Flow-level Anomaly Detection: Blessing or Curse?

Is flow-level anomaly detection a blessing because of excellent detection rates, or a curse because of high false positive rates? To date, we cannot answer this question, for two main reasons. First, we still do not understand in full detail the flow-level characteristics and frequency of benign and malicious anomalies. Second, we have no means of assessing the power of flow-level anomaly detection in terms of false positives and false negatives. With our work, we aim to come a bit closer to an answer. We base our work on a comprehensive three-year data set of unsampled NetFlow records from a medium-sized Swiss backbone network. From this data set, we extract flow-level characteristics of prevalent types of anomalies. Having this anomaly database, we develop a methodology for injecting realistic and versatile anomalies into given background traffic. The result of our work is a tool for challenging and training flow-level anomaly detection systems.
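To make the methodology in the abstract concrete, here is an added example that is not the paper's tool, data or detector: constructed NetFlow-like records stand in for the background traffic, a fan-out anomaly (one source contacting many distinct destinations in one time bin) is injected at a known position, and a simple threshold detector on the assumed feature "largest number of distinct destinations per source per bin" is scored against the ground truth that injection provides. The feature, the threshold rule and the anomaly shape are assumptions for illustration.

```python
import random
from collections import defaultdict

# Constructed stand-in for unsampled NetFlow records: (minute_bin, src_ip, dst_ip, dst_port).
def make_background(minutes=10, flows_per_min=200, seed=7):
    rng = random.Random(seed)
    return [(m, f"10.0.{rng.randint(0, 3)}.{rng.randint(1, 50)}",
             f"198.51.100.{rng.randint(1, 200)}", rng.choice((53, 80, 443)))
            for m in range(minutes) for _ in range(flows_per_min)]

def inject_fanout(flows, minute, src, n_dsts, dport=445):
    """Return flows plus one constructed anomaly: `src` contacts n_dsts distinct hosts in one bin.
    n_dsts is the knob that makes the injected anomaly loud or subtle."""
    return flows + [(minute, src, f"203.0.113.{i}", dport) for i in range(1, n_dsts + 1)]

def max_fanout_per_bin(flows):
    """Assumed flow-level feature: per bin, the largest number of distinct destinations
    contacted by any single source."""
    seen = defaultdict(set)                      # (bin, src) -> {dst, ...}
    for m, src, dst, _ in flows:
        seen[(m, src)].add(dst)
    fanout = defaultdict(int)
    for (m, src), dsts in seen.items():
        fanout[m] = max(fanout[m], len(dsts))
    return dict(fanout)

def calibrate(background, k=3.0):
    """Learn a threshold from anomaly-free background: mean + k * population std-dev."""
    vals = list(max_fanout_per_bin(background).values())
    mu = sum(vals) / len(vals)
    sd = (sum((v - mu) ** 2 for v in vals) / len(vals)) ** 0.5
    return mu + k * sd

def detect(flows, threshold):
    """Flag every bin whose feature exceeds the calibrated threshold."""
    return {m for m, f in max_fanout_per_bin(flows).items() if f > threshold}

def evaluate(flagged, truth):
    """Ground truth is known exactly because the anomalies were injected by us."""
    return {"tp": len(flagged & truth), "fp": len(flagged - truth), "fn": len(truth - flagged)}

def run_trial(n_dsts, minute=4, src="10.0.9.9"):
    background = make_background()
    threshold = calibrate(background)
    test_traffic = inject_fanout(background, minute, src, n_dsts)
    return evaluate(detect(test_traffic, threshold), {minute})

if __name__ == "__main__":
    print("loud anomaly  :", run_trial(300))   # tp=1, fp=0, fn=0
    print("subtle anomaly:", run_trial(2))     # tp=0, fp=0, fn=1 (missed)
```

Varying n_dsts sweeps the anomaly from obvious to subtle, which is how an injection tool exposes the false-negative side of a detector that a clean background alone never shows.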