 99%

An Entropy-based Method for Attack Detection in Large Scale Network

Liu

Wang

et al. 2014

INT J COMPUT COMMUN

View full text Add to dashboard Cite

Abstract:Intrusion Detection System (IDS) typically generates a huge number of alerts with high false rate, especially in the large scale network, which result in a huge challenge on the efficiency and accuracy of the network attack detection. In this paper, an entropy-based method is proposed to analyze the numerous IDS alerts and detect real network attacks. We use Shannon entropy to examine the distribution of the source IP address, destination IP address, source threat and destination threat and datagram length of IDS alerts; employ Renyi cross entropy to fuse the Shannon entropy vector to detect network attack. In the experiment, we deploy the Snort to monitor part of Xi'an Jiaotong University (XJTU) campus network including 32 C-class network (more than 4000 users), and gather more than 40,000 alerts per hour on average. The entropy-based method is employed to analyze those alerts and detect network attacks. The experiment result shows that our method can detect 96% attacks with very low false alert rate.

show abstract

Mining anomalies using traffic feature distributions

Cited by 501 publications

References 23 publications

Resource-aware placement of softwarised security services in cloud data centers

Resource-aware placement of softwarised security services in cloud data centers

Large-scale IP network behavior anomaly detection and identification using substructure-based approach and multivariate time series mining

An Entropy-based Method for Attack Detection in Large Scale Network

Contact Info

Product

Resources

About