Practical anomaly detection based on classifying frequent traffic patterns

Detecting network traffic anomalies is crucial for network operators as it helps to identify security incidents and to monitor the availability of networked services. Although anomaly detection has received significant attention in the literature, the automatic classification of network anomalies still remains an open problem. In this paper, we introduce a novel scheme and build a system to detect and classify anomalies that is based on an elegant combination of frequent item-set mining with decision tree learning. Our approach has two key features: 1) effectiveness: it has a very low false-positive rate; and 2) simplicity: an operator can easily comprehend how our detector and classifier operate. We evaluate our scheme using traffic traces from two real networks, namely from the European-wide backbone network of GÉANT and from a regional peering link in Spain. In both cases, we achieve an overall classification accuracy greater than 98% and a false-positive rate of approximately only 1%. In addition, we show that it is possible to train our classifier with data from one network and use it to effectively classify anomalies in a different network. Finally, we have built a corresponding anomaly detection and classification system and have deployed it as part of an operational platform, where it is successfully used to monitor two 10Gb/s peering links between the Catalan and the Spanish national research and education networks (NREN).
