Distributed, multi-level network anomaly detection for datacentre networks

Over the past decade, numerous systems have been proposed to detect and subsequently prevent or mitigate security vulnerabilities. However, many existing intrusion or anomaly detection solutions are limited to a subset of the traffic due to scalability issues, and hence fail to operate at line rate on large, high-speed datacentre networks. In this paper, we present a two-level solution for anomaly detection that leverages independent execution and message-passing semantics. We employ these constructs within a network-wide distributed anomaly detection framework that allows for greater detection accuracy and bandwidth cost savings through attack path reconstruction. Experimental results using real operational traffic traces and known network attacks generated through the Pytbull IDS evaluation framework show that our approach is capable of detecting anomalies in a timely manner while allowing reconstruction of the attack path, hence further enabling the composition of advanced mitigation strategies. The resulting system shows high detection accuracy when compared to similar techniques, at least 20% better at detecting anomalies, and enables full path reconstruction even at small-to-moderate attack traffic intensities (as a fraction of the total traffic), saving up to 75% of bandwidth due to early attack detection.
