On mitigating sampling-induced accuracy loss in traffic anomaly detection systems

Published: 22 June 2010

Abstract

Real-time Anomaly Detection Systems (ADSs) use packet sampling to realize traffic analysis at wire speeds. While recent studies have shown that a considerable loss of anomaly detection accuracy is incurred due to sampling, solutions to mitigate this loss are largely unexplored. In this paper, we propose a Progressive Security-Aware Packet Sampling (PSAS) algorithm which enables a real-time inline anomaly detector to achieve higher accuracy by sampling larger volumes of malicious traffic than random sampling, while adhering to a given sampling budget. High malicious sampling rates are achieved by deploying inline ADSs progressively on a packet's path. Each ADS encodes a binary score (malicious or benign) of a sampled packet into the packet before forwarding it to the next hop node. The next hop node then samples packets marked as malicious with a higher probability. We analytically prove that under certain realistic conditions, irrespective of the intrusion detection algorithm used to formulate the packet score, PSAS always provides higher malicious packet sampling rates. To empirically evaluate the proposed PSAS algorithm, we simultaneously collect an Internet traffic dataset containing DoS and portscan attacks at three different deployment points in our university's network. Experimental results using four existing anomaly detectors show that PSAS, while having no extra communication overhead and extremely low complexity, allows these detectors to achieve significantly higher accuracies than those operating on random packet samples.
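A small simulation of the progressive scheme the abstract describes, added here as an illustration and not code from the paper or its authors: a fixed-rate detector writes a binary mark into each packet it samples, and every downstream hop oversamples marked packets while lowering its rate for unmarked ones so the overall rate still equals the budget. The traffic mix, the detector's true/false positive rates (`tpr`, `fpr`), `marked_rate` and the helper names (`Packet`, `psas_hop`, `simulate`) are all constructed assumptions.

```python
import random
from dataclasses import dataclass

@dataclass
class Packet:
    malicious: bool        # ground truth, never read by the sampler itself
    marked: bool = False   # binary score carried in the packet header

def make_traffic(n, malicious_frac, rng):
    """Constructed traffic mix: a given fraction of packets belong to an attack."""
    return [Packet(rng.random() < malicious_frac) for _ in range(n)]

def detector(pkt, tpr, fpr, rng):
    """Hypothetical inline anomaly detector with fixed true/false positive rates."""
    return rng.random() < (tpr if pkt.malicious else fpr)

def psas_hop(packets, budget, marked_rate, tpr, fpr, rng):
    """One inline ADS on the path: sample marked packets at marked_rate, choose the
    unmarked rate so the expected overall rate equals the budget, then overwrite
    the score of every packet it sampled. Unsampled packets keep their mark."""
    f_marked = sum(p.marked for p in packets) / len(packets)
    marked_rate = min(marked_rate, 1.0)
    if f_marked * marked_rate >= budget:        # marks alone would exhaust the budget
        marked_rate, unmarked_rate = budget / f_marked, 0.0
    else:
        unmarked_rate = (budget - f_marked * marked_rate) / (1.0 - f_marked) if f_marked < 1.0 else 0.0
    sampled = []
    for p in packets:
        if rng.random() < (marked_rate if p.marked else unmarked_rate):
            p.marked = detector(p, tpr, fpr, rng)
            sampled.append(p)
    return sampled

def malicious_fraction(sampled):
    return sum(p.malicious for p in sampled) / max(len(sampled), 1)

def simulate(n=50000, malicious_frac=0.1, budget=0.1, marked_rate=0.8,
             tpr=0.8, fpr=0.05, hops=3, seed=1):
    """Compare plain random sampling with PSAS over several hops at the same budget."""
    rng = random.Random(seed)
    packets = make_traffic(n, malicious_frac, rng)
    baseline = [p for p in packets if rng.random() < budget]   # random sampling
    per_hop, sampled = [], []
    for _ in range(hops):                       # hop 1 sees no marks: pure random
        sampled = psas_hop(packets, budget, marked_rate, tpr, fpr, rng)
        per_hop.append(malicious_fraction(sampled))
    return {"random": malicious_fraction(baseline),
            "psas_per_hop": per_hop,            # malicious share of each hop's sample
            "psas_rate": len(sampled) / n}      # realised rate at the last hop
```

With the default parameters the malicious share of the sample rises hop by hop while the realised sampling rate stays at the 10% budget, which is the effect the abstract claims for PSAS over random sampling.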

Published In

ACM SIGCOMM Computer Communication Review, Volume 40, Issue 3
July 2010
53 pages
ISSN: 0146-4833
DOI: 10.1145/1823844

Publisher

Association for Computing Machinery
New York, NY, United States

Publication History

Published in SIGCOMM-CCR Volume 40, Issue 3

Author Tags

1. anomaly detection
2. denial-of-service (DoS)
3. packet sampling
4. portscan

Qualifiers

• Research-article
