论文信息 - Progressive Differential Thresholding for Network Anomaly Detection

Progressive Differential Thresholding for Network Anomaly Detection

In this paper, we propose a Progressive Differential Thresholding (PDT) framework for coordinated network anomaly detection. Under the proposed framework, nodes present on a packet's path progressively encode their opinion (malicious or benign) inside a packet. Subsequent nodes on the path use the encoded opinion as side-information to adapt their anomaly detection thresholds and in turn improve their classification accuracies. Accuracy benefits of PDT are evaluated through experimental evaluations of multiple non-proprietary anomaly detectors on a publicly-available attack dataset. These evaluations indicate that, while being distributed and having negligible complexity and communication overheads, the proposed PDT framework provides considerable and consistent improvements in anomaly detection accuracy. We observe upto 54% improvements in ADS detection accuracy while upto 4 times reduction in the false alarm rates.

Syed Ali Khayam | Hassan Khan | Sardar Ali | Muhammad Ahmad

[1] H. Jonathan Chao,et al. ALPi: A DDoS Defense System for High-Speed Networks , 2006, IEEE Journal on Selected Areas in Communications.

[2] Mooi Choo Chuah,et al. Packetscore: statistics-based overload control against distributed denial-of-service attacks , 2004, IEEE INFOCOM 2004.

[3] Donald F. Towsley,et al. Detecting anomalies in network traffic using maximum entropy estimation , 2005, IMC '05.

[4] John Mark Agosta,et al. An adaptive anomaly detector for worm detection , 2007 .

[5] Stuart E. Schechter,et al. Fast Detection of Scanning Worm Infections , 2004, RAID.

[6] Syed Ali Khayam,et al. On achieving good operating points on an ROC plane using stochastic anomaly score prediction , 2009, CCS.

[7] Syed Ali Khayam,et al. A Comparative Evaluation of Anomaly Detectors under Portscan Attacks , 2008, RAID.

[8] Matthew V. Mahoney,et al. Network traffic anomaly detection based on packet bytes , 2003, SAC '03.

[9] Mark Crovella,et al. Distributed Spatial Anomaly Detection , 2008, IEEE INFOCOM 2008 - The 27th Conference on Computer Communications.

[10] Matthew M. Williamson,et al. Throttling viruses: restricting propagation to defeat malicious mobile code , 2002, 18th Annual Computer Security Applications Conference, 2002. Proceedings..

[11] Fauzan Mirza,et al. On mitigating sampling-induced accuracy loss in traffic anomaly detection systems , 2010, CCRV.

[12] Ling Huang,et al. In-Network PCA and Anomaly Detection , 2006, NIPS.