Portscan Detection with Sampled NetFlow

Authors:
Ignasi Paredes-Oliva;Pere Barlet-Ros;Josep Solé-Pareta
Affiliations:
Computer Architecture Dept., Universitat Politècnica de Catalunya (UPC), Barcelona, Spain 08034;Computer Architecture Dept., Universitat Politècnica de Catalunya (UPC), Barcelona, Spain 08034;Computer Architecture Dept., Universitat Politècnica de Catalunya (UPC), Barcelona, Spain 08034
Venue:
TMA '09 Proceedings of the First International Workshop on Traffic Monitoring and Analysis
Year:
2009

Citing 6
Cited 6

Bro: a system for detecting network intruders in real-time

Computer Networks: The International Journal of Computer and Telecommunications Networking
New directions in traffic measurement and accounting: Focusing on the elephants, ignoring the mice

ACM Transactions on Computer Systems (TOCS)
Snort - Lightweight Intrusion Detection for Networks

LISA '99 Proceedings of the 13th USENIX conference on System administration
Impact of packet sampling on anomaly detection metrics

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Is sampled data sufficient for anomaly detection?

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Impact of Packet Sampling on Portscan Detection

IEEE Journal on Selected Areas in Communications

Analysis of the impact of sampling on NetFlow traffic classification

Computer Networks: The International Journal of Computer and Telecommunications Networking
Machine learning approach for IP-flow record anomaly detection

NETWORKING'11 Proceedings of the 10th international IFIP TC 6 conference on Networking - Volume Part I
Digging into ip flow records with a visual kernel method

CISIS'11 Proceedings of the 4th international conference on Computational intelligence in security for information systems
Detecting anomalies in netflow record time series by using a kernel function

AIMS'12 Proceedings of the 6th IFIP WG 6.6 international autonomous infrastructure, management, and security conference on Dependable Networks and Services
Exploiting packet-sampling measurements for traffic characterization and classification

International Journal of Network Management
Efficient multidimensional aggregation for large scale monitoring

lisa'12 Proceedings of the 26th international conference on Large Installation System Administration: strategies, tools, and techniques

Quantified Score

Hi-index	0.00

Visualization

Abstract

Sampling techniques are often used for traffic monitoring in high-speed links in order to avoid saturation of network resources. Although there is a wide existing research dealing with anomaly detection, few studies analyzed the impact of sampling on the performance of portscan detection algorithms. In this paper, we performed several experiments on two already existing portscan detection mechanisms to test whether they are robust enough to different sampling techniques. Unlike previous works, we found that flow sampling is not always better than packet sampling to continue detecting portscans reliably.