Anomaly extraction in backbone networks using association rules

Authors:
Daniela Brauckhoff;Xenofontas Dimitropoulos;Arno Wagner;Kavé Salamatian
Affiliations:
Computing Department, ETH Zurich, Zurich, Switzerland;Department of Information Technology and Electrical Engineering, ETH Zurich, Zurich, Switzerland;Computing Department, ETH Zurich, Zurich, Switzerland;LISTIC PolyTech, Université de Savoie Chambery Annecy, Annecy le Vieux Cedex, France
Venue:
IEEE/ACM Transactions on Networking (TON)
Year:
2012

Citing 30
Cited 1

Testing Intrusion detection systems: a critique of the 1998 and 1999 DARPA intrusion detection system evaluations as performed by Lincoln Laboratory

ACM Transactions on Information and System Security (TISSEC)
Scalable Algorithms for Association Mining

IEEE Transactions on Knowledge and Data Engineering
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Fast Algorithms for Mining Association Rules in Large Databases

VLDB '94 Proceedings of the 20th International Conference on Very Large Data Bases
Automatically inferring patterns of resource consumption in network traffic

Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Sketch-based change detection: methods, evaluation, and applications

Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Learning Rules for Anomaly Detection of Hostile Network Traffic

ICDM '03 Proceedings of the Third IEEE International Conference on Data Mining
Diagnosing network-wide traffic anomalies

Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Online identification of hierarchical heavy hitters: algorithms, evaluation, and applications

Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
An improved data stream summary: the count-min sketch and its applications

Journal of Algorithms
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Introduction to Data Mining, (First Edition)

Introduction to Data Mining, (First Edition)
Entropy Based Worm and Anomaly Detection in Fast IP Networks

WETICE '05 Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise
What's new: finding significant differences in network data streams

IEEE/ACM Transactions on Networking (TON)
Detection and identification of network anomalies using sketch subspaces

Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Combining filtering and statistical methods for anomaly detection

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Detecting anomalies in network traffic using maximum entropy estimation

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Data mining approaches for intrusion detection

SSYM'98 Proceedings of the 7th conference on USENIX Security Symposium - Volume 7
Frequent pattern mining: current status and future directions

Data Mining and Knowledge Discovery
Summarization – compressing data into an informative representation

Knowledge and Information Systems
Finding hierarchical heavy hitters in streaming data

ACM Transactions on Knowledge Discovery from Data (TKDD)
Extracting hidden anomalies using sketch and non Gaussian multiresolution statistical detection procedures

Proceedings of the 2007 workshop on Large scale attack defense
What's going on?: learning communication rules in edge networks

Proceedings of the ACM SIGCOMM 2008 conference on Data communication
Scan Surveillance in Internet Networks

NETWORKING '09 Proceedings of the 8th International IFIP-TC 6 Networking Conference
Anomaly extraction in backbone networks using association rules

Proceedings of the 9th ACM SIGCOMM conference on Internet measurement conference
Complexity analysis of depth first and FP-growth implementations of APRIORI

MLDM'03 Proceedings of the 3rd international conference on Machine learning and data mining in pattern recognition
A two-layered anomaly detection technique based on multi-modal flow behavior models

PAM'08 Proceedings of the 9th international conference on Passive and active network measurement
URCA: pulling out anomalies by their root causes

INFOCOM'10 Proceedings of the 29th conference on Information communications
Mining frequent patterns from network flows for monitoring network

Expert Systems with Applications: An International Journal
Histogram-based traffic anomaly detection

IEEE Transactions on Network and Service Management

Topology-Aware Correlated Network Anomaly Event Detection and Diagnosis

Journal of Network and Systems Management

Quantified Score

Hi-index	0.00

Visualization

Abstract

Anomaly extraction refers to automatically finding, in a large set of flows observed during an anomalous time interval, the flows associated with the anomalous event(s). It is important for root-cause analysis, network forensics, attack mitigation, and anomaly modeling. In this paper, we use meta-data provided by several histogram-based detectors to identify suspicious flows, and then apply association rule mining to find and summarize anomalous flows. Using rich traffic data from a backbone network, we show that our technique effectively finds the flows associated with the anomalous event(s) in all studied cases. In addition, it triggers a very small number of false positives, on average between 2 and 8.5, which exhibit specific patterns and can be trivially sorted out by an administrator. Our anomaly extraction method significantly reduces the work-hours needed for analyzing alarms, making anomaly detection systems more practical.