Understanding and Evaluating the Impact of Sampling on Anomaly Detection Techniques

Androulidakis, Georgios; Chatzigiannakis, Vassilis; Papavassiliou, Symeon; Grammatikou, Mary; Maglaris, Vasilis

doi:10.1109/milcom.2006.302407

Cited by 12 publications

(12 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although some studies reported lower impacts when using flow sampling (e.g., [52,53]), Sampled NetFlow only supports packet sampling (systematic and random) [48]. Androulidakis et al [55] show that systematic sampling is especially problematic when the detection algorithms depend on the observation of a particular packet (e.g., SYN flag). Brauckhoff et al [56] also find that some anomaly detection metrics are more resilient to sampling than others, especially those based on entropy summarizations, and that detection algorithms based on packet and byte counts are less affected than those based on flow counts.…”

Section: Related Workmentioning

confidence: 99%

Analysis of the impact of sampling on NetFlow traffic classification

et al. 2011

View full text Add to dashboard Cite

The traffic classification problem has recently attracted the interest of both network operators and researchers. Several machine learning (ML) methods have been proposed in the literature as a promising solution to this problem. Surprisingly, very few works have studied the traffic classification problem with Sampled NetFlow data. However, Sampled NetFlow is a widely extended monitoring solution among network operators. In this paper we aim to fulfill this gap. First, we analyze the performance of current ML methods with NetFlow by adapting a popular ML-based technique. The results show that, although the adapted method is able to obtain similar accuracy than previous packet-based methods (≈90%), its accuracy degrades drastically in the presence of sampling. In order to reduce this impact, we propose a solution to network operators that is able to operate with Sampled NetFlow data and achieve good accuracy in the presence of sampling.

show abstract

Section: Related Workmentioning

confidence: 99%

Analysis of the impact of sampling on NetFlow traffic classification

et al. 2011

View full text Add to dashboard Cite

show abstract

“…In Reference [27] the impact of three packet sampling techniques (systematic, random n ‐out‐of‐ N , and uniform probabilistic random sampling) that have been proposed in the PSAMP IETF draft [28] on three widely used anomaly detection algorithms was studied and evaluated. The results revealed that systematic sampling does not perform well under low sampling rates when the detection of the attack depends on certain packet characteristics (e.g., TCP flags).…”

Section: Related Work and Discussionmentioning

confidence: 99%

Two‐stage selective sampling for anomaly detection: analysis and evaluation

Androulidakis¹,

Papavassiliou²

2011

Security Comm Networks

Self Cite

View full text Add to dashboard Cite

Sampling has become an essential component of scalable Internet traffic monitoring and anomaly detection. This paper emphasizes on the analysis and evaluation of the impact of two-stage sampling (TSS) techniques on network anomaly detection. Through the positive exploitation of the fact that sampled traffic is an incomplete and simultaneously biased approximation of the underlying traffic trace, we propose and analyze an enhanced two-stage selective sampling approach, where an intelligent flow-based sampling method that focuses on the selection of small flows that are usually the source of malicious traffic, is adopted. The performance evaluation of the impact of TSS on the anomaly detection process is achieved through the use and application of an entropy-based anomaly detection method on a packet trace with data that has been collected from a real operational university campus network. The corresponding results demonstrate that the proposed approach improves and favors anomaly detection effectiveness, while at the same time reduces the number of sampled data, and in most cases achieves to even outperform the corresponding results of the unsampled case.

show abstract

“…Results showed that all sampling algorithms adversely affect both volumetric and portscan anomaly detectors. Similarly, it was shown in [13] that the accuracy of an ADS is dependent on the rate of sampling when flow-based metrics are used. Brauckhoff et al [14] analyzed the volume and feature entropy metrics and showed that packet sampling does not have much impact on volumetric packet counts but can introduce significant bias in flow counts.…”

Section: Related Work and Design Con-straintsmentioning

confidence: 92%

On mitigating sampling-induced accuracy loss in traffic anomaly detection systems

Ali

Haq

Rizvi

et al. 2010

SIGCOMM Comput. Commun. Rev.

View full text Add to dashboard Cite

Real-time Anomaly Detection Systems (ADSs) use packet sampling to realize traffic analysis at wire speeds. While recent studies have shown that a considerable loss of anomaly detection accuracy is incurred due to sampling, solutions to mitigate this loss are largely unexplored. In this paper, we propose a Progressive Security-Aware Packet Sampling (PSAS) algorithm which enables a real-time inline anomaly detector to achieve higher accuracy by sampling larger volumes of malicious traffic than random sampling, while adhering to a given sampling budget. High malicious sampling rates are achieved by deploying inline ADSs progressively on a packet's path. Each ADS encodes a binary score (malicious or benign) of a sampled packet into the packet before forwarding it to the next hop node. The next hop node then samples packets marked as malicious with a higher probability. We analytically prove that under certain realistic conditions, irrespective of the intrusion detection algorithm used to formulate the packet score, PSAS always provides higher malicious packet sampling rates. To empirically evaluate the proposed PSAS algorithm, we simultaneously collect an Internet traffic dataset containing DoS and portscan attacks at three different deployment points in our university's network. Experimental results using four existing anomaly detectors show that PSAS, while having no extra communication overhead and extremely low complexity, allows these detectors to achieve significantly higher accuracies than those operating on random packet samples.

show abstract

Understanding and Evaluating the Impact of Sampling on Anomaly Detection Techniques

Cited by 12 publications

References 9 publications

Analysis of the impact of sampling on NetFlow traffic classification

Analysis of the impact of sampling on NetFlow traffic classification

Two‐stage selective sampling for anomaly detection: analysis and evaluation

On mitigating sampling-induced accuracy loss in traffic anomaly detection systems

Contact Info

Product

Resources

About