Parametric Methods for Anomaly Detection in Aggregate Traffic

This paper develops parametric methods to detect network anomalies using only aggregate traffic statistics, in contrast to other works requiring flow separation, even when the anomaly is a small fraction of the total traffic. By adopting simple statistical models for anomalous and background traffic in the time domain, one can estimate model parameters in real time, thus obviating the need for a long training phase or manual parameter tuning. The proposed bivariate parametric detection mechanism (bPDM) uses a sequential probability ratio test, allowing for control over the false positive rate while examining the tradeoff between detection time and the strength of an anomaly. Additionally, it uses both traffic-rate and packet-size statistics, yielding a bivariate model that eliminates most false positives. The method is analyzed using the bit-rate signal-to-noise ratio (SNR) metric, which is shown to be an effective metric for anomaly detection. The performance of the bPDM is evaluated in three ways. First, synthetically generated traffic provides for a controlled comparison of detection time as a function of the anomalous level of traffic. Second, the approach is shown to be able to detect controlled artificial attacks over the University of Southern California (USC), Los Angeles, campus network in varying real traffic mixes. Third, the proposed algorithm achieves rapid detection of real denial-of-service attacks as determined by the replay of previously captured network traces. The method developed in this paper is able to detect all attacks in these scenarios in a few seconds or less.
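As an added illustration that is not part of the paper, the following Python sketch runs a bivariate sequential probability ratio test (Wald thresholds set from target false-positive and miss rates) over constructed per-interval samples of byte rate and mean packet size, and shows a stronger anomaly being declared sooner than a weaker one while a background-only stream is never flagged. The independent Gaussian models, the warm-up-window estimation of background parameters, the fixed hypothesized anomaly shift (+20 bytes per interval, -10 bytes mean packet size) and the SNR definition are assumptions made here, not the paper's own models.

```python
# Added example, not the paper's code: a minimal bivariate SPRT in the spirit of bPDM.
# Assumed (not from the paper): per-interval byte count and mean packet size are
# independent Gaussians; background mean/variance come from a warm-up window; the
# alternative hypothesis is a fixed minimum anomaly shift. All samples are constructed.
import math

NOISE = [0, 20, -20, 10, -10]            # constructed deterministic "noise" cycle

def constructed_stream(rate_offset, size_offset, n):
    """Constructed (byte_rate, packet_size) samples: background plus an anomaly offset."""
    return [(1000 + rate_offset + NOISE[i % 5], 500 + size_offset + NOISE[i % 5])
            for i in range(n)]

def estimate_background(samples):
    """Per-dimension (mean, population variance) of the warm-up window."""
    n = len(samples)
    stats = []
    for dim in range(2):
        xs = [s[dim] for s in samples]
        mean = sum(xs) / n
        var = sum((x - mean) ** 2 for x in xs) / n
        stats.append((mean, var))
    return stats

def llr_increment(sample, bg, deltas):
    """Log-likelihood ratio of H1 (mean shifted by delta) vs H0 for one bivariate sample."""
    total = 0.0
    for x, (mu0, var), d in zip(sample, bg, deltas):
        total += (d / var) * (x - (mu0 + d / 2))   # Gaussian LLR with known variance
    return total

def sprt_detect(stream, warmup=10, deltas=(20.0, -10.0), alpha=0.01, beta=0.01):
    """Index (within the monitoring phase) of the sample that triggers the alarm, or None."""
    bg = estimate_background(stream[:warmup])
    upper = math.log((1 - beta) / alpha)    # Wald threshold: alarm, false-positive rate alpha
    lower = math.log(beta / (1 - alpha))    # Wald threshold: accept background, miss rate beta
    s = 0.0
    for i, sample in enumerate(stream[warmup:]):
        s += llr_increment(sample, bg, deltas)
        if s >= upper:
            return i
        if s <= lower:
            s = 0.0                          # background accepted: restart the test
    return None

def snr_db(delta_rate, rate_var):
    """Assumed bit-rate SNR: squared anomaly mean rate over background rate variance, in dB."""
    return 10 * math.log10(delta_rate ** 2 / rate_var)
```

With a warm-up of ten background samples, the +40/-30 anomaly is declared on the second monitored sample and the +15/-8 anomaly on the seventh, while the background-only stream keeps accepting the null hypothesis.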
