Towards efficient flow sampling technique for anomaly detection

Authors:
Karel Bartos;Martin Rehak
Affiliations:
Faculty of Electrical Engineering, Czech Technical University, Prague, Czech Republic;Faculty of Electrical Engineering, Czech Technical University, Prague, Czech Republic
Venue:
TMA'12 Proceedings of the 4th international conference on Traffic Monitoring and Analysis
Year:
2012

Citing 12
Cited 0

New directions in traffic measurement and accounting

Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
Properties and prediction of flow statistics from sampled packet streams

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Diagnosing network-wide traffic anomalies

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Building a better NetFlow

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Estimating flow distributions from sampled flow statistics

IEEE/ACM Transactions on Networking (TON)
Inverting sampled traffic

IEEE/ACM Transactions on Networking (TON)
Is sampled data sufficient for anomaly detection?

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Reducing unwanted traffic in a backbone network

SRUTI'05 Proceedings of the Steps to Reducing Unwanted Traffic on the Internet on Steps to Reducing Unwanted Traffic on the Internet Workshop
Adaptive Multiagent System for Network Traffic Monitoring

IEEE Intelligent Systems
Network anomaly detection and classification via opportunistic sampling

IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection
On mitigating sampling-induced accuracy loss in traffic anomaly detection systems

ACM SIGCOMM Computer Communication Review

Quantified Score

Hi-index	0.00

Visualization

Abstract

With increasing amount of network traffic, sampling techniques have become widely employed allowing monitoring and analysis of high-speed network links. Despite of all benefits, sampling methods negatively influence the accuracy of anomaly detection techniques and other subsequent processing. In this paper, we present an adaptive, feature-aware sampling technique that reduces the loss of information bounded with the sampling process, thus minimizing the decrease of anomaly detection efficiency. To verify the optimality of our proposed technique, we build a model of the ideal sampling algorithm and define general metrics allowing us to compute the distortion of traffic feature distribution for various types of sampling algorithms. We compare our technique with random flow sampling and reveal their impact on several anomaly detection methods by using real network traffic data. The presented ideas can be applied on high-speed network links to refine the input data by suppressing highly-redundant information.