Optimizing flow sampling for network anomaly detection

Author

Bartos, Karel ; Rehak, Martin ; Krmicek, Vojtech

Author_Institution

Dept. of Cybern., Czech Tech. Univ., Prague, Czech Republic

fYear

2011

fDate

4-8 July 2011

Firstpage

1304

Lastpage

1309

Abstract

Sampling techniques are widely employed in high-speed network traffic monitoring to allow the analysis of high traffic volumes with limited resources. Sampling has measurable negative impact on the accuracy of network anomaly detection methods. In our work, we build an integrated model which puts the sampling into the context of the anomaly detection used in the subsequent processing. Using this model, we show that it is possible to perform very efficient sampling with limited impact on traffic feature distributions, thus minimizing the decrease of anomaly detection efficiency. Specifically, we propose an adaptive, feature-aware statistical sampling technique and compare it both formally and empirically with other known sampling techniques - random flow sampling and selective sampling. We study the impact of these sampling techniques on particular anomaly detection methods used in a network behavior analysis system.

Keywords

computer network performance evaluation; computer network security; optimisation; sampling methods; statistical distributions; telecommunication traffic; feature-aware statistical sampling technique; flow sampling optimization; high-speed network traffic monitoring; network anomaly detection; network behavior analysis system; traffic feature distribution; Adaptive systems; Entropy; Feature extraction; Force; IP networks; Monitoring; Sampling methods; NetFlow; Sampling methods; anomaly detection; network traffic;

fLanguage

English

Publisher

ieee

Conference_Titel

Wireless Communications and Mobile Computing Conference (IWCMC), 2011 7th International

Conference_Location

Istanbul

Print_ISBN

978-1-4244-9539-9

Type

conf

DOI

10.1109/IWCMC.2011.5982728

Filename

5982728