An anomaly detection procedure is defined and its statistical performance is carefully quantified. It is based on a non-Gaussian modeling of the marginal distributions of random projections (sketches) of traffic aggregated jointly at different levels (multiresolution). To evaluate false negatives against false positives in a controlled, reproducible and documented framework, we apply the detection procedure to traffic time series from our self-made anomaly database, obtained by performing DDoS-type attacks, using real-world attack tools, over a real operational network. We also illustrate that combining sketches enables us to identify the target IP destination address and the faulty packets, hence opening the way to attack mitigation.

1 Motivations and Contributions

Motivations. The Internet is becoming the major and universal communication network. It supports an increasing number of activities of continuously evolving nature, ranging from on-line games, video on demand or IP telephony to web browsing or file exchange. This implies accommodating the circulation of data of very different natures (text, images, sound, ...), with wide variations in their characteristics (file sizes, ...) and with demanding and potentially antagonistic constraints and requirements (real-time, acceptable delays or loss rates, security levels, confidentiality levels, tariffs, ...). These many sources of diversity result in Internet traffic flows that naturally exhibit huge fluctuations around putative average behaviors. On top of this inherent large variability, non-stationarities are potentially superimposed, such as seasonal effects (days, nights, weekends, ...) or events that are harder to describe and burstier in nature (flash crowds, ...). Accompanying
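As an added illustration of the sketch-based, multiresolution detection and target identification sketched in the abstract (this is example code written for this page, not the paper's own implementation), the following Python script hashes destination addresses into K independent sketches, counts packets per bucket at three aggregation levels, flags buckets whose counts leave their reference behavior, and then intersects the flagged buckets across the K hash functions to recover the attacked destination and the packets attributed to it. The packet trace is constructed (a synthetic flood on one host), the hash functions are salted SHA-256 stand-ins for the k-universal families used in sketch work, and the per-bucket z-score is a simplified stand-in for the paper's non-Gaussian marginal model; all names, parameters and thresholds are assumptions.

```python
import hashlib
import random
import statistics
from collections import defaultdict

K, M = 4, 16          # number of hash functions, buckets per hash function (assumed)
LEVELS = (1, 2, 4)    # aggregation factors: bins of delta, 2*delta, 4*delta


def make_trace(seed=7, duration=64, n_hosts=40, target="10.0.0.77",
               attack_start=48, attack_end=56, attack_rate=60):
    """Constructed packet trace (time_s, dst_ip), not real traffic: each of n_hosts
    receives 3..8 packets/s; the target is flooded with attack_rate extra packets/s
    for attack_start <= t < attack_end."""
    rng = random.Random(seed)
    hosts = [f"10.0.0.{i}" for i in range(1, n_hosts + 1)]
    packets = []
    for t in range(duration):
        for host in hosts:
            packets.extend((t + rng.random(), host) for _ in range(rng.randint(3, 8)))
        if attack_start <= t < attack_end:
            packets.extend((t + rng.random(), target) for _ in range(attack_rate))
    packets.sort()
    return packets


def bucket(dst, k, m=M):
    """Random projection: hash function k maps a destination to one of m buckets.
    A salted SHA-256 stands in for a proper k-universal hash family (assumption)."""
    digest = hashlib.sha256(f"{k}:{dst}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % m


def sketch(packets, delta=1.0, n_bins=64):
    """counts[k][m][b] = packets in time bin b (width delta) whose dst falls in bucket m under h_k."""
    counts = [[[0] * n_bins for _ in range(M)] for _ in range(K)]
    for t, dst in packets:
        b = int(t // delta)
        if b < n_bins:
            for k in range(K):
                counts[k][bucket(dst, k)][b] += 1
    return counts


def aggregate(series, factor):
    """Coarser resolution: sum each run of `factor` consecutive bins."""
    n = len(series) - len(series) % factor
    return [sum(series[i:i + factor]) for i in range(0, n, factor)]


def detect(counts, ref_bins=32, threshold=5.0):
    """Return {fine_bin: {k: set(flagged buckets)}} for bins after the reference period.
    A bucket is flagged when, at any resolution, its count exceeds the reference mean
    by more than `threshold` reference standard deviations (simplified z-score; the
    paper's non-Gaussian marginal model is not reproduced here)."""
    flagged = defaultdict(lambda: defaultdict(set))
    for k in range(K):
        for m in range(M):
            for f in LEVELS:
                agg = aggregate(counts[k][m], f)
                ref = agg[: ref_bins // f]                      # assumed attack-free period
                mu, sigma = statistics.fmean(ref), max(statistics.pstdev(ref), 1.0)
                for i in range(ref_bins // f, len(agg)):
                    if (agg[i] - mu) / sigma > threshold:
                        for b in range(i * f, (i + 1) * f):      # coarse bin -> fine bins
                            flagged[b][k].add(m)
    # a bin counts as anomalous only if every hash function saw an anomalous bucket
    return {b: fl for b, fl in flagged.items() if len(fl) == K}


def identify(packets, flagged, delta=1.0):
    """Combine the K sketches: a destination is a candidate target only if its bucket is
    flagged under every hash function. Returns (candidate IPs, packets attributed to them)."""
    candidates, suspect = set(), []
    for t, dst in packets:
        fl = flagged.get(int(t // delta))
        if fl and all(bucket(dst, k) in fl[k] for k in range(K)):
            candidates.add(dst)
            suspect.append((t, dst))
    return candidates, suspect


def run(seed=7):
    packets = make_trace(seed)
    flagged = detect(sketch(packets))
    candidates, suspect = identify(packets, flagged)
    return sorted(flagged), candidates, len(suspect)


if __name__ == "__main__":
    bins, targets, n = run()
    print("flagged bins:", bins)
    print("candidate target(s):", targets, "suspect packets:", n)
```

The intersection step is what makes the inversion cheap: a single sketch only says "some destination in bucket m is anomalous", but a destination that lands in a flagged bucket under all K independent hash functions is, with probability about (1/M)^K per innocent host, the one actually under attack. Lowering the threshold or shortening the reference period trades false negatives for false positives, which is exactly the curve the paper evaluates on its attack database.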