Title :
Detection Accuracy of Network Anomalies Using Sampled Flow Statistics
Author :
Kawahara, Ryoichi ; Ishibashi, Keisuke ; Mori, Tatsuya ; Kamiyama, Noriaki ; Harada, Shigeaki ; Asano, Shoichiro
Author_Institution :
NTT Corp., Tokyo
Abstract :
We investigate the detection accuracy of network anomalies when we use flow statistics obtained through packet sampling. We have already shown, through a case study based on measurement data, that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become hard to detect when we perform packet sampling. In this paper, we first develop an analytical model that enables us to quantitatively evaluate the effect of packet sampling on the detection accuracy and then investigate why detection accuracy worsens when the packet sampling rate decreases. In addition, we show that, even with a low sampling rate, spatially partitioning the monitored traffic into groups makes it possible to increase the detection accuracy. We also develop a method of determining an appropriate number of partitioned groups and show its effectiveness.
Keywords :
Internet; packet switching; sampling methods; telecommunication congestion control; telecommunication security; telecommunication traffic; Internet; SYN flooding; monitored traffic partitioning; network anomaly detection accuracy; network scans; packet sampling; sampled flow statistics; Analytical models; IP networks; Laboratories; Monitoring; Performance evaluation; Sampling methods; Statistical analysis; Statistics; Telecommunication traffic; Traffic control;
Conference_Title :
Global Telecommunications Conference, 2007. GLOBECOM '07. IEEE
Conference_Location :
Washington, DC
Print_ISBN :
978-1-4244-1042-2
Electronic_ISBN :
978-1-4244-1043-9
DOI :
10.1109/GLOCOM.2007.376