Characteristics of network traffic flow anomalies
IMW '01 Proceedings of the 1st ACM SIGCOMM Workshop on Internet Measurement
Practical automated detection of stealthy portscans
Journal of Computer Security
New directions in traffic measurement and accounting
Proceedings of the 2002 conference on Applications, technologies, architectures, and protocols for computer communications
A signal analysis of network traffic anomalies
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Properties and prediction of flow statistics from sampled packet streams
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Estimating flow distributions from sampled flow statistics
Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Sketch-based change detection: methods, evaluation, and applications
Proceedings of the 3rd ACM SIGCOMM conference on Internet measurement
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Mining anomalies using traffic feature distributions
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Anomaly detection in IP networks
IEEE Transactions on Signal Processing
Packet-level traffic measurements from the Sprint IP backbone
IEEE Network: The Magazine of Global Internetworking
Impact of packet sampling on anomaly detection metrics
Proceedings of the 6th ACM SIGCOMM conference on Internet measurement
Challenging the supremacy of traffic matrices in anomaly detection
Proceedings of the 7th ACM SIGCOMM conference on Internet measurement
A generic language for application-specific flow sampling
ACM SIGCOMM Computer Communication Review
Confident estimation for multistage measurement sampling and aggregation
SIGMETRICS '08 Proceedings of the 2008 ACM SIGMETRICS international conference on Measurement and modeling of computer systems
CSAMP: a system for network-wide flow monitoring
NSDI'08 Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation
Unconstrained endpoint profiling (googling the internet)
Proceedings of the ACM SIGCOMM 2008 conference on Data communication
High-Performance Agent System for Intrusion Detection in Backbone Networks
CIA '07 Proceedings of the 11th international workshop on Cooperative Information Agents XI
Collaborative Attack Detection in High-Speed Networks
CEEMAS '07 Proceedings of the 5th international Central and Eastern European conference on Multi-Agent Systems and Applications V
Fast monitoring of traffic subpopulations
Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
A Space-Efficient Fair Packet Sampling Algorithm
APNOMS '08 Proceedings of the 11th Asia-Pacific Symposium on Network Operations and Management: Challenges for Next Generation Network Operations and Service Management
A Sampling Method for Intrusion Detection System
APNOMS '08 Proceedings of the 11th Asia-Pacific Symposium on Network Operations and Management: Challenges for Next Generation Network Operations and Service Management
Portscan Detection with Sampled NetFlow
TMA '09 Proceedings of the First International Workshop on Traffic Monitoring and Analysis
Traffic monitor deployment in IP networks
Computer Networks: The International Journal of Computer and Telecommunications Networking
How to keep your head above water while detecting errors
Proceedings of the 10th ACM/IFIP/USENIX International Conference on Middleware
Survey of SNMP performance analysis studies
International Journal of Network Management
Network anomaly detection and classification via opportunistic sampling
IEEE Network: The Magazine of Global Internetworking - Special issue title on recent developments in network intrusion detection
Survey on traffic of metro area network with measurement on-line
ITC20'07 Proceedings of the 20th international teletraffic conference on Managing traffic performance in converged networks
How to keep your head above water while detecting errors
Middleware'09 Proceedings of the ACM/IFIP/USENIX 10th international conference on Middleware
Googling the internet: profiling internet endpoints via the world wide web
IEEE/ACM Transactions on Networking (TON)
On mitigating sampling-induced accuracy loss in traffic anomaly detection systems
ACM SIGCOMM Computer Communication Review
Computer Networks: The International Journal of Computer and Telecommunications Networking
A signal processing view on packet sampling and anomaly detection
INFOCOM'10 Proceedings of the 29th conference on Information communications
Measurouting: a framework for routing assisted traffic monitoring
INFOCOM'10 Proceedings of the 29th conference on Information communications
ASTUTE: detecting a different class of traffic anomalies
Proceedings of the ACM SIGCOMM 2010 conference
International Journal of Network Management
Toward credible evaluation of anomaly-based intrusion-detection methods
IEEE Transactions on Systems, Man, and Cybernetics, Part C: Applications and Reviews
Revisiting the case for a minimalist approach for network flow monitoring
IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Dynamic feature analysis and measurement for large-scale network traffic monitoring
IEEE Transactions on Information Forensics and Security
Analysis of the impact of sampling on NetFlow traffic classification
Computer Networks: The International Journal of Computer and Telecommunications Networking
Monitoring abnormal network traffic based on blind source separation approach
Journal of Network and Computer Applications
Automating network monitoring on experimental testbeds
CSET'11 Proceedings of the 4th conference on Cyber security experimentation and test
Hardware Precomputation of Entropy for Anomaly Detection
Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems
Streaming Solutions for Fine-Grained Network Traffic Measurements and Analysis
Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems
A Passive Network Appliance for Real-Time Network Monitoring
Proceedings of the 2011 ACM/IEEE Seventh Symposium on Architectures for Networking and Communications Systems
MeasuRouting: a framework for routing assisted traffic monitoring
IEEE/ACM Transactions on Networking (TON)
Revisiting traffic anomaly detection using software defined networking
RAID'11 Proceedings of the 14th international conference on Recent Advances in Intrusion Detection
Detection accuracy of network anomalies using sampled flow statistics
International Journal of Network Management
Towards efficient flow sampling technique for anomaly detection
TMA'12 Proceedings of the 4th international conference on Traffic Monitoring and Analysis
Exploiting packet-sampling measurements for traffic characterization and classification
International Journal of Network Management
Disclosure: detecting botnet command and control servers through large-scale NetFlow analysis
Proceedings of the 28th Annual Computer Security Applications Conference
Computer Networks: The International Journal of Computer and Telecommunications Networking
Software defined traffic measurement with OpenSketch
nsdi'13 Proceedings of the 10th USENIX conference on Networked Systems Design and Implementation
FleXam: flexible sampling extension for monitoring and security applications in openflow
Proceedings of the second ACM SIGCOMM workshop on Hot topics in software defined networking
Modeling residual-geometric flow sampling
IEEE/ACM Transactions on Networking (TON)
A scalable network forensics mechanism for stealthy self-propagating attacks
Computer Communications
An adaptive flow counting method for anomaly detection in SDN
Proceedings of the ninth ACM conference on Emerging networking experiments and technologies
On effective sampling techniques in host-based intrusion detection in tactical MANET
International Journal of Security and Networks
| Hi-index | 0.00 |
Sampling techniques are widely used for traffic measurements at high link speed to conserve router resources. Traditionally, sampled traffic data is used for network management tasks such as traffic matrix estimations, but recently it has also been used in numerous anomaly detection algorithms, as security analysis becomes increasingly critical for network providers. While the impact of sampling on traffic engineering metrics such as flow size and mean rate is well studied, its impact on anomaly detection remains an open question.This paper presents a comprehensive study on whether existing sampling techniques distort traffic features critical for effective anomaly detection. We sampled packet traces captured from a Tier-1 IP-backbone using four popular methods: random packet sampling, random flow sampling, smart sampling, and sample-and-hold. The sampled data is then used as input to detect two common classes of anomalies: volume anomalies and port scans. Since it is infeasible to enumerate all existing solutions, we study three representative algorithms: a wavelet-based volume anomaly detection and two portscan detection algorithms based on hypotheses testing. Our results show that all the four sampling methods introduce fundamental bias that degrades the performance of the three detection schemes, however the degradation curves are very different. We also identify the traffic features critical for anomaly detection and analyze how they are affected by sampling. Our work demonstrates the need for better measurement techniques, since anomaly detection operates on a drastically different information region, which is often overlooked by existing traffic accounting methods that target heavy-hitters.