A Study on Detecting Network Anomalies Using Sampled Flow Statistics

Authors:
Ryoichi Kawahara;Tatsuya Mori;Noriaki Kamiyama;Shigeaki Harada;Shoichiro Asano
Affiliations:
NTT Corporation, Japan;NTT Corporation, Japan;NTT Corporation, Japan;NTT Corporation, Japan;National Institute of Informatics, Japan
Venue:
SAINT-W '07 Proceedings of the 2007 International Symposium on Applications and the Internet Workshops
Year:
2007

Citing 0
Cited 4

Detection of Leaps/sLumps in Traffic Volume of Internet Backbone

APNOMS '08 Proceedings of the 11th Asia-Pacific Symposium on Network Operations and Management: Challenges for Next Generation Network Operations and Service Management
Maximum likelihood estimation of the flow size distribution tail index from sampled packet data

Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems
A scalable, efficient and informative approach for anomaly-based intrusion detection systems: theory and practice

International Journal of Network Management
Detection accuracy of network anomalies using sampled flow statistics

International Journal of Network Management

Quantified Score

Hi-index	0.00

Visualization

Abstract

We investigate how to detect network anomalies using flow statistics obtained through packet sampling. First, we show that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become dificult to detect when we execute packet sampling. This is because such flows are more unlikely to be sampled than normal flows. As a solution to this problem, we then show that spatially partitioning the monitored traffic into groups and analyzing the traffic of individual groups can increase the detectability of such anomalies. We also show the effectiveness of the partitioning method using network measurement data.