Traffic anomaly detection and characterization in the tunisian national university network

Authors:
Khadija Houerbi Ramah;Hichem Ayari;Farouk Kamoun
Affiliations:
Ecole d’Aviation Borj El Amri;CRISTAL laboratory, École Nationale des Sciences de l’Informatique, University of Manouba, Manouba, Tunisia;CRISTAL laboratory, École Nationale des Sciences de l’Informatique, University of Manouba, Manouba, Tunisia
Venue:
NETWORKING'06 Proceedings of the 5th international IFIP-TC6 conference on Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems
Year:
2006

Citing 12
Cited 3

An Intrusion-Detection Model

IEEE Transactions on Software Engineering - Special issue on computer security and privacy
Characteristics of network traffic flow anomalies

IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Code-Red: a case study on the spread and victims of an internet worm

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Internet intrusions: global characteristics and prevalence

SIGMETRICS '03 Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
Inside the Slammer Worm

IEEE Security and Privacy
Characteristics of internet background radiation

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
On scalable attack detection in the network

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Characterization of network-wide anomalies in traffic flows

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Aberrant Behavior Detection in Time Series for Network Monitoring

LISA '00 Proceedings of the 14th USENIX conference on System administration
Inferring internet denial-of-service activity

SSYM'01 Proceedings of the 10th conference on USENIX Security Symposium - Volume 10
PISA: automatic extraction of traffic signatures

NETWORKING'05 Proceedings of the 4th IFIP-TC6 international conference on Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communication Systems

Traffic flooding attack detection with SNMP MIB using SVM

Computer Communications
Traffic growth analysis over three years in enterprise networks

APCC'09 Proceedings of the 15th Asia-Pacific conference on Communications
An in-depth analysis on traffic flooding attacks detection and system using data mining techniques

Journal of Systems Architecture: the EUROMICRO Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

Traffic anomalies are characterized by unusual and significant changes in a network traffic behavior. They can be malicious or unintentional. Malicious traffic anomalies can be caused by attacks, abusive network usage and worms or virus propagations. However unintentional ones can be caused by failures, flash crowds or router misconfigurations. In this paper, we present an anomaly detection system derived from the anomaly detection schema presented by Mei-Ling Shyu in [12] and based on periodic SNMP data collection. We have evaluated this system against some common attacks and found that some (Smurf, Sync flood) are better detected than others (Scan). Then we have made use of this system in order to detect traffic anomalies in the Tunisian National University Network (TNUN). For this, we have collected network traffic traces from the Management Information Base MIB of the central firewall of the TNUN network. After that, we calculated the inter-anomaly times distribution and the anomaly durations distribution. We showed that anomalies were prevalent in the TNUN network and that most anomalies lasted less than five minutes.