Increasing reliability in network traffic anomaly detection

Network traffic anomalies account for a large fraction of Internet traffic and degrade the performance of network resources. Detecting and diagnosing these threats is a laborious and time-consuming task that network operators face daily. During the last decade researchers have concentrated their efforts on this problem and proposed several tools to automate the task. In particular, recent advances in anomaly detection have made it possible to detect new or unknown anomalies by exploiting statistical analysis of the traffic. Despite the advantages of these detection methods, researchers have reported several common drawbacks that discredit their use in practice. Indeed, the difficulty of relating the theory underlying these methods to actual Internet traffic raises several issues. For example, the difficulty of selecting the optimal parameter set for these methods degrades their performance and prevents network operators from using them. Moreover, owing to the lack of ground truth data, these detection methods can only be evaluated approximately, which prevents accurate feedback on them and hinders improvements to their reliability. We address these issues, first, by proposing a pattern-recognition-based detection method that overcomes the common drawbacks of anomaly detectors based on statistical analysis, and second, by providing both a benchmark tool that compares the results of diverse detectors and ground truth data obtained by combining several anomaly detectors. The proposed pattern-recognition-based detector takes advantage of image processing techniques to provide intuitive outputs and an intuitive parameter set. An adaptive mechanism that automatically tunes its parameter set according to traffic fluctuations is also proposed. The resulting adaptive anomaly detector is easy to use in practice, achieves a high detection rate, and provides an intuitive description of the anomalies that allows their root causes to be identified.
A benchmark methodology is also developed in order to compare several detectors based on different theoretical backgrounds. This methodology allows researchers to accurately identify the differences between the results of diverse detectors. We employ this methodology along with an unsupervised combination strategy to combine the output of four anomaly detectors. The combination strategy increases the overall reliability of the combined detectors and detects twice as many anomalies as the best single detector. We provide the results of this combination of detectors in the form of ground truth data containing various anomalies over 10 years of traffic.
