A Signal Analysis of Network Traffic Anomalies
Paul Barford, Jeffrey Kline, David Plonka, and Amos Ron
Network Traffic Anomalies
  Failures and attacks
  Detection is part of everyday work for
  Data derived mainly from two sources
    SNMP
      • Queries to nodes; mostly counts of activity
    IP flows
      • More specific than SNMP
Related Work: detection of anomalies
  Statistical
  Past work on malicious (DoS, port scan) behavior detection
  Flash crowd studies
Analysis based on SNMP and IP flow data
  Taken from a border router at University of
  Flow records built from 1-in-96 packet sampling
  Journal of known anomalies and events was
    • Network
    • Attack
    • Flash crowd
    • Measurement
Current Practices
  Network operators use ad hoc methods
  Rely on the operator's personal experience
  Handling SNMP data
    • Graph network data
    • Alarms for certain events
  Flow data handling is less mature
    • A popular tool converts flow records into time-series data
Wavelet Analysis
  Divides the data into strata
  Low-frequency strata: slowly varying trends
  High-frequency strata: spontaneous
Wavelet Processing
  Analysis/Decomposition
    • Break down the signal into the strata
    • Run different filters for the different
  Synthesis
    • Inverse of decomposition
  Wavelet algorithms
    • Recombine strata, but filtering out unwanted
  The technique used by the authors synthesizes 3 separate parts of the signal
    • The three parts together hold more data than the original signal (the representation is redundant)
    • L: captures long-term patterns; ideal for weekly trends
    • M: captures mid-range patterns; ideal for daily trends
    • H: captures the high-frequency data
Anomaly Detection
  Normalize the H- and M-parts to a variance of 1
    • Compute the local variability of the data within a moving window (3 hours)
  Combine the variability of the H- and M-parts
  Apply thresholding
  Development environment for anomaly
  Used the H-part, the M-part, and a weight for each to determine deviation scores
  Anomalies tend to have a deviation score over 2.0
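The decomposition and deviation-score procedure above, as an added example written for this page (it is not the authors' code). A Haar wavelet stands in for the wavelet system used in the paper; on 5-minute bins the H-part is taken as Haar levels 1-3, the M-part as levels 4-8 and the L-part as the level-8 approximation; the two weights are set equal; and the input traffic series is constructed (a daily cycle, Gaussian noise and a 2.5-hour burst). All of those choices are assumptions; the steps themselves (normalize H and M to unit variance, local variance over a 3-hour moving window, weighted sum, threshold at 2.0) are the ones the slide lists.

```python
"""Wavelet L/M/H decomposition and deviation score (added example, not the
authors' code). Assumptions: Haar wavelet, 5-minute bins, H = levels 1-3,
M = levels 4-8, L = level-8 approximation, equal weights for H and M,
constructed input (daily cycle + noise + a 2.5-hour burst)."""
import math
import random

BIN_MINUTES = 5
WINDOW = 3 * 60 // BIN_MINUTES      # 3-hour moving window = 36 bins
LEVELS = 8
H_LEVELS = {1, 2, 3}                # Haar scales 10 min .. 40 min
M_LEVELS = {4, 5, 6, 7, 8}          # Haar scales 80 min .. ~21 h


def haar_analyze(x, levels):
    """Split x into a level-`levels` approximation and per-level details.
    Haar pair (p, q) -> approx (p+q)/2, detail (p-q)/2; exactly invertible."""
    if len(x) % (1 << levels):
        raise ValueError("length must be divisible by 2**levels")
    a, details = list(x), []
    for _ in range(levels):
        details.append([(a[i] - a[i + 1]) / 2 for i in range(0, len(a), 2)])
        a = [(a[i] + a[i + 1]) / 2 for i in range(0, len(a), 2)]
    return a, details


def haar_synthesize(approx, details):
    """Inverse of haar_analyze: rebuild the signal from approximation + details."""
    a = list(approx)
    for d in reversed(details):
        a = [v for ai, di in zip(a, d) for v in (ai + di, ai - di)]
    return a


def wavelet_parts(x, levels=LEVELS, h_levels=H_LEVELS, m_levels=M_LEVELS):
    """Synthesize the L, M and H parts by keeping disjoint subsets of the
    coefficients and zeroing the rest; L + M + H reconstructs x exactly."""
    approx, details = haar_analyze(x, levels)

    def rebuild(keep_levels, keep_approx):
        kept = [d if j + 1 in keep_levels else [0.0] * len(d)
                for j, d in enumerate(details)]
        base = approx if keep_approx else [0.0] * len(approx)
        return haar_synthesize(base, kept)

    return rebuild(set(), True), rebuild(m_levels, False), rebuild(h_levels, False)


def normalize(x):
    """Center x and scale it to unit variance."""
    mean = sum(x) / len(x)
    std = math.sqrt(sum((v - mean) ** 2 for v in x) / len(x)) or 1.0
    return [(v - mean) / std for v in x]


def local_variance(x, window):
    """Variance of the trailing `window` samples at each position."""
    out = []
    for i in range(len(x)):
        seg = x[max(0, i - window + 1):i + 1]
        m = sum(seg) / len(seg)
        out.append(sum((v - m) ** 2 for v in seg) / len(seg))
    return out


def deviation_scores(x, w_h=1.0, w_m=1.0, window=WINDOW):
    """Weighted sum of the local variability of the normalized H and M parts."""
    _, m_part, h_part = wavelet_parts(x)
    v_h = local_variance(normalize(h_part), window)
    v_m = local_variance(normalize(m_part), window)
    return [w_h * a + w_m * b for a, b in zip(v_h, v_m)]


def flag_anomalies(scores, threshold=2.0):
    """Bins whose deviation score exceeds the threshold (2.0 on the slide)."""
    return [i for i, s in enumerate(scores) if s > threshold]


def synthetic_traffic(n=2048, burst_start=1000, burst_len=30, seed=1):
    """Constructed input: ~7 days of 5-minute bins with a daily cycle,
    Gaussian noise, and a +800 burst lasting 2.5 hours (the injected anomaly)."""
    rng = random.Random(seed)
    per_day = 24 * 60 // BIN_MINUTES
    return [1000.0 + 400.0 * math.sin(2 * math.pi * t / per_day) + rng.gauss(0, 15)
            + (800.0 if burst_start <= t < burst_start + burst_len else 0.0)
            for t in range(n)]


if __name__ == "__main__":
    series = synthetic_traffic()
    hits = flag_anomalies(deviation_scores(series))
    print("bins over threshold:", hits[0], "..", hits[-1], "(count", len(hits), ")")
```

Because the H- and M-parts are scaled to unit variance before the window variance is taken, a score near 1 means "as variable as this link usually is" and the 2.0 threshold means roughly twice that; the burst shows up mostly through the H-part at its edges and through the M-part over its body, and the trailing window keeps the score raised for up to 3 hours after the burst ends.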
Characteristics of Ambient Traffic
  Need data free of anomalies as a calibration
Flash Crowds
  Test data: a new Linux release on an ftp mirror
Short-lived Anomalies
Discriminator for Short-term
Two DoS Events
Analysis of Network Outage
Deviation Score Evaluation
  Used logged anomalies as baseline for
    • Of 39 logged anomalies, detected 38
Comparison to Holt-Winters
  Holt-Winters is an exponential smoothing algorithm
    • Uses a baseline (intercept), a linear trend (slope), and seasonal
    • Aberrations are detected when a certain amount of data falls outside the threshold range within a window
  Differs from the wavelet approach in that the wavelet strata are processed separately, whereas Holt-Winters is one prediction function
  Compared to an alternative using the Holt-Winters algorithm
    • Holt-Winters detected 37 anomalies
    • Both missed anomalies would have been detected with a larger
    • Holt-Winters is more sensitive
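An added example of the Holt-Winters aberration detector the slide describes (it is not the paper's code nor RRDtool's): additive smoothing of a level, a linear trend and a seasonal term, a confidence band of delta times a smoothed absolute deviation around the one-step forecast, and an alarm when at least a set number of points in a window fall outside the band, after Brutlag's formulation. The smoothing constants, the 5-of-9 failure rule, the band width and the constructed daily-seasonal input are assumptions made for the example.

```python
"""Holt-Winters aberrant-behaviour detection (added example, not the paper's
or RRDtool's code). Additive level/trend/seasonal smoothing with a confidence
band of delta times a smoothed absolute deviation and an alarm when enough
points in a window fall outside the band, after Brutlag's formulation.
Constants, the failure rule and the constructed input are assumptions."""
import math
import random


def synthetic_series(n, m, burst_at, burst_len, seed=1):
    """Constructed input: seasonal series (period m) with noise and a +60 burst."""
    rng = random.Random(seed)
    return [100.0 + 40.0 * math.sin(2 * math.pi * t / m) + rng.gauss(0, 3)
            + (60.0 if burst_at <= t < burst_at + burst_len else 0.0)
            for t in range(n)]


def holt_winters_failures(y, m, alpha=0.1, beta=0.01, gamma=0.1,
                          delta=3.0, window=9, min_violations=5):
    """Indices t at which at least `min_violations` of the last `window`
    observations fell outside the band forecast +/- delta * deviation."""
    if len(y) < 2 * m:
        raise ValueError("need at least two full seasons to initialize")
    # Initialize from the first two seasons: level = mean of season 1, trend =
    # mean per-bin change between the seasons, seasonal = residuals of season 1,
    # deviation = mean absolute bin-to-bin change (a rough noise estimate).
    level = sum(y[:m]) / m
    trend = (sum(y[m:2 * m]) - sum(y[:m])) / (m * m)
    season = [y[i] - level for i in range(m)]
    dev = [sum(abs(y[i + 1] - y[i]) for i in range(m - 1)) / (m - 1)] * m
    violations, failures = [], []
    for t in range(m, len(y)):
        slot = t % m
        pred = level + trend + season[slot]              # one-step-ahead forecast
        violated = abs(y[t] - pred) > delta * dev[slot]  # outside the band?
        violations.append(violated)
        if sum(violations[-window:]) >= min_violations:
            failures.append(t)
        # Additive Holt-Winters updates (level, trend, seasonal), then the
        # seasonal deviation that sets next season's band width at this slot.
        new_level = alpha * (y[t] - season[slot]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        season[slot] = gamma * (y[t] - new_level) + (1 - gamma) * season[slot]
        dev[slot] = gamma * abs(y[t] - pred) + (1 - gamma) * dev[slot]
        level = new_level
    return failures


if __name__ == "__main__":
    m = 288                                   # 5-minute bins per day
    failures = holt_winters_failures(synthetic_series(4 * m, m, 700, 30), m)
    print("alarm raised at bins", failures[0], "..", failures[-1])
```

Run on the constructed series, the alarm fires a few bins into the burst and, because the level has by then tracked into the burst, fires again when traffic drops back to normal; that is the single-prediction-function behaviour the slide contrasts with processing the strata separately, and it is one reason Holt-Winters reads as the more sensitive of the two.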
  Performs comparably to Holt-Winters
  Deviation score detection can be effective
  Learning methods potentially used in the
  Study ways of classification
