论文信息 - Effective Change Detection in Large Repositories of Unsolicited Traffic

Effective Change Detection in Large Repositories of Unsolicited Traffic

When monitoring unsolicited network traffic automated detection and characterization of abrupt changes in the traffics statistical properties is important. These abrupt changes can either be due to a single or multiple anomalous activities taking place at the same time. The start of a new anomalous activity while another anomalous activity is in operation will result in a new change nested within the previous change. Although detection of abrupt changes to identify malicious activities has received considerable attention in the past, automated detection of nested changes has not been addressed. In this paper a dynamic sliding window cumulative sum (CUSUM) algorithm is proposed to automatically identify these nested changes. The novelty of the proposed technique lies in its ability to automatically detect nested changes, without which interesting activities may go undetected, and its effectiveness in identifying both the start and the end of the individual changes. Using an analysis of real network traces, we show that the identified nested changes were indeed due to distinct malicious behaviours taking place in parallel.

[1] Xuxian Jiang,et al. Collapsar: A VM-Based Architecture for Network Attack Detention Center , 2004, USENIX Security Symposium.

[2] George M. Mohay,et al. A Novel Sliding Window Based Change Detection Algorithm for Asymmetric Traffic , 2008, 2008 IFIP International Conference on Network and Parallel Computing.

[3] Alexander G. Tartakovsky,et al. A novel approach to detection of \denial{of{service" attacks via adaptive sequential and batch{sequential change{point detection methods , 2001 .

[4] Vasilios A. Siris,et al. Application of anomaly detection algorithms for detecting SYN flooding attacks , 2004, IEEE Global Telecommunications Conference, 2004. GLOBECOM '04..

[5] Kai Hwang,et al. Collaborative Detection of DDoS Attacks over Multiple Network Domains , 2007, IEEE Transactions on Parallel and Distributed Systems.

[6] Youmin Zhang,et al. A novel variable‐length sliding window blockwise least‐squares algorithm for on‐line estimation of time‐varying parameters , 2004 .

[7] Udo W. Pooch,et al. Computer system and network security , 1995 .

[8] Christopher Leckie,et al. Hitlist Worm Detection using Source IP Address History. , 2006 .

[9] Ming Yu,et al. An adaptive method for anomaly detection in symmetric network traffic , 2007, Comput. Secur..

[10] F. Jahanian,et al. Practical Darknet Measurement , 2006, 2006 40th Annual Conference on Information Sciences and Systems.