DocumentCode
2500337
Title
Detection Accuracy of Network Anomalies Using Sampled Flow Statistics
Author
Kawahara, Ryoichi ; Ishibashi, Keisuke ; Mori, Tatsuya ; Kamiyama, Noriaki ; Harada, Shigeaki ; Asano, Shoichiro
Author_Institution
NTT Corp., Tokyo
fYear
2007
fDate
26-30 Nov. 2007
Firstpage
1959
Lastpage
1964
Abstract
We investigate the detection accuracy of network anomalies when we use flow statistics obtained through packet sampling. We have already shown, through a case study based on measurement data, that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become hard to detect when we perform packet sampling. In this paper, we first develop an analytical model that enables us to quantitatively evaluate the effect of packet sampling on the detection accuracy and then investigate why detection accuracy worsens when the packet sampling rate decreases. In addition, we show that, even with a low sampling rate, spatially partitioning the monitored traffic into groups makes it possible to increase the detection accuracy. We also develop a method of determining an appropriate number of partitioned groups and show its effectiveness.
Keywords
Internet; packet switching; sampling methods; telecommunication congestion control; telecommunication security; telecommunication traffic; Internet; SYN flooding; monitored traffic partitioning; network anomaly detection accuracy; network scans; packet sampling; sampled flow statistics; Analytical models; IP networks; Laboratories; Monitoring; Performance evaluation; Sampling methods; Statistical analysis; Statistics; Telecommunication traffic; Traffic control;
fLanguage
English
Publisher
ieee
Conference_Titel
Global Telecommunications Conference, 2007. GLOBECOM '07. IEEE
Conference_Location
Washington, DC
Print_ISBN
978-1-4244-1042-2
Electronic_ISBN
978-1-4244-1043-9
Type
conf
DOI
10.1109/GLOCOM.2007.376
Filename
4411286