An Empirical Evaluation of Entropybased Traffic Anomaly Detection
|
|
- Mildred Martina Bruce
- 5 years ago
- Views:
Transcription
1 An Empirical Evaluation of Entropybased Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University
2 Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity, DDoS, bandwidth floods... Traditional: raw traffic volume (insufficient) e.g., total number of packets in an epoch Modern: entropy-based traffic metrics e.g., relative randomness in distribution of packets across ports Example Anomaly Entropy: Detectable Traffic Volume: Undetected 2
3 Motivation Anomaly Detection NetFlow Data Traffic Feature Timeseries Detection Alarm! 3
4 Motivation Anomaly Detection Traffic Feature NetFlow Data sum(packets) Timeseries Detection A(pkts) 3
5 Motivation Anomaly Detection Traffic Feature NetFlow Data H(addresses) Timeseries Detection A(addr) Entropy-based Features: Dist. of packets across addresses 3
6 Motivation Anomaly Detection NetFlow Data Traffic Feature H(ports) Timeseries Detection A(addr) A(port) Entropy-based Features: H(addresses) Distribution of packets across ports 3
7 Motivation NetFlow Data Anomaly Detection Traffic Feature H(flow-size) Timeseries Detection A(addr) A(port) A(FSD) Entropy-based Features: H(addresses) H(ports) Distribution of flow-sizes (in packets) 3
8 Motivation NetFlow Data Anomaly Detection Traffic Feature H(degree) Timeseries Detection A(addr) A(port) A(FSD) A(deg) Entropy-based Features: H(addresses) H(ports) Distribution of host communication H(flow-size) 3
9 Motivation NetFlow Data Anomaly Detection Traffic Feature???????? Timeseries Detection A(addr) A(port) A(FSD) A(deg) Entropy-based Features: H(addresses) H(ports) H(flow-size) H(degree) 3
10 Motivation NetFlow Data Anomaly Detection Traffic Feature???????? Timeseries Detection A(addr) A(port) A(FSD) A(deg) Entropy-based Features: H(addresses) H(ports) H(flow-size) H(degree) Goal: understanding the features 3
11 Motivation NetFlow Data Anomaly Detection Traffic Feature???????? Timeseries Detection A(addr) A(port) A(FSD) A(deg) Entropy-based Features: H(addresses) H(ports) H(flow-size) H(degree) Goal: understanding the features 1. How unique are their detection capabilities? 2. How effective are they? 3
12 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet
13 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) 4
14 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) Are the distributions structurally similar? Timeseries Correlation 4
15 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) Are the distributions structurally similar? Anomaly Detection A(addr) A(port) A(FSD) A(deg) Timeseries Correlation 4
16 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) Are the distributions structurally similar? Anomaly Detection A(addr) A(port) A(FSD) A(deg) Timeseries Correlation Anomaly Correlation Goal(1): Uniqueness 4
17 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) Are the distributions structurally similar? Anomaly Detection A(addr) A(port) A(FSD) A(deg) Timeseries Correlation Anomaly Correlation Goal(1): Uniqueness 4
18 Entropy Timeseries (February 2005) In-degree Out-degree Flow-size Src. Address Dst. Address Src. Port Dst. Port Raw traffic volume 5
19 Entropy Timeseries (February 2005) In-degree Out-degree Flow-size Src. Address Dst. Address Src. Port Dst. Port Raw traffic volume 5
20 Entropy Timeseries (February 2005) test In-degree Out-degree Flow-size Src. Address Dst. Address Src. Port Dst. Port Raw traffic volume 5
21 Entropy Timeseries (February 2005) test In-degree Out-degree Flow-size Src. Address Dst. Address Src. Port Dst. Port Raw traffic volume 5
22 Entropy Timeseries (February 2005) test In-degree Out-degree Flow-size Src. Address Dst. Address Src. Port Dst. Port Raw traffic volume 5
23 Analysis Method NetFlow Data 5 one-month-long traces: CMU-2005, CMU-2008, GATech-2008, GEANT-2005, Internet Entropy Timeseries H(addresses) H(ports) H(flow-size) H(degree) Are the distributions structurally similar? Anomaly Detection A(addr) A(port) A(FSD) A(deg) Timeseries Correlation Anomaly Correlation Goal(1): Uniqueness 6
