Towards Efficient Flow Sampling Technique for Anomaly Detection

As network traffic volumes grow, sampling has become widely used to make monitoring and analysis of high-speed links feasible. Despite these benefits, sampling degrades the accuracy of anomaly detection and of other downstream processing. In this paper, we present an adaptive, feature-aware sampling technique that reduces the information loss inherent in the sampling process and thereby minimizes the drop in anomaly detection performance. To assess how close our technique comes to the optimum, we build a model of an ideal sampling algorithm and define general metrics that quantify how much a given sampling algorithm distorts the distribution of traffic features. We compare our technique with random flow sampling and evaluate the impact of both on several anomaly detection methods using real network traffic data. The presented ideas can be applied to high-speed network links to refine the input data by suppressing highly redundant information.
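The following is an added, self-contained illustration of the problem the abstract describes; it is not the paper's algorithm or code. It constructs a synthetic flow set (900 redundant web flows plus a 100-port scan), applies uniform random flow sampling and a simple feature-aware sampler (an assumed design: a flow's inclusion probability falls with the frequency of its destination port value, and kept flows are reweighted by the inverse of that probability), and measures distortion of the destination-port distribution with total-variation distance and with the entropy that distribution-based detectors rely on. The flow records, the sampler, and the metric choice are all assumptions made for this example.

```python
import math
import random
from collections import Counter

DST_PORT = 2  # index of the feature we examine in each flow tuple


def make_flows(seed=1):
    """Constructed flow records (src_ip, dst_ip, dst_port, packets); not real traffic."""
    rng = random.Random(seed)
    flows = []
    # Bulk, highly redundant web traffic: 900 flows from 20 clients to one server port.
    for _ in range(900):
        flows.append((f"10.0.0.{rng.randint(1, 20)}", "198.51.100.10", 80, rng.randint(5, 50)))
    # A low-volume port scan: one source probes 100 ports on one host, one packet each.
    for port in range(1000, 1100):
        flows.append(("203.0.113.7", "10.0.0.5", port, 1))
    rng.shuffle(flows)
    return flows


def weighted_distribution(weighted_flows, index):
    """Feature distribution estimated from (flow, weight) pairs, weight = 1 / P(kept)."""
    est = Counter()
    for flow, w in weighted_flows:
        est[flow[index]] += w
    total = sum(est.values())
    return {k: v / total for k, v in est.items()}


def entropy(dist):
    """Shannon entropy in bits of a feature distribution (the signal entropy detectors use)."""
    return -sum(p * math.log2(p) for p in dist.values() if p > 0)


def total_variation(p, q):
    """Total-variation distance between two distributions over the same feature."""
    keys = set(p) | set(q)
    return 0.5 * sum(abs(p.get(k, 0.0) - q.get(k, 0.0)) for k in keys)


def random_flow_sampling(flows, rate, seed=2):
    """Uniform random flow sampling; every kept flow carries weight 1/rate."""
    rng = random.Random(seed)
    return [(f, 1.0 / rate) for f in flows if rng.random() < rate]


def feature_aware_sampling(flows, rate, index=DST_PORT, seed=2):
    """Assumed feature-aware sampler (not the paper's): keep a flow with probability
    min(1, c / count_of_its_feature_value), with c chosen by bisection so the expected
    sample size is rate * len(flows). Rare values survive intact; the redundant bulk
    is thinned and reweighted so the distribution can be re-estimated."""
    rng = random.Random(seed)
    counts = Counter(f[index] for f in flows)
    budget = rate * len(flows)

    def expected_size(c):
        return sum(min(c, n) for n in counts.values())

    lo, hi = 0.0, float(max(counts.values()))
    for _ in range(60):
        mid = (lo + hi) / 2
        if expected_size(mid) < budget:
            lo = mid
        else:
            hi = mid
    c = hi
    kept = []
    for f in flows:
        p = min(1.0, c / counts[f[index]])
        if rng.random() < p:
            kept.append((f, 1.0 / p))
    return kept


def compare(rate=0.2, index=DST_PORT):
    """Distortion of the dst_port distribution under both samplers at the same budget."""
    flows = make_flows()
    full = weighted_distribution([(f, 1.0) for f in flows], index)
    results = {"full_entropy": entropy(full)}
    for name, sampler in (("random", random_flow_sampling), ("feature_aware", feature_aware_sampling)):
        sample = sampler(flows, rate)
        est = weighted_distribution(sample, index)
        results[name] = {
            "kept": len(sample),
            "distinct_values_seen": len(est),
            "tv_distortion": total_variation(full, est),
            "entropy_error": abs(entropy(full) - entropy(est)),
        }
    return results


if __name__ == "__main__":
    for name, value in compare().items():
        print(name, value)
```

At a 20% flow budget the random sampler drops most of the scan's destination ports, so the port distribution collapses and its entropy falls well below the unsampled value, which is exactly the kind of signal a distribution-based detector would miss. The feature-aware sampler spends its budget on the rare values and thins only the dominant port-80 traffic, so the reweighted distribution stays close to the original; the price is that per-flow volume estimates for the thinned bulk become noisier, which is the trade-off any such scheme has to justify against its downstream detectors.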
