Adaptive sampling strategy for accurate and scalable anomaly detection in NGMN

Integration of disparate access networks in Next Generation Mobile Networks (NGMN) introduces several implementation issues for quality of service (QoS) and security. The large amount of traffic generated in the network imposes a scalability issue that significantly affects the performance of traffic measurement and anomaly detection. While sampling can address the scalability problem, the incompleteness of sampled traffic statistics leads to inaccurate traffic inferences, thereby reducing the effectiveness of anomaly detection. In this paper, we address these issues by proposing an adaptive sampling strategy that provides the traffic statistics necessary for accurate and scalable NGMN anomaly detection. The sampling strategy uses frequency domain analysis to determine the severity level of the traffic. The severity level and the flow sizes are the two parameters that make up the sampling decision. The accuracy parameter is derived from the traffic behavior, while the scalability issue is addressed by ensuring optimal utilization of the memory cache. Performance evaluation indicates that the proposed technique is capable of providing complete traffic statistics for detecting malicious traffic and also improves scalability in the network.