24 Correlation in Entropy Timeseries Pairwise correlation-scores for CMU-2005 All 4 other traces exhibit similar behavior! 7
25 Why Entropy is Structurally Correlated 1. Port / Address Correlation Properties of Network Traffic: - contribute X packets to address A - contribute X packets to port B if hosts have few connections, and ports are uniformly random similar distributions 8
26 Why Entropy is Structurally Correlated 1. Port / Address Correlation Properties of Network Traffic 2. Source / Destination Correlation Flow accounting: - Bi-directional: Addr1(23) Addr2(53) Bi-directional Saddr(23) Daddr(53) 8
27 Why Entropy is Structurally Correlated 1. Port / Address Correlation Properties of Network Traffic 2. Source / Destination Correlation Flow accounting: - Uni-directional: Addr1 Addr2 (23) Addr2 Addr1 (53) Bi-directional Saddr(23) Daddr(53) Uni-directional Saddr(23), Daddr(23) Saddr(53), Daddr(53) Uni-directionality destroys 2 unique distributions 8
28 Why Anomalies are Correlated Root-cause analysis approach: no Analyze top-k Remove flows Recompute entropy Anomaly subsides? yes, cause! Our results: Ports & addresses: only detect alpha flows (correlation) FSD: detects scans, Degree: SYN flood FSD & Degree are unique (no correlation) 9
29 Why Anomalies are Correlated Root-cause analysis approach: no Analyze top-k Remove flows Recompute entropy Anomaly subsides? yes, cause! Our results: Traffic volume Ports & addresses: only detect alpha flows (correlation) FSD: detects scans, Degree: SYN flood FSD & Degree are unique (no correlation) 9
30 Summary of Goal(1): Uniqueness Strong correlation in ports and addresses Flow-size and degree: unique Structural correlation: properties of traffic Anomaly correlation: types of anomalies seen 10
31 Understanding Effectiveness NetFlow Data Inject Synthetic Anomalies Entropy Timeseries Anomaly Detection Timeseries Correlation Anomaly Correlation 11
32 Best Distribution for an Anomaly? Anomalies: BW Flood, Scanner, Multiple Scanners, Port Scan, and SYN Flood Other Results: BW Flood: ports & addresses already detectable by traffic volume FSD best detector Scans: difficult to detect FSD and degree 12
33 Implications and Conclusions Look beyond ports and addresses Select complementary traffic distributions Uni-directional accounting introduces biases in traffic distributions Future Work: Can correlations be leveraged? during anomalies found in flow-size & degree, correlation drops between ports & addresses 13
34 Questions? 14
An Empirical Evaluation of Entropy-based Traffic Anomaly Detection
An Empirical Evaluation of Entropy-based Traffic Anomaly Detection George Nychis, Vyas Sekar, David G. Andersen, Hyong Kim, Hui Zhang {gnychis,kim}@ece.cmu.edu, {vyass,dga,hzhang}@cs.cmu.edu Carnegie Mellon
More informationEvidence Gathering for Network Security and Forensics DFRWS EU Dinil Mon Divakaran, Fok Kar Wai, Ido Nevat, Vrizlynn L. L.
Evidence Gathering for Network Security and Forensics DFRWS EU 2017 Dinil Mon Divakaran, Fok Kar Wai, Ido Nevat, Vrizlynn L. L. Thing Talk outline Context and problem Objective Evidence gathering framework
More informationIs Host-Based Anomaly Detection + Temporal Correlation = Worm Causality?
Is Host-Based Anomaly Detection + Temporal Correlation = Worm Causality? Vyas Sekar, Yinglian Xie, Michael K. Reiter, Hui Zhang March 6, 27 CMU-CS-7-112 School of Computer Science Carnegie Mellon University
More informationScalable and Robust DDoS Detection via Universal Monitoring
Scalable and Robust DDoS Detection via Universal Monitoring Vyas Sekar Joint work with: Alan Liu, Vladimir Braverman JHU Hun Namkung, Antonis Manousis, CMU DDoS a&acks are ge-ng worse Increasing in number
More informationUnivMon: Software-defined Monitoring with Universal Sketch
UnivMon: Software-defined Monitoring with Universal Sketch Zaoxing (Alan) Liu Joint work with Antonis Manousis (CMU), Greg Vorsanger(JHU), Vyas Sekar (CMU), and Vladimir Braverman(JHU) Network Management:
