Anomaly detection methods typically operate on preprocessed traffic traces. First, most traffic capturing devices today employ random packet sampling, in which each packet is selected with a certain probability, to cope with increasing link speeds. Second, temporal aggregation, in which all packets in a measurement interval are represented by their temporal mean, is applied to transform the traffic trace to the observation timescale of interest for anomaly detection. These preprocessing steps alter the temporal correlation structure of the traffic that anomaly detection methods such as Kalman filtering or PCA rely on, and thus affect anomaly detection performance. Prior work has analyzed how packet sampling degrades the accuracy of anomaly detection methods; however, neither theoretical explanations nor solutions to the sampling problem have been provided. This paper makes the following key contributions: (i) it provides a thorough analysis and quantification of how random packet sampling and temporal aggregation modify the signal properties by introducing noise, distortion and aliasing; (ii) we show that the aliasing introduced by the aggregation step has the largest impact on the correlation structure; (iii) we further propose to replace the aggregation step with a specifically designed low-pass filter that reduces the aliasing effect; (iv) finally, we show that with our solution applied, the performance of anomaly detection systems can be considerably improved in the presence of packet sampling.
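As an added illustration of the preprocessing chain the abstract describes (example code written here, not code from the paper or its authors), the following pure-Python script builds a constructed per-millisecond packet-count series containing a periodic component faster than the Nyquist frequency of a 10 ms aggregation interval, applies Bernoulli packet sampling, and compares plain temporal-mean aggregation with a low-pass filter followed by decimation. The Hamming-windowed-sinc filter, the 10 ms interval, the 1-in-10 sampling probability and the sinusoidal burst are all assumptions chosen for the demonstration; the paper's own filter design is not reproduced here.

```python
"""Effect of random packet sampling and temporal aggregation on a traffic
signal, and how a low-pass filter before decimation limits aliasing.
Pure Python (random, math only); all traffic values are constructed inline.
"""
import math
import random

# ---- constructed traffic: 100 pkt/ms baseline plus a fast periodic burst ----
BASELINE = 100.0   # mean packets per 1 ms bin (constructed value)
AMPLITUDE = 30.0   # burst amplitude in packets per bin (constructed value)
FAST_FREQ = 0.13   # cycles per ms; above 1/(2*M), the aggregated Nyquist rate
N_BINS = 4000      # 4 s of 1 ms bins
M = 10             # aggregation interval in bins (10 ms, an assumed interval)


def packet_counts(n=N_BINS):
    """Per-millisecond packet counts: baseline plus a sinusoidal burst whose
    frequency exceeds the Nyquist frequency of the aggregated series."""
    return [BASELINE + AMPLITUDE * math.sin(2 * math.pi * FAST_FREQ * t)
            for t in range(n)]


def bernoulli_sample(counts, p, seed=1):
    """Random packet sampling: each packet is kept with probability p and the
    count is rescaled by 1/p so the estimate stays unbiased.  The price is
    binomial noise added to every bin."""
    rng = random.Random(seed)
    out = []
    for c in counts:
        kept = sum(1 for _ in range(int(round(c))) if rng.random() < p)
        out.append(kept / p)
    return out


def block_mean_aggregate(series, m=M):
    """Temporal aggregation as in the baseline: every m bins replaced by their
    mean.  This is a boxcar filter plus decimation; its weak stop-band lets
    fast components fold (alias) into the coarse series."""
    return [sum(series[i:i + m]) / m for i in range(0, len(series) - m + 1, m)]


def windowed_sinc_taps(cutoff, ntaps):
    """Hamming-windowed sinc low-pass FIR taps, normalised to unit DC gain.
    cutoff is in cycles per input bin; ntaps should be odd."""
    mid = (ntaps - 1) / 2
    taps = []
    for k in range(ntaps):
        x = k - mid
        sinc = 2 * cutoff if x == 0 else math.sin(2 * math.pi * cutoff * x) / (math.pi * x)
        window = 0.54 - 0.46 * math.cos(2 * math.pi * k / (ntaps - 1))
        taps.append(sinc * window)
    total = sum(taps)
    return [t / total for t in taps]


def lowpass_aggregate(series, m=M, ntaps=101):
    """Anti-aliased aggregation (assumed design): low-pass to 1/(2m) cycles per
    bin, then keep every m-th sample.  Only fully overlapped outputs are used,
    so no filter start-up transient appears in the result."""
    taps = windowed_sinc_taps(0.5 / m, ntaps)
    valid = len(series) - ntaps + 1
    filtered = [sum(taps[k] * series[i + k] for k in range(ntaps)) for i in range(valid)]
    return filtered[::m]


def variance(series):
    mean = sum(series) / len(series)
    return sum((x - mean) ** 2 for x in series) / len(series)


def rms_deviation(series):
    """RMS deviation from the mean: for a constant-plus-burst input this is
    the amount of the fast component that survived aggregation as an alias."""
    return math.sqrt(variance(series))


def compare_aggregation():
    """Aliased residual left by block-mean vs. low-pass aggregation."""
    counts = packet_counts()
    return {"block_mean": rms_deviation(block_mean_aggregate(counts)),
            "lowpass": rms_deviation(lowpass_aggregate(counts))}


def compare_sampling(p=0.1):
    """Per-bin mean and variance before and after 1-in-10 packet sampling."""
    counts = packet_counts()
    sampled = bernoulli_sample(counts, p)
    return {"orig_mean": sum(counts) / len(counts), "orig_var": variance(counts),
            "sampled_mean": sum(sampled) / len(sampled), "sampled_var": variance(sampled)}


if __name__ == "__main__":
    print("aliasing residual:", compare_aggregation())
    print("sampling noise:", compare_sampling())
```

With these constructed parameters the block mean passes about 20% of the 0.13 cycles/ms component, which reappears in the 10 ms series as a spurious slow oscillation of 0.3 cycles per interval (the alias), whereas the windowed-sinc path leaves well under 1% of it. Sampling, by contrast, preserves the mean but roughly triples the per-bin variance, which is the noise term the abstract distinguishes from distortion and aliasing.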