Download A Signal Analysis of Network Traffic Anomalies

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
Document related concepts

Network tap wikipedia , lookup

Airborne Networking wikipedia , lookup

IEEE 1355 wikipedia , lookup

UniPro protocol stack wikipedia , lookup

Transcript 
A Signal Analysis of
Network Traffic Anomalies
Paul Barford, Jeffrey Kline, David
Plonka, and Amos Ron
Network Traffic Anomalies
 Failures
and attacks
 Detection part of everyday work for
administrators
 Data derived mainly from two sources

SNMP
• Queries to nodes; mostly counts of activity

IP flows
• More specific than SNMP
Related Work
 Statistical
detection of anomalies
 Past work on malicious (DoS, port scan)
behavior detection
 Flash crowd studies
Data

Analysis based on SNMP and IP data
 Taken from a border router at University of
Wisconsin-Madison
 Flows sampled 1 in 96 packets
 Journal of known anomalies and events was
kept




Network
Attack
Flash
Measurement
Current Practices
 Network
operators use ad hoc methods
 Rely on operator’s personal experience
 Handling SNMP data


Graph network data
Alarms for certain events
 Flow

data handling less mature
Popular tool converts into time-series data
Method
 Wavelet
analysis
 Divides the data into strata
 Low-frequency strata: slow-varying trends
 High-frequency strata: spontaneous
variations
Wavelet Processing
 Analysis/Decomposition


Break down the signal into the strata
Run different filters for the different
frequencies
 Synthesis

Inverse of decomposition
 Wavelet

algorithms
Recombine strata, but filtering out unwanted
data
Cont.
 The
technique used by the authors
synthesizes 3 separate parts of the signal
 Total amount within the parts will be longer
than the actual signal
 L – Captures long term patterns; ideal for
weekly trends
 M – Captures midrange patterns; ideal for
daily trends
 H – High frequency data capture
Anomaly Detection
 Normalize

H- and M- to a variance of 1
Compute local variability of data within a
moving window (3 hours)
 Combine
variability of H- and M Apply thresholding
IMAPIT
 Development
environment for anomaly
detection
 Used the H-, M-, and weights for both to
determine deviation scores
 Anomalies tend to have deviation over 2.0
Characteristics of Ambient Traffic

Need data free of anomalies as a calibration
Flash Crowds

Test data: New Linux release on ftp mirror
Short-lived Anomalies
Discriminator for Short-term
Anomalies
Two DoS Events
Analysis of Network Outage
Deviation Score Evaluation
 Used
logged anomalies as baseline for
evaluation

Of 39 logged anomalies, detected 38
Comparison to Holt-Winters

Holt-Winters is an exponential smoothing algorithm




Uses baseline (intercept), linear trend (slope), and seasonal
trend
Aberrations are detected by detecting a certain amount of data
outside the threshold range within a window
Different from wavelet in that the different strata are
processed separately whereas Holt-Winters is one
prediction function
Compared to an alternative using Holt-Winters algorithm



Holt-Winters detected 37 anomalies
Both missed anomalies would have been detected with a larger
window
Holt-Winters more sensitive
Conclusion
 Performs
comparably to Holt-Winters
 Deviation score detection can be effective
 Learning methods potentially used in the
future
 Study ways of classification
Related documents
Document
Document
+ 4°C 5 times 27% to39% - AXA Corporate Solutions
+ 4°C 5 times 27% to39% - AXA Corporate Solutions
One Decoding Step - University of Wisconsin
One Decoding Step - University of Wisconsin
TARGETTED ANOMALY SCAN
TARGETTED ANOMALY SCAN
Introduction to Database Design
Introduction to Database Design
BASICS OF CONGENITAL ANOMALIES
BASICS OF CONGENITAL ANOMALIES
Network-Wide Traffic Analysis
Network-Wide Traffic Analysis
Belanger OLLI week1 final - Denver Climate Study Group
Belanger OLLI week1 final - Denver Climate Study Group
Esophagus Stomach Duodenum Small intestine Large bowel
Esophagus Stomach Duodenum Small intestine Large bowel
Lab- Magnetics and Seafloor Spreading
Lab- Magnetics and Seafloor Spreading
Summary of the 2014/2015 Asian Winter Monsoon
Summary of the 2014/2015 Asian Winter Monsoon
Anomaly Detection
Anomaly Detection