More informationIt s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security
It s Flow Time! The Role and Importance of Flow Monitoring in Network Operations and Security Pavel Minařík, Chief Technology Officer Neutral Peering Days 2018, The Hague Your customers depend on your
More informationA Two-Layered Anomaly Detection Technique based on Multi-modal Flow Behavior Models
A Two-Layered Anomaly Detection Technique based on Multi-modal Flow Behavior Models Marc Ph. Stoecklin Jean-Yves Le Boudec Andreas Kind
More informationGraph-based Detection of Anomalous Network Traffic
Graph-based Detection of Anomalous Network Traffic Do Quoc Le Supervisor: Prof. James Won-Ki Hong Distributed Processing & Network Management Lab Division of IT Convergence Engineering POSTECH, Korea lequocdo@postech.ac.kr
More informationIntrusion Detection by Combining and Clustering Diverse Monitor Data
Intrusion Detection by Combining and Clustering Diverse Monitor Data TSS/ACC Seminar April 5, 26 Atul Bohara and Uttam Thakore PI: Bill Sanders Outline Motivation Overview of the approach Feature extraction
More informationLecture 2: Streaming Algorithms for Counting Distinct Elements
Lecture 2: Streaming Algorithms for Counting Distinct Elements 20th August, 2008 Streaming Algorithms Streaming Algorithms Streaming algorithms have the following properties: 1 items in the stream are
More informationANOMALY DETECTION USING HOLT-WINTERS FORECAST MODEL
ANOMALY DETECTION USING HOLT-WINTERS FORECAST MODEL Alex Soares de Moura RNP Rede Nacional de Ensino e Pesquisa Rua Lauro Müller, 116 sala 1103 Rio de Janeiro, Brazil alex@rnp.br Sidney Cunha de Lucena
More informationNetwork Security: Network Flooding. Seungwon Shin GSIS, KAIST
Network Security: Network Flooding Seungwon Shin GSIS, KAIST Detecting Network Flooding Attacks SYN-cookies Proxy based CAPCHA Ingress/Egress filtering Some examples SYN-cookies Background In a TCP 3-way
More informationMaking Friends with Broadcast. Administrivia
Making Friends with Broadcast CMU 15-744 David Andersen Administrivia Midterm Mean 66.5, Median 70, Stddev 13.7 Histo: 35-39 37 38 40-44 45-49 50-54 54 54 54 55-59 56 57 60-64 61 64 64 65-69 69 70-74 71
More informationFlowMatrix Tutorial. FlowMatrix modus operandi
FlowMatrix Tutorial A message from the creators: When developing FlowMatrix our main goal was to provide a better and more affordable network anomaly detection and network behavior analysis tool for network
More informationWorm Detection, Early Warning and Response Based on Local Victim Information
Worm Detection, Early Warning and Response Based on Local Victim Information Guofei Gu, Monirul Sharif, Xinzhou Qin, David Dagon, Wenke Lee, and George Riley Georgia Institute of Technology ACSAC'04 1
More informationCisco Stealthwatch. Internal Alarm IDs 7.0
Cisco Stealthwatch Internal Alarm IDs 7.0 Stealthwatch Internal Alarm IDs Some previously used alarms are now obsolete and no longer listed in this file. 1 Host Lock Violation 5 SYN Flood 6 UDP Flood 7
More informationFloCon Netflow Collection and Analysis at a Tier 1 Internet Peering Point. San Diego, CA. Fred Stringer
10 January 2017 FloCon 2017 San Diego, CA Netflow Collection and Analysis at a Tier 1 Internet Peering Point Fred Stringer AT&T Chief Security Organization Systems Engineer/Network Architect AT&T Intellectual
More informationListening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect
Listening to the Network: Leveraging Network Flow Telemetry for Security Applications Darren Anstee EMEA Solutions Architect Introduction Security has an increased focus from ALL businesses, whether they
More informationthis security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities
INFRASTRUCTURE SECURITY this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities Goals * prevent or mitigate resource attacks
More informationAMP-Based Flow Collection. Greg Virgin - RedJack
AMP-Based Flow Collection Greg Virgin - RedJack AMP- Based Flow Collection AMP - Analytic Metadata Producer : Patented US Government flow / metadata producer AMP generates data including Flows Host metadata
