The need for simulation in evaluating anomaly detectors

Authors:
Haakon Ringberg;Matthew Roughan;Jennifer Rexford
Affiliations:
Princeton University;University of Adelaide;Princeton University
Venue:
ACM SIGCOMM Computer Communication Review
Year:
2008

Citing 16
Cited 17

On the self-similar nature of Ethernet traffic (extended version)

IEEE/ACM Transactions on Networking (TON)
Difficulties in simulating the internet

IEEE/ACM Transactions on Networking (TON)
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Automatically inferring patterns of resource consumption in network traffic

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Monitoring and early warning for internet worms

Proceedings of the 10th ACM conference on Computer and communications security
Diagnosing network-wide traffic anomalies

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Online identification of hierarchical heavy hitters: algorithms, evaluation, and applications

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
On scalable attack detection in the network

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
The internet measurement data catalog

ACM SIGCOMM Computer Communication Review
CRAWDAD: A Community Resource for Archiving Wireless Data at Dartmouth

IEEE Pervasive Computing
Network anomography

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Combining filtering and statistical methods for anomaly detection

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Diagnosing network disruptions with network-wide analysis

Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Sensitivity of PCA for traffic anomaly detection

Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
LADS: large-scale automated DDOS detection system

ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
WebClass: adding rigor to manual labeling of traffic anomalies

ACM SIGCOMM Computer Communication Review

WebClass: adding rigor to manual labeling of traffic anomalies

ACM SIGCOMM Computer Communication Review
Large-scale evaluation of distributed attack detection

Proceedings of the 2nd International Conference on Simulation Tools and Techniques
Distributed detection of large-scale attacks in the internet

CoNEXT '08 Proceedings of the 2008 ACM CoNEXT Conference
A Labeled Data Set for Flow-Based Intrusion Detection

IPOM '09 Proceedings of the 9th IEEE International Workshop on IP Operations and Management
Anomaly-based identification of large-scale attacks

GLOBECOM'09 Proceedings of the 28th IEEE conference on Global telecommunications
Collaborative defence as a pervasive service: architectural insights and validation methodologies of a trial deployment

International Journal of Sensor Networks
ASTUTE: detecting a different class of traffic anomalies

Proceedings of the ACM SIGCOMM 2010 conference
Distribution-based anomaly detection in 3G mobile networks: from theory to practice

International Journal of Network Management
Toward credible evaluation of anomaly-based intrusion-detection methods

IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews
BasisDetect: a model-based network event detection framework

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
MAWILab: combining diverse anomaly detectors for automated anomaly labeling and performance benchmarking

Proceedings of the 6th International COnference
Simulative evaluation of distributed attack detection in large-scale realistic environments

Simulation
Accurate network anomaly classification with generalized entropy metrics

Computer Networks: The International Journal of Computer and Telecommunications Networking
Collaborative anomaly-based detection of large-scale internet attacks

Computer Networks: The International Journal of Computer and Telecommunications Networking
A database of anomalous traffic for assessing profile based IDS

TMA'10 Proceedings of the Second international conference on Traffic Monitoring and Analysis
Improving an SVD-based combination strategy of anomaly detectors for traffic labelling

Proceedings of the Asian Internet Engineeering Conference
Distribution-Based anomaly detection in network traffic

DataTraffic Monitoring and Analysis

Quantified Score

Hi-index	0.00

Visualization

Abstract

Anomalous events that affect the performance of networks are a fact of life. It is therefore not surprising that recent years have seen an explosion in research on network anomaly detection. What is quite surprising, however, is the lack of controlled evaluation of these detectors. In this paper we argue that there are numerous important questions regarding the effectiveness of anomaly detectors that cannot be answered by the evaluation techniques employed today. We present four central requirements of a rigorous evaluation that can only be met by simulating both the anomaly and its surrounding environment. While simulation is necessary, it is not sufficient. We therefore present an outline of an evaluation methodology that leverages both simulation and traces from operational networks