Impact of Traffic Mix and Packet Sampling on Anomaly Visibility

Detection of network traffic anomalies is a key requirement for the provisioning of a reliable networking Infrastructure. In this paper, we examine how anomaly metrics are affected by different environmental settings. To evaluate the effect of the traffic mix on the anomaly visibility, we use traces collected at the different border routers of a medium size national ISP. Since the traces consist of unsampled NetFlow traces, we further examine the impact of sampling on the selected metrics. For our analysis, we use our knowledge of the Blaster and Witty worms to establish a baseline of normal traffic against which we measure the size of the anomaly at various sampling rates. To evaluate the impact of the traffic mix, we compare the visibility of the anomaly for the four different routers and discuss the results. Among other results, we find that traffic mix characteristics sometimes compensate or even boost anomaly visibility in sampled views. We further show that, depending on the anomaly and the traffic mix, some anomaly metrics outperform unsampled data views even at sampling rates of up to 1 out of 10000 packets.