More informationNetwork Anomaly Detection Using Autonomous System Flow Aggregates
Network Anomaly Detection Using Autonomous System Flow Aggregates Thienne Johnson 1,2 and Loukas Lazos 1 1 Department of Electrical and Computer Engineering 2 Department of Computer Science University
More informationBackground Traffic to Network /8
Background Traffic to Network 39.0.0.0/8 March 2010 Geoff Huston George Michaelson APNIC R&D research@apnic.net APNIC is now regularly examining the unused state of IPv4 address blocks before they are
More informationForensic Analysis for Epidemic Attacks in Federated Networks
Forensic Analysis for Epidemic Attacks in Federated Networks Yinglian Xie, Vyas Sekar, Michael K. Reiter, Hui Zhang Carnegie Mellon University Presented by Gaurav Shah (Based on slides by Yinglian Xie
More informationIntelligent and Secure Network
Intelligent and Secure Network BIG-IP IP Global Delivery Intelligence v11.2 IP Intelligence Service Brian Boyan - b.boyan@f5.com Tony Ganzer t.ganzer@f5.com 2 Agenda Welcome & Intro Introduce F5 IP Intelligence
More informationData Sources for Cyber Security Research
Data Sources for Cyber Security Research Melissa Turcotte mturcotte@lanl.gov Advanced Research in Cyber Systems, Los Alamos National Laboratory 14 June 2018 Background Advanced Research in Cyber Systems,
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationDETECTION OF DDoS ATTACKS USING SOURCE IP BASED ENTROPY
International Journal of Computer Science Engineering and Information Technology Research(IJCSEITR) ISSN 2249-6831 Vol. 3, Issue 1, Mar 2013, 201-210 TJPRC Pvt. Ltd. DETECTION OF DDoS ATTACKS USING SOURCE
More informationMAD 12 Monitoring the Dynamics of Network Traffic by Recursive Multi-dimensional Aggregation. Midori Kato, Kenjiro Cho, Michio Honda, Hideyuki Tokuda
MAD 12 Monitoring the Dynamics of Network Traffic by Recursive Multi-dimensional Aggregation Midori Kato, Kenjiro Cho, Michio Honda, Hideyuki Tokuda 1 Background Traffic monitoring is important to detect
More informationA Case for a RISC Architecture for Network Flow Monitoring
A Case for a RISC Architecture for Network Flow Monitoring Vyas Sekar 1, Michael K. Reiter 2, Hui Zhang 1 CMU-CS-9-125 School of Computer Science Carnegie Mellon University Pittsburgh, PA 15213 1 Carnegie
More informationDDoS Detection&Mitigation: Radware Solution
DDoS Detection&Mitigation: Radware Solution Igor Urosevic Head of Technical Department SEE CCIE #26391 Ingram Micro Inc. 1 Agenda DDoS attack overview Main point of failures Key challenges today DDoS protection
More informationAnalyzing Flow-based Anomaly Intrusion Detection using Replicator Neural Networks. Carlos García Cordero Sascha Hauke Max Mühlhäuser Mathias Fischer
Analyzing Flow-based Anomaly Intrusion Detection using Replicator Neural Networks Carlos García Cordero Sascha Hauke Max Mühlhäuser Mathias Fischer The Beautiful World of IoT 06.03.2018 garcia@tk.tu-darmstadt.de
More informationPIX-IE An SDN-based Programmable Internet exchange
PIX-IE An SDN-based Programmable Internet exchange Kazuya Okada The University of Tokyo/WIDE Project/NSPIXP Project okada@ecc.u-tokyo.ac.jp Internet2 1 Our Background Operating an academic IX (DIX-IE)
More informationDDoS Protection in Backbone Networks
DDoS Protection in Backbone Networks The Czech Way Pavel Minarik, Chief Technology Officer Holland Strikes Back, 3 rd Oct 2017 Backbone DDoS protection Backbone protection is specific High number of up-links,
More informationAnomaly detection for NFSen/nfdump netflow engine - with Holt-Winters algorithm
Anomaly detection for NFSen/nfdump netflow engine - with Holt-Winters algorithm János Mohácsi, Gábor Kiss NIIF/HUNGARNET Motivation Usual work of CSIRT teams: Find abnormal behaviour Visual detection of
More informationALEMBIC: AUTOMATED MODEL INFERENCE FOR STATEFUL NETWORK FUNCTIONS
ALEMBIC: AUTOMATED MODEL INFERENCE FOR STATEFUL NETWORK FUNCTIONS Soo-Jin Moon Jeffrey Helt, Yifei Yuan, Yves Bieri, Sujata Banerjee, Vyas Sekar, Wenfei Wu, Mihalis Yannakakis, Ying Zhang Carnegie Mellon
