On the combined use of sketches and CUSUM for Anomaly Detection

Anomaly-based Intrusion Detection is a key research topic in network security because of its ability to cope with unknown attacks and new security threats. Moreover, new solutions must address the scalability issues arising from the growth of Internet traffic. To this end, random aggregation through the use of sketches represents a powerful pre-filtering stage that can be applied to backbone traffic, with a performance improvement with respect to traditional static aggregation at the subnet level. In this paper we apply the CUSUM algorithm at the bucket level to reveal the presence of anomalies in the current data and, in order to improve the detection rate, we correlate the data corresponding to traffic-flow aggregations based on different fields of the network- and transport-level headers. As a side effect, the correlation procedure gives some hints on the typology of the intrusion, since different attacks determine the variability of the statistics associated with specific header fields. The performance analysis presented in this paper demonstrates the effectiveness of the proposed approach, confirming the suitability of CUSUM as a change-point detection algorithm.
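The pipeline the abstract describes, as an added illustration that is not the paper's code: each time bin of flow records is hashed into a small count-min style table keyed on one header field (source address, destination address, destination port), a one-sided CUSUM runs on every bucket's time series, and the fields whose buckets raise an alarm in the same bin are then correlated. Everything below beyond that structure is assumed: the sketch size `D x W`, the SHA-256 stand-in for the random hash family, the CUSUM parameters `K`, `H` and `SIGMA_FLOOR`, and the synthetic flow records (a steady baseline plus a constructed burst of many new sources towards one destination service). Which fields alarm together is what a defender would read as the "hint on the typology" mentioned in the abstract.

```python
"""Sketch-based aggregation with per-bucket CUSUM change detection (added example)."""
import hashlib
import statistics

D, W = 3, 8          # assumed sketch size: D hash rows, W buckets per row
K, H = 0.5, 5.0      # assumed CUSUM drift and alarm threshold, in standard-deviation units
SIGMA_FLOOR = 1.0    # assumed floor so a perfectly flat baseline bucket cannot divide by zero
FIELDS = ("src_ip", "dst_ip", "dst_port")


def bucket(row, key):
    """Map a header-field value to a bucket of `row` (deterministic stand-in for a random hash)."""
    digest = hashlib.sha256(f"{row}:{key}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % W


def sketch(flows, field):
    """Count-min style table of packet counts for one time bin, keyed by `field`."""
    table = [[0] * W for _ in range(D)]
    for f in flows:
        for r in range(D):
            table[r][bucket(r, f[field])] += f["pkts"]
    return table


def cusum_alarm(series, mu, sigma, k=K, h=H):
    """One-sided CUSUM over standardised values; index of the first alarm, or None."""
    s = 0.0
    for i, x in enumerate(series):
        s = max(0.0, s + (x - mu) / sigma - k)
        if s > h:
            return i
    return None


def detect(bins, n_train):
    """Sketch every bin per field, learn mu/sigma per bucket on the first n_train bins,
    run CUSUM on the remaining bins. Returns {field: {(row, col): alarm_bin}}."""
    alarms = {}
    for field in FIELDS:
        tables = [sketch(b, field) for b in bins]
        hits = {}
        for r in range(D):
            for c in range(W):
                series = [t[r][c] for t in tables]
                train, test = series[:n_train], series[n_train:]
                mu = statistics.fmean(train)
                sigma = max(statistics.pstdev(train), SIGMA_FLOOR)
                idx = cusum_alarm(test, mu, sigma)
                if idx is not None:
                    hits[(r, c)] = n_train + idx
        alarms[field] = hits
    return alarms


def correlate(alarms):
    """Earliest alarm bin over all fields, and the set of fields alarming in that bin.
    Fields that move together narrow down what kind of change the traffic underwent."""
    first = {f: min(h.values()) for f, h in alarms.items() if h}
    if not first:
        return None, set()
    t = min(first.values())
    return t, {f for f, b in first.items() if b == t}


# --- constructed sample traffic (not real data) ---
def baseline_bin(b):
    """40 steady flows; packet counts wobble with period 3 so buckets have some variance."""
    return [{"src_ip": f"10.0.0.{i}", "dst_ip": f"192.0.2.{i % 4 + 1}",
             "dst_port": 80 if i % 2 == 0 else 443, "pkts": 10 + (i + b) % 3}
            for i in range(1, 41)]


def burst_flows():
    """200 new sources sending 10 packets each to one destination service (constructed anomaly)."""
    return [{"src_ip": f"198.51.100.{i + 1}", "dst_ip": "192.0.2.9",
             "dst_port": 53, "pkts": 10} for i in range(200)]


def make_bins(with_burst):
    """Ten bins of baseline traffic; the burst is added to bins 8 and 9 when requested."""
    bins = [baseline_bin(b) for b in range(10)]
    if with_burst:
        for b in (8, 9):
            bins[b] = bins[b] + burst_flows()
    return bins


if __name__ == "__main__":
    alarms = detect(make_bins(True), n_train=6)
    t, fields = correlate(alarms)
    print(f"first alarm in bin {t}; fields alarming together: {sorted(fields)}")
    for f in FIELDS:
        print(f"{f}: {len(alarms[f])} alarming buckets")
```

With the burst present, the bucket holding the target address, the bucket holding port 53 and the buckets absorbing the new sources all cross the threshold in bin 8, so all three fields alarm together; without it no bucket alarms, because the baseline wobble is within the learned standard deviation and the CUSUM drift `K` drains it.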
