Anomaly extraction in backbone networks using association rules

Authors:
Daniela Brauckhoff;Xenofontas Dimitropoulos;Arno Wagner;Kavè Salamatian
Affiliations:
ETH Zurich, Zurich, Switzerland;ETH Zurich, Zurich, Switzerland;ETH Zurich, Zurich, Switzerland;Lancaster University, Lancaster, United Kingdom
Venue:
Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Year:
2009

Citing 19
Cited 25

Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Fast Algorithms for Mining Association Rules in Large Databases

VLDB '94 Proceedings of the 20th International Conference on Very Large Data Bases
Automatically inferring patterns of resource consumption in network traffic

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Sketch-based change detection: methods, evaluation, and applications

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Learning Rules for Anomaly Detection of Hostile Network Traffic

ICDM '03 Proceedings of the Third IEEE International Conference on Data Mining
Diagnosing network-wide traffic anomalies

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Online identification of hierarchical heavy hitters: algorithms, evaluation, and applications

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Entropy Based Worm and Anomaly Detection in Fast IP Networks

WETICE '05 Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise
Detection and identification of network anomalies using sketch subspaces

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Combining filtering and statistical methods for anomaly detection

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Detecting anomalies in network traffic using maximum entropy estimation

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Summarization – compressing data into an informative representation

Knowledge and Information Systems
Finding hierarchical heavy hitters in streaming data

ACM Transactions on Knowledge Discovery from Data (TKDD)
Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures

Proceedings of the 2007 workshop on Large scale attack defense
What's going on?: learning communication rules in edge networks

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
A two-layered anomaly detection technique based on multi-modal flow behavior models

PAM'08 Proceedings of the 9th international conference on Passive and active network measurement
Histogram-based traffic anomaly detection

IEEE Transactions on Network and Service Management

ASTUTE: detecting a different class of traffic anomalies

Proceedings of the ACM SIGCOMM 2010 conference
Automating root-cause analysis of network anomalies using frequent itemset mining

Proceedings of the ACM SIGCOMM 2010 conference
An evaluation of automatic parameter tuning of a statistics-based anomaly detection algorithm

International Journal of Network Management
Listen to me if you can: tracking user experience of mobile network on social media

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Temporally oblivious anomaly detection on large networks using functional peers

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
What happened in my network: mining network events from router syslogs

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
MAWILab: combining diverse anomaly detectors for automated anomaly labeling and performance benchmarking

Proceedings of the 6th International COnference
SEPIA: privacy-preserving aggregation of multi-domain network events and statistics

USENIX Security'10 Proceedings of the 19th USENIX conference on Security
A Hough-transform-based anomaly detector with an adaptive time interval

Proceedings of the 2011 ACM Symposium on Applied Computing
Anomaly localization for network data streams with graph joint sparse PCA

Proceedings of the 17th ACM SIGKDD international conference on Knowledge discovery and data mining
A Hough-transform-based anomaly detector with an adaptive time interval

ACM SIGAPP Applied Computing Review
Privacy-preserving distributed network troubleshooting—bridging the gap between theory and practice

ACM Transactions on Information and System Security (TISSEC)
Flooding attacks detection in backbone traffic using power divergence

Proceedings of the 7th ACM workshop on Performance monitoring and measurement of heterogeneous wireless and wired networks
Classifying internet one-way traffic

Proceedings of the 2012 ACM conference on Internet measurement conference
Improving an SVD-based combination strategy of anomaly detectors for traffic labelling

Proceedings of the Asian Internet Engineeering Conference
Assessing the quality of packet-level traces collected on internet backbone links

NordSec'12 Proceedings of the 17th Nordic conference on Secure IT Systems
Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis

Proceedings of the 28th Annual Computer Security Applications Conference
Anomaly extraction in backbone networks using association rules

IEEE/ACM Transactions on Networking (TON)
ADMIRE: Anomaly detection method using entropy-based PCA with three-step sketches

Computer Communications
Juggling the Jigsaw: towards automated problem inference from network trouble tickets

nsdi'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
K-sparse approximation for traffic histogram dimensionality reduction

Proceedings of the 8th International Conference on Network and Service Management
Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks

Proceedings of the 29th Annual Computer Security Applications Conference
FaRNet: Fast recognition of high-dimensional patterns from big network traffic data

Computer Networks: The International Journal of Computer and Telecommunications Networking
Data summarization for network traffic monitoring

Journal of Network and Computer Applications
Visualizing big network traffic data using frequent pattern mining and hypergraphs

Computing

Quantified Score

Hi-index	0.00

Visualization

Abstract

Anomaly extraction is an important problem essential to several applications ranging from root cause analysis, to attack mitigation, and testing anomaly detectors. Anomaly extraction is preceded by an anomaly detection step, which detects anomalous events and may identify a large set of possible associated event flows. The goal of anomaly extraction is to find and summarize the set of flows that are effectively caused by the anomalous event. In this work, we use meta-data provided by several histogram-based detectors to identify suspicious flows and then apply association rule mining to find and summarize the event flows. Using rich traffic data from a backbone network (SWITCH/AS559), we show that we can reduce the classification cost, in terms of items (flows or rules) that need to be classified, by several orders of magnitude. Further, we show that our techniques effectively isolate event flows in all analyzed cases and that on average trigger between 2 and 8.5 false positives, which can be trivially sorted out by an administrator.