More informationMonitoring network bandwidth on routers and interfaces; Monitoring custom traffic on IP subnets and IP subnets groups; Monitoring end user traffic;
NetVizura NetFlow Analyzer enables you to collect, store and analyze network traffic data by utilizing Cisco NetFlow, IPFIX, NSEL, sflow and compatible netflow-like protocols. It allows you to visualize
More informationMining Anomalies Using Traffic Feature Distributions
Mining Anomalies Using Traffic Feature Distributions Anukool Lakhina, Mark Crovella, and Christophe Diot Ý BUCS-TR-25-2 Abstract The increasing practicality of large-scale flow capture makes it possible
More informationLarge-Scale Geolocation for NetFlow
Large-Scale Geolocation for NetFlow Pavel Čeleda, Petr Velan, Martin Rábek Rick Hofstede, Aiko Pras {celeda velan xrabek1}@ics.muni.cz, {r.j.hofstede a.pras}@utwente.nl IFIP/IEEE IM 2013, 27-31 May 2013,
More informationStealthwatch System v6.9.0 Internal Alarm IDs
Stealthwatch System v6.9.0 Internal Alarm IDs Copyrights and Trademarks 2017 Cisco Systems, Inc. All rights reserved. NOTICE THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE
More informationOutline. Motivation. Our System. Conclusion
Outline Motivation Our System Evaluation Conclusion 1 Botnet A botnet is a collection of bots controlled by a botmaster via a command and control (C&C) channel Centralized C&C, P2P-based C&C Botnets serve
More informationDetecting Network Performance Anomalies with Contextual Anomaly Detection
Detecting Network Performance Anomalies with Contextual Anomaly Detection Giorgos Dimopoulos *, Pere Barlet-Ros *, Constantine Dovrolis, Ilias Leontiadis * UPC BarcelonaTech, Barcelona, {gd, pbarlet}@ac.upc.edu
More informationLocality Based Analysis of Network Flows
Carnegie Mellon Locality Based Analysis of Network Flows SEI/CERT 21 July 2004 John McHugh, Carrie Gates, Damon Becknel Carnegie Mellon Why Locality Locality is an entropy based characterization that allows
More informationNetwork Management & Monitoring
Network Management & Monitoring NfSen These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/) What is NfSen
More informationImpact of Sampling on Anomaly Detection
Impact of Sampling on Anomaly Detection DIMACS/DyDan Workshop on Internet Tomography Chen-Nee Chuah Robust & Ubiquitous Networking (RUBINET) Lab http://www.ece.ucdavis.edu/rubinet Electrical & Computer
More informationIdentifying Operating System Using Flow-based Traffic Fingerprinting
Identifying Operating System Using Flow-based Traffic Fingerprinting Tomáš Jirsík, Pavel Čeleda {jirsik celeda}@ics.muni.cz Institute of Computer Science, Masaryk University EUNICE 2014 September, 1. 5.,
More informationAnomaly Detection in Communication Networks
Anomaly Detection in Communication Networks Prof. D. J. Parish High Speed networks Group Department of Electronic and Electrical Engineering D.J.Parish@lboro.ac.uk Loughborough University Overview u u
More informationBasic Concepts in Intrusion Detection
Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification
More informationOn Optimizing Load Balancing of Intrusion Detection and Prevention Systems. Anh Le, Ehab Al-Shaer, and Raouf Boutaba
On Optimizing Load Balancing of Intrusion Detection and Prevention Systems Anh Le, Ehab Al-Shaer, and Raouf Boutaba Outline 1. Motivation 2. Approach Overview 3. Problem Formalization 4. Online Clustering
More informationDetection and Identification of Network Anomalies Using Sketch Subspaces
Detection and Identification of Network Anomalies Using Sketch Subspaces X. Li F. Bian M. Crovella C. Diot R. Govindan G. Iannaccone A. Lakhina ABSTRACT Network anomaly detection using dimensionality reduction
More informationAnti-DDoS. User Guide. Issue 05 Date
Issue 05 Date 2017-02-08 Contents Contents 1 Introduction... 1 1.1 Functions... 1 1.2 Application Scenarios...1 1.3 Accessing and Using Anti-DDoS... 2 1.3.1 How to Access Anti-DDoS...2 1.3.2 How to Use
More informationA Comparison Between Divergence Measures for Network Anomaly Detection
