Three levels network analysis for anomaly detection

Authors:
Bruno B. Zarpelão;Leonardo S. Mendes;Mario L. Proença;Joel J. P. C. Rodrigues
Affiliations:
School of Electrical and Computer Engineering, University of Campinas, Campinas, SP, Brazil;School of Electrical and Computer Engineering, University of Campinas, Campinas, SP, Brazil;Computer Science Department, State University of Londrina, Londrina, PR, Brazil;Instituto de Telecomunicações, University of Beira Interior, Covilhã, Portugal
Venue:
SoftCOM'09 Proceedings of the 17th international conference on Software, Telecommunications and Computer Networks
Year:
2009

Citing 9
Cited 0

An Intrusion-Detection Model

IEEE Transactions on Software Engineering - Special issue on computer security and privacy
SNMP,SNMPV2,Snmpv3,and RMON 1 and 2

SNMP,SNMPV2,Snmpv3,and RMON 1 and 2
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Diagnosing network-wide traffic anomalies

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Sensitivity of PCA for traffic anomaly detection

Proceedings of the 2007 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
An overview of anomaly detection techniques: Existing solutions and latest technological trends

Computer Networks: The International Journal of Computer and Telecommunications Networking
Statistical techniques for detecting traffic anomalies through packet header data

IEEE/ACM Transactions on Networking (TON)
Network anomaly detection and classification via opportunistic sampling

IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection
Anomaly detection in IP networks

IEEE Transactions on Signal Processing

Quantified Score

Hi-index	0.00

Visualization

Abstract

Anomaly detection is fundamental to ensure reliability and security in computer networks. In this work, it is proposed an anomaly detection system that monitors the network in three different levels. In the first one, data is collected from Simple Network Management Protocol (SNMP) objects and compared to profiles of normal traffic, in order to detect behavior changes. Second level of analysis includes a dependency graph that represents the relationships between SNMP objects. It is used to analyze first level alerts, confirming the occurrence of anomalies in device level. In the third level of analysis, second level alerts are grouped according to network topology information, and network administrators are informed about the context where the anomaly occurred. Tests were performed in a real network environment and good results were obtained.