Impact of packet sampling on anomaly detection metrics
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
The risk-utility tradeoff for IP address truncation
Proceedings of the 1st ACM workshop on Network data anonymization
A Sampling Method for Intrusion Detection System
APNOMS '08 Proceedings of the 11th Asia-Pacific Symposium on Network Operations and Management: Challenges for Next Generation Network Operations and Service Management
Portscan Detection with Sampled NetFlow
TMA '09 Proceedings of the First International Workshop on Traffic Monitoring and Analysis
Network anomaly detection and classification via opportunistic sampling
IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection
Forecasting-based sampling decision for accurate and scalable anomaly detection
GLOBECOM'09 Proceedings of the 28th IEEE conference on Global telecommunications
On accurate and scalable anomaly detection in next generation mobile network
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
On mitigating sampling-induced accuracy loss in traffic anomaly detection systems
ACM SIGCOMM Computer Communication Review
Computer Networks: The International Journal of Computer and Telecommunications Networking
Analysis of the impact of sampling on NetFlow traffic classification
Computer Networks: The International Journal of Computer and Telecommunications Networking
A practical approach to portscan detection in very high-speed links
PAM'11 Proceedings of the 12th international conference on Passive and active measurement
Efficient packet sampling for accurate traffic measurements
Computer Networks: The International Journal of Computer and Telecommunications Networking
The Journal of Supercomputing
Information Sciences: an International Journal
Packet sampling is commonly deployed in high-speed backbone routers to minimize the resources used for network monitoring. It is known that packet sampling distorts traffic statistics, and its impact has been extensively studied for traffic engineering metrics such as flow size and mean rate. However, it is unclear how packet sampling impacts anomaly detection, which has become increasingly critical to network providers. This paper is the first attempt to address this question by focusing on one common class of non-volume-based anomalies, portscans, which are associated with worm/virus propagation. Existing portscan detection algorithms fall into two general approaches: target-specific and traffic profiling. We evaluated representative algorithms for each class, namely: 1) TRWSYN, which performs stateful traffic analysis; 2) TAPS, which tracks the connection patterns of scanners; and 3) entropy-based traffic profiling. We applied these algorithms to detect portscans in both the original and sampled packet traces from a Tier-1 provider's backbone network. Our results demonstrate that sampling introduces a fundamental bias that degrades the effectiveness of these detection algorithms and dramatically increases false positives. Through both experiments and analysis, we identify the traffic features critical for anomaly detection that are affected by sampling. Finally, using the insight gained from this study, we show how portscan algorithms can be enhanced to be more robust to sampling.