A Comparison Between Divergence Measures for Network Anomaly Detection Jean Tajer, Ali Makke, Osman Salem, Ahmed Mehaoua To cite this version: Jean Tajer, Ali Makke, Osman Salem, Ahmed Mehaoua. A Comparison
More informationRevisiting the Case for a Minimalist Approach for Network Flow Monitoring
Revisiting the Case for a Minimalist Approach for Network Flow Monitoring Vyas Sekar Carnegie Mellon University Pittsburgh, PA vyass@cs.cmu.edu Michael K Reiter UNC Chapel Hill Chapel Hill, NC reiter@cs.unc.edu
More informationFPGA based Network Traffic Analysis using Traffic Dispersion Graphs
FPGA based Network Traffic Analysis using Traffic Dispersion Graphs 2 nd September, 2010 Faisal N. Khan, P. O. Box 808, Livermore, CA 94551 This work performed under the auspices of the U.S. Department
More informationChallenging the Supremacy of Traffic Matrices in Anomaly Detection
Challenging the Supremacy of Matrices in Detection ABSTRACT Augustin Soule Thomson Haakon Ringberg Princeton University Multiple network-wide anomaly detection techniques proposed in the literature define
More informationScrutinizer Flow Analytics
Scrutinizer Flow Analytics TM Scrutinizer Flow Analytics Scrutinizer Flow Analytics is an expert system that highlights characteristics about the network. It uses flow data across dozens or several hundred
More informationModeling the Routing of an ISP with C-BGP
Modeling the Routing of an ISP with C-BGP Bruno Quoitin bruno.quoitin@uclouvain.be IP Networking Lab (INL) Computer Science & Engineering Department Université catholique de Louvain, Belgium 2009 B. Quoitin
More informationJaal: Towards Network Intrusion Detection at ISP Scale
Jaal: Towards Network Intrusion Detection at ISP Scale A. Aqil, K. Khalil, A. Atya, E. Paplexakis, S. Krishnamurthy, KK. Ramakrishnan University of California Riverside T. Jaeger Penn State University
More informationImpact of Packet Sampling on Anomaly Detection Metrics
Impact of Packet Sampling on Anomaly Detection Metrics ABSTRACT Daniela Brauckhoff, Bernhard Tellenbach, Arno Wagner, Martin May Department of Information Technology and Electrical Engineering Swiss Federal
More informationTable of Contents. 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1
Table of Contents 1 Intrusion Detection Statistics 1-1 Overview 1-1 Displaying Intrusion Detection Statistics 1-1 i 1 Intrusion Detection Statistics Overview Intrusion detection is an important network
More informationRSA NetWitness Suite Respond in Minutes, Not Months
RSA NetWitness Suite Respond in Minutes, Not Months Overview One can hardly pick up a newspaper or turn on the news without hearing about the latest security breaches. The Verizon 2015 Data Breach Investigations
More informationCheck Point DDoS Protector Simple and Easy Mitigation
Check Point DDoS Protector Simple and Easy Mitigation Jani Ekman janie@checkpoint.com Sales Engineer DDoS Protector 1 (D)DoS Attacks 2 3 4 DDoS Protector Behavioral DoS Protection Summary 2 What is an
More informationEmpirically Based Analysis: The DDoS Case
Empirically Based Analysis: The DDoS Case Jul 22 nd, 2004 CERT Analysis Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Analysis Center is part of the
More informationCybersecurity Threat Mitigation using SDN
Cybersecurity Threat Mitigation using SDN Mohd Zafran (PhD Candidate) & Koji Okamura Graduate School of Information Science and Electrical Engineering Kyushu University Kyushu University, Japan 29/9/2017
More informationHashing on broken assumptions
Hashing on broken assumptions Lorenzo Saino (@lorenzosaino) Fastly Name of Presentation Problem: Spreading traffic across multiple links, paths, hosts Solutions: Link Aggregation Equal Cost Multipath (ECMP)
More informationOverview of nicter - R&D project against Cyber Attacks in Japan -
Overview of nicter - R&D project against Cyber Attacks in Japan - Daisuke INOUE Cybersecurity Laboratory Network Security Research Institute (NSRI) National Institute of Information and Communications
More informationBlack box anomaly detection: is it utopian?
