Unsupervised Ensemble Anomaly Detection Using Time-Periodic Packet Sampling

We propose an anomaly detection method for finding patterns in network traffic that do not conform to legitimate (i.e., normal) behavior. The proposed method trains a baseline model describing the normal behavior of network traffic without using manually labeled traffic data. The trained baseline model is then used as the basis for comparison with the audit network traffic. This anomaly detection works in an unsupervised manner through the use of time-periodic packet sampling, which is used in a manner that differs from its intended purpose: the lossy nature of packet sampling is exploited to extract normal packets from the unlabeled original traffic data. Evaluation using actual traffic traces showed that, for the detection of anomalies regarding TCP SYN packets, the proposed method has false positive and false negative rates comparable to those of a conventional method that uses manually labeled traffic data to train the baseline model. Performance variation due to the probabilistic nature of sampled traffic data is mitigated by ensemble anomaly detection that collectively exploits multiple baseline models in parallel. Alarm sensitivity is adjusted to the intended use by maximum- and minimum-based anomaly detection, which effectively takes advantage of the performance variations among the multiple baseline models. Testing using actual traffic traces showed that the proposed anomaly detection method performs as well as one using manually labeled traffic data and better than one using randomly sampled (unlabeled) traffic data.

Key words: anomaly detection, packet sampling
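As an added illustration of the mechanism the abstract describes, not code from the paper: a constructed packet trace, time-periodic sampling of the unlabeled training traffic, an ensemble of baselines built from staggered sampling phases, and maximum-/minimum-based alarms, with per-packet random sampling alongside for comparison. The SYN-share feature, the 3-sigma threshold rule and all traffic parameters are assumptions of this example.

```python
import random
def make_trace(seconds, syn_rate_extra=0, attack=(400, 410), seed=1):
    """Constructed trace of (timestamp, is_syn): 50 pkt/s background with
    5% SYNs, plus syn_rate_extra SYN/s during the attack interval."""
    rng, pkts = random.Random(seed), []
    for s in range(seconds):
        pkts += [(s + rng.random(), rng.random() < 0.05) for _ in range(50)]
        if attack[0] <= s < attack[1]:
            pkts += [(s + rng.random(), True) for _ in range(syn_rate_extra)]
    return sorted(pkts)

def periodic_sample(pkts, period, phase=0.0):
    """Time-periodic sampling: keep the first packet at or after each tick."""
    out, tick = [], phase
    for ts, syn in pkts:
        if ts >= tick:  # at most one sample per period, however big the burst
            out.append((ts, syn))
            tick += period * (1 + int((ts - tick) // period))
    return out

def random_sample(pkts, rate, seed=7):
    """Per-packet sampling, for comparison: a burst's sample share grows with its size."""
    rng = random.Random(seed)
    return [p for p in pkts if rng.random() < rate]

def train_baseline(sample, window, seconds):
    """Baseline = SYN share p of the sampled (unlabeled) training traffic;
    per-window alarm threshold = p + 3 sigma of a Bernoulli model (assumed rule)."""
    p = sum(syn for _, syn in sample) / len(sample)
    n = len(sample) / (seconds / window)  # mean sampled packets per window
    return p + 3 * (p * (1 - p) / n) ** 0.5

def window_syn_share(sample, window, seconds):
    """Audit feature: SYN share among the sampled packets of each window."""
    syn, tot = [0] * int(seconds / window), [0] * int(seconds / window)
    for ts, s in sample:
        i = int(ts // window)
        tot[i], syn[i] = tot[i] + 1, syn[i] + s
    return [a / b if b else 0.0 for a, b in zip(syn, tot)]

def ensemble_detect(train, audit, period=0.1, n_models=5, window=10, seconds=600):
    """One baseline per sampling phase; returns (max-based, min-based) per-window alarms."""
    votes = []
    for m in range(n_models):
        ph = m * period / n_models  # stagger the sampling phase per model
        thr = train_baseline(periodic_sample(train, period, ph), window, seconds)
        share = window_syn_share(periodic_sample(audit, period, ph), window, seconds)
        votes.append([x > thr for x in share])
    return ([any(v[i] for v in votes) for i in range(len(votes[0]))],   # max: any model fires
            [all(v[i] for v in votes) for i in range(len(votes[0]))])   # min: all models fire
```

With a 10 s SYN burst inside the unlabeled training trace, the periodically sampled baseline stays close to the 5% background SYN share, while the randomly sampled baseline is pulled towards the burst and then misses a milder attack in the audit trace.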
