SAFEM: Scalable analysis of flows with entropic measures and SVM

This paper describes a new approach for the detection of large-scale anomalies or malicious events in Netflow records. This approach allows Internet operators, to whom botnets and spam are major threats, to detect large-scale distributed attacks. The prototype SAFEM (Scalable Analysis of Flows with Entropic Measures) uses spatial-temporal Netflow record aggregation and applies entropic measures to traffic. The aggregation scheme highly reduces data storage leading to the viability of using such an approach in an Internet Service Provider network.

[1]  Mark Crovella,et al.  Mining anomalies using traffic feature distributions , 2005, SIGCOMM '05.

[2]  Vyas Sekar,et al.  An empirical evaluation of entropy-based traffic anomaly detection , 2008, IMC '08.

[3]  Dan Schnackenberg,et al.  Statistical approaches to DDoS attack detection and response , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[4]  F. Beck,et al.  Monitoring the Neighbor Discovery Protocol , 2007, 2007 International Multi-Conference on Computing in the Global Information Technology (ICCGI'07).

[5]  Aiko Pras,et al.  An Overview of IP Flow-Based Intrusion Detection , 2010, IEEE Communications Surveys & Tutorials.

[6]  Nasir D. Memon,et al.  NetStore: An Efficient Storage Infrastructure for Network Forensics and Monitoring , 2010, RAID.

[7]  George Varghese,et al.  Building a better NetFlow , 2004, SIGCOMM.

[8]  Radu State,et al.  DANAK: Finding the odd! , 2011, 2011 5th International Conference on Network and System Security.

[9]  Jun Murai,et al.  Characteristics of Denial of Service Attacks on Internet Using AGURI , 2003, ICOIN.

[10]  Jack Koziol Intrusion Detection with Snort , 2003 .

[11]  Radu State,et al.  Machine Learning Approach for IP-Flow Record Anomaly Detection , 2011, Networking.

[12]  Martin May,et al.  FLAME: A Flow-Level Anomaly Modeling Engine , 2008, CSET.

[13]  Abhishek Kumar,et al.  Detection of Super Sources and Destinations in High-Speed Networks: Algorithms, Analysis and Evaluation , 2006, IEEE Journal on Selected Areas in Communications.

[14]  Pere Barlet-Ros,et al.  Portscan Detection with Sampled NetFlow , 2009, TMA.

[15]  Feng Qian,et al.  Botnet spam campaigns can be long lasting: evidence, implications, and analysis , 2009, SIGMETRICS '09.

[16]  Bernhard Plattner,et al.  Entropy based worm and anomaly detection in fast IP networks , 2005, 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise (WETICE'05).

[17]  Dong Xiang,et al.  Information-theoretic measures for anomaly detection , 2001, Proceedings 2001 IEEE Symposium on Security and Privacy. S&P 2001.

[18]  Guofei Gu,et al.  BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection , 2008, USENIX Security Symposium.

[19]  Yakov Rekhter,et al.  An Architecture for IP Address Allocation with CIDR , 1993, RFC.

[20]  Benoit Claise,et al.  Cisco Systems NetFlow Services Export Version 9 , 2004, RFC.

[21]  Radu State,et al.  Digging into IP Flow Records with a Visual Kernel Method , 2011, CISIS.

[22]  T. Holz,et al.  Towards Next-Generation Botnets , 2008, 2008 European Conference on Computer Network Defense.