Black box anomaly detection: is it utopian? Shobha Venkataraman, Juan Caballero, Dawn Song, Avrim Blum, Jennifer Yates Carnegie Mellon University AT&T Labs-Research ABSTRACT Automatic identification of
More informationIntelligent Network Management Using Graph Differential Anomaly Visualization Qi Liao
Intelligent Network Management Using Graph Differential Anomaly Visualization Qi Liao Network Management What is going on in the network? Public servers Private servers Wireless Users DMZ Applications
More informationA TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING AGAINST DDoS ATTACKS
ISSN: 2229-6948 (ONLINE) ICTACT JOURNAL OF COMMUNICATION TECHNOLOGY, JUNE 2010, VOLUME: 01, ISSUE: 02 DOI: 10.21917/ijct.2010.0013 A TWO LEVEL ARCHITECTURE USING CONSENSUS METHOD FOR GLOBAL DECISION MAKING
More informationINTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGIES, VOL. 02, ISSUE 01, JAN 2014 ISSN
CONSTANT INCREASE RATE DDOS ATTACKS DETECTION USING IP TRACE BACK AND INFORMATION DISTANCE METRICS 1 VEMULA GANESH, 2 B. VAMSI KRISHNA 1 M.Tech CSE Dept, MRCET, Hyderabad, Email: vmlganesh@gmail.com. 2
More informationChapter 7. Denial of Service Attacks
Chapter 7 Denial of Service Attacks DoS attack: An action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU),
More informationComputer Security: Principles and Practice
Computer Security: Principles and Practice Chapter 8 Denial of Service First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Denial of Service denial of service (DoS) an action
More information( , *) one-to-many: e.g., scanning (*, ) many-to-one: e.g., DDoS ( /24, /28) subnet-to-subnet
(1.2.3.4, *) one-to-many: e.g., scanning (*, 5.6.7.8) many-to-one: e.g., DDoS (1.2.3.0/24, 4.5.6.0/28) subnet-to-subnet 2 c φn φ: N: 0.0.0.0/0 0.0.0.0/0 10.1/16 192.168/16 10.1/16 192.168/16 10.1.1/24
More informationPyrite or gold? It takes more than a pick and shovel
Pyrite or gold? It takes more than a pick and shovel SEI/CERT -CyLab Carnegie Mellon University 20 August 2004 John McHugh, and a cast of thousands Pyrite or Gold? Failed promises Data mining and machine
More informationINTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGIES, VOL. 02, ISSUE 01, JAN 2014
INTERNATIONAL JOURNAL OF INNOVATIVE TECHNOLOGIES, VOL. 02, ISSUE 01, JAN 2014 ISSN 2321 8665 LOW BANDWIDTH DDOS ATTACK DETECTION IN THE NETWORK 1 L. SHIVAKUMAR, 2 G. ANIL KUMAR 1 M.Tech CSC Dept, RVRIET,
More informationLevel 3 SM Enhanced Management - FAQs. Frequently Asked Questions for Level 3 Enhanced Management
Level 3 SM Enhanced Management - FAQs Frequently Asked Questions for Level 3 Enhanced Management 2015 Level 3 Communications, LLC. All rights reserved. 1 LAYER 3: CONVERGED SERVICES 5 Where can I find
More informationDelay Injection for. Service Dependency Detection
Delay Injection for Service Dependency Detection Richard A. Kemmerer Computer Security Group Department of Computer Science University of California, Santa Barbara http://seclab.cs.ucsb.edu ARO/MURI Meeting
More informationEnhancing Byte-Level Network Intrusion Detection Signatures with Context
Enhancing Byte-Level Network Intrusion Detection Signatures with Context Robin Sommer sommer@in.tum.de Technische Universität München Germany Vern Paxson vern@icir.org International Computer Science Institute
More informationA Case for a RISC Architecture for Network Flow Monitoring
A Case for a RISC Architecture for Network Flow Monitoring Vyas Sekar, Michael K. Reiter, Hui Zhang Carnegie Mellon University, UNC Chapel-Hill ABSTRACT Several network management applications require
More informationCE Advanced Network Security
CE 817 - Advanced Network Security Lecture 5 Mehdi Kharrazi Department of Computer Engineering Sharif University of Technology Acknowledgments: Some of the slides are fully or partially obtained from other
More informationTemporally Oblivious Anomaly Detection on Large Networks Using Functional Peers
Temporally Oblivious Anomaly Detection on Large Networks Using Functional Peers Kevin M. Carter, Richard P. Lippmann, and Stephen W. Boyer MIT Lincoln Laboratory Lexington, MA USA kevin.carter@ll.mit.edu,
More informationA dynamic firewall architecture based on multi-source analysis
CSIT (December 2013) 1(4):317 329 DOI 10.1007/s40012-013-0029-x ORIGINAL RESEARCH A dynamic firewall architecture based on multi-source analysis Muraleedharan Navarikuth Subramanian Neelakantan Kalpana
More informationEntropy-based event detection
Entropy-based event detection New Zealand The Univer rsity of Auckland Ulrich Speidel Department of Computer Science The University of Auckland ulrich@cs.auckland.ac.nz Joint work with Raimund Eimann What
More informationDDoS Testing with XM-2G. Step by Step Guide
DDoS Testing with XM-G Step by Step Guide DDoS DEFINED Distributed Denial of Service (DDoS) Multiple compromised systems usually infected with a Trojan are used to target a single system causing a Denial
More informationDetecting Distributed Denial-of. of-service Attacks by analyzing TCP SYN packets statistically. Yuichi Ohsita Osaka University
Detecting Distributed Denial-of of-service Attacks by analyzing TCP SYN packets statistically Yuichi Ohsita Osaka University Contents What is DDoS How to analyze packet Traffic modeling Method to detect
More informationHardware Flow Offload. What is it? Why you should matter?
