Impact of Packet Sampling on Portscan Detection

Authors:
Jianning Mai;A. Sridharan;Chen-Nee Chuah;Hui Zang;Tao Ye
Affiliations:
Dept. of Electr. & Comput. Eng., California Univ., Davis, CA;-;-;-;-
Venue:
IEEE Journal on Selected Areas in Communications
Year:
2006

Citing 0
Cited 14

Impact of packet sampling on anomaly detection metrics

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
The risk-utility tradeoff for IP address truncation

Proceedings of the 1st ACM workshop on Network data anonymization
A Sampling Method for Intrusion Detection System

APNOMS '08 Proceedings of the 11th Asia-Pacific Symposium on Network Operations and Management: Challenges for Next Generation Network Operations and Service Management
Portscan Detection with Sampled NetFlow

TMA '09 Proceedings of the First International Workshop on Traffic Monitoring and Analysis
Network anomaly detection and classification via opportunistic sampling

IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection
Forecasting-based sampling decision for accurate and scalable anomaly detection

GLOBECOM'09 Proceedings of the 28th IEEE conference on Global telecommunications
On accurate and scalable anomaly detection in next generation mobile network

ICC'09 Proceedings of the 2009 IEEE international conference on Communications
On mitigating sampling-induced accuracy loss in traffic anomaly detection systems

ACM SIGCOMM Computer Communication Review
Fast Filtered Sampling

Computer Networks: The International Journal of Computer and Telecommunications Networking
Analysis of the impact of sampling on NetFlow traffic classification

Computer Networks: The International Journal of Computer and Telecommunications Networking
A practical approach to portscan detection in very high-speed links

PAM'11 Proceedings of the 12th international conference on Passive and active measurement
Efficient packet sampling for accurate traffic measurements

Computer Networks: The International Journal of Computer and Telecommunications Networking
An anomaly-based detection in ubiquitous network using the equilibrium state of the catastrophe theory

The Journal of Supercomputing
Anomaly secure detection methods by analyzing dynamic characteristics of the network traffic in cloud communications

Information Sciences: an International Journal

Quantified Score

Hi-index	0.07

Visualization

Abstract

Packet sampling is commonly deployed in high-speed backbone routers to minimize resources used for network monitoring. It is known that packet sampling distorts traffic statistics and its impact has been extensively studied for traffic engineering metrics such as flow size and mean rate. However, it is unclear how packet sampling impacts anomaly detection, which has become increasingly critical to network providers. This paper is the first attempt to address this question by focusing on one common class of nonvolume-based anomalies, portscans, which are associated with worm/virus propagation. Existing portscan detection algorithms fall into two general approaches: target-specific and traffic profiling. We evaluated representative algorithms for each class, namely: 1) TRWSYN that performs stateful traffic analysis; 2) TAPS that tracks connection pattern of scanners; and 3) entropy-based traffic profiling. We applied these algorithms to detect portscans in both the original and sampled packet traces from a Tier-1 provider's backbone network. Our results demonstrate that sampling introduces fundamental bias that degrades the effectiveness of these detection algorithms and dramatically increases false positives. Through both experiments and analysis, we identify the traffic features critical for anomaly detection that are affected by sampling. Finally, using insight gained from this study, we show how portscan algorithms can be enhanced to be more robust to sampling