Hardware Offload What is it? Why you should matter? Good News: Network Speed The market is moving from 10 Gbit to 40/100 Gbit At 40 Gbit frame inter-arrival time is ~16 nsec At 100 Gbit frame inter-arrival
More informationFlow Measurement. For IT, Security and IoT/ICS. Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018
Flow Measurement For IT, Security and IoT/ICS Pavel Minařík, Chief Technology Officer EMITEC, Swiss Test and Measurement Day 20 th April 2018 What is Flow Data? Modern method for network monitoring flow
More informationHotspots: The Root Causes of Non- Uniformity in Self-Propagating Malware
Hotspots: The Root Causes of Non- Uniformity in Self-Propagating Malware Evan Cooke, Z. Morley Mao, Farnam Jahanian *University of Michigan - 1 - DSN 2006 Self-Propagating Malware Worms & Botnets (Source:
More informationFrom Traffic Measurement to Realistic Workload Generation
From Traffic Measurement to Realistic Workload Generation Felix Hernandez-Campos Ph. D. Candidate Dept. of Computer Science Univ. of North Carolina at Chapel Hill Joint work with F. Donelson Smith and
More informationUsing traffic snapshots to detect DDoS attacks From state-of-the-art approaches to the industry
Using traffic snapshots to detect DDoS attacks From state-of-the-art approaches to the industry Gilles Roudière 1 (PhD student) Philippe Owezarski 1, François Devienne 2 (Supervisors) 1, {gilles.roudiere,
More informationNetwork measurement activities at UPC Barcelona. June 3, 2011
Network measurement activities at UPC Barcelona June 3, 2011 1 About us Advanced Broadband Comm. Center (CCABA) Research center at UPC Several topics: optical networking, new Internet arch., nano-networking,
More informationTCEP: Traffic Consolidation for Energy-Proportional High-Radix Networks
TCEP: Traffic Consolidation for Energy-Proportional High-Radix Networks Gwangsun Kim Arm Research Hayoung Choi, John Kim KAIST High-radix Networks Dragonfly network in Cray XC30 system 1D Flattened butterfly
More informationSDN Applications and Use Cases. Copyright 2015 ITRI
SDN Applications and Use Cases Copyright 20 ITRI Bachelor B Ph.D (IR) (ITRI) Engineer 20 Copyright 20 ITRI 2 Outline SDN Basics SDN Use Cases & Applications Google B WAN NEC VTN OpenDefenseFlow Firewall
More informationChair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks System Vulnerabilities and
More informationDetecting Botnets Using Cisco NetFlow Protocol
Detecting Botnets Using Cisco NetFlow Protocol Royce Clarenz C. Ocampo 1, *, and Gregory G. Cu 2 1 Computer Technology Department, College of Computer Studies, De La Salle University, Manila 2 Software
More informationICMP Traceback Messages
ICMP Traceback Messages Steven M. Bellovin 973-360-8656 AT&T Labs Research Florham Park, NJ 07932 Steven M. Bellovin March 30, 2000 1 Goals Trace of packets coming at you. Primary motive: trace back denial
More informationThe NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware
The NIDS Cluster: Scalable, Stateful Network Intrusion Detection on Commodity Hardware Matthias Vallentin 1, Robin Sommer 2,3, Jason Lee 2, Craig Leres 2 Vern Paxson 3,2, and Brian Tierney 2 1 TU München
More informationDetecting Distributed DoS/Scanning by Anomaly Distribution of. Packet Fields. Chang-Han Jong, Shiuh-Pyng Shieh.
Detecting Distributed DoS/Scanning by Anomaly Distribution of Packet Fields Chang-Han Jong, Shiuh-Pyng Shieh {chjong,ssp}@csie.nctu.edu.tw Department of Computer Science and Information Engineering, National
More informationAppendix A. Methodology
193 Appendix A Methodology In this appendix, I present additional details of the evaluation of Sync-TCP described in Chapter 4. In Section A.1, I discuss decisions made in the design of the network configuration.
More informationGround truth analysis of anomalies in traffic feature distributions
Mahdi Asadpour Ground truth analysis of anomalies in traffic feature distributions Research in Computer Science II (263-0600-00L) September 2009 Tutor: Bernhard Tellenbach Supervisor: Prof. Bernhard Plattner
More informationAutomated Analysis and Aggregation of Packet Data
Automated Analysis and Aggregation of Packet Data Samuel Oswald Hunter 25th February 2010 1 Principle Investigator Samuel Oswald Hunter g07h3314@campus.ru.ac.za Supervised by: Mr Barry Irwin 2 Background
More information