ANOMALY DETECTION USING HOLT-WINTERS FORECAST MODEL
Alex Soares de Moura, RNP - Rede Nacional de Ensino e Pesquisa, Rua Lauro Müller, 116 sala 1103, Rio de Janeiro, Brazil, alex@rnp.br
Sidney Cunha de Lucena, UNIRIO - Universidade Federal do Estado do Rio de Janeiro, Av. Pasteur, 458 CCET sala 111, Rio de Janeiro, Brazil, sidney@uniriotec.br

ABSTRACT

Attacks against networks and their services are a permanent concern for Internet service providers and datacenters. Several methods for anomaly detection in high-speed links have been researched in recent years. This article evaluates a simple method based on the Holt-Winters forecast model to verify significant changes in the pattern of traffic parameters normally affected in the presence of anomalies. This work also proposes and evaluates the use of filters to increase the effectiveness of the method for the detection of specific types of attacks. Results confirm the usefulness of this proposal to detect malicious traffic related to a TCP SYN flood attack and to the propagation of the Slammer worm, both applied to real traffic samples from the Brazilian NREN.

KEYWORDS

Anomaly detection, Holt-Winters forecast model, entropy, DoS attacks.

1. INTRODUCTION

Hosting and collocation services are commonly used by clients of different sizes. The increasing popularity of these solutions, where providers host widespread network services like web sites in their own clouds, together with the progressively lower prices of broadband access, brings a corresponding increase in the providers' network traffic. Consequently, more attention to security issues is needed, since the probability of an attack increases as the number of clients grows. In this scenario, a reactive way of dealing with security problems may lead to a loss of credibility of the services. So, it becomes important for providers to adopt a proactive way to detect anomalous traffic that may be flowing through the network, in order to take the respective countermeasures as soon as possible.

Several methods were proposed in the past years concerning anomaly detection, not all of them suitable for use by Internet Service Providers (ISPs). The work in Silveira 2010 provides a taxonomy of event detection methods that can be used for anomaly detection. The methods are structured as: signature-based (used by IDSes), based on control data (inspecting DNS messages or BGP feeds, for example), based on application-specific data (searching for security problems of a specific application), based on non-aggregate traffic data (looking for anomalies in the traffic of a specific host) and based on aggregate traffic data (analyzing the traffic on network links). Considering high traffic volumes and the need to detect anomalies of different types, detection based on aggregate traffic is more appropriate for ISPs. It is worth noting that an anomaly is not necessarily caused by malicious activity. For example, link failures or abrupt routing changes also cause traffic anomalies. For this reason, it is also necessary to use root cause analysis to distinguish what kind of problem has been detected (Silveira and Diot 2010). Root cause analysis is out of the scope of the present work.

The work here proposes a simple method for anomaly detection on aggregate data that can be easily coupled to well-known open-source network management tools. This method uses entropy-based traffic metrics and the Holt-Winters forecast model to expose anomalies in the aggregated traffic of a network link. The evaluation of this proposal is achieved by injecting an artificially generated TCP SYN flood attack and Slammer worm propagation into real traffic samples from the backbone of RNP, the Brazilian NREN. Results also show that the efficiency of the method can be significantly improved for the detection of some specific classes of attack by the use of specific filters applied to the monitored flows. The rest of this paper has the following structure: Section II brings related work, Section III describes the proposed method, Section IV explains the evaluation methodology, Section V shows the obtained results and Section VI brings conclusions and future work.

2. RELATED WORK

In the past years, several methods were proposed concerning aggregation strategies, traffic metrics and statistical techniques to signal anomalies in WAN traffic. Packet sampling is the most used aggregation strategy to reduce storage space and traffic monitoring overhead for high volume backbone links. In Mai 2006, it is shown that heavy sampling can cause false positives and false negatives in volume-based anomaly detectors, which rely on packet or bit rate metrics to expose anomalies. In Brauckhoff 2006, entropy is shown to be a better metric to reduce the impact of heavy sampling. In Lakhina et al 2005, the authors use the entropy of IP addresses and port numbers as a metric for anomaly detection in a network-wide manner, where data is collected from multiple links and aggregated into origin-destination flows. This work uses a method based on Principal Component Analysis to point out anomalies, and Brauckhoff et al 2009 shows that it fails to capture temporal correlation and may cause false negatives. In Brutlag 2000, the seasonal Holt-Winters forecast model is applied to packet rate time series for aberrant behavior detection in a single-link approach, which is easier to implement than a network-wide approach. In Silveira et al 2010, it is shown that a single-link approach using a Kalman filter-based forecast method can identify 91% of the anomalies identified by a corresponding network-wide approach. This anomaly detection method is called ASTUTE; it captures the correlation among individual traffic flows and observes distributions of volume changes to detect anomalies. Despite the relevant results, this method fails to detect anomalies typically caused by DoS attacks or large file transfers. The authors argue that a complementary volume-based EWMA (Exponentially Weighted Moving Average) anomaly detector is enough for a well combined solution (Silveira 2010).

3. PROPOSED METHOD FOR ANOMALY DETECTION

3.1 Entropy Measurements

The proposed method is based on entropy measurements of IP and port values of packets flowing through a given network link in a given time interval. This results in four time series of entropies representing the behavior of origin and destination IP addresses and origin and destination port numbers at each time interval. The metric used is a normalized version of Shannon's entropy (Shannon 1948) and is defined as:

$$E_{ns} = -\left( \sum_{i=1}^{N} p_i \log_2 p_i \right) \Big/ \log_2 N, \qquad (1)$$

if N > 1, where N is the number of different values in a time interval and p_i is the probability associated with each different value i. If N = 1, then E_ns = 0. E_ns varies from 0 to 1 and is a measure of the level of dispersion in the distribution of i: 0 corresponds to maximum concentration (only one value of i in the interval) and 1 corresponds to maximum dispersion. The normalization by log_2 N is used to avoid variations in E_ns caused by changes in N that do not affect the distribution of i. The intuition behind this is to have a metric less sensitive to some kinds of anomalies that mainly affect traffic volume, like link failures or routing changes.

3.2 Seasonal Holt-Winters Forecast Model

The seasonal Holt-Winters (HW) forecasting model is usually applied to time series that present seasonal patterns (Brutlag 2000). It divides a time series X_t into three parts: one related to its seasonality (c_t), one related to its trend behavior (b_t) and one for the residual part (a_t). For each of them, a simple EWMA is applied to predict a new value. A combination of these expressions is used to estimate X_{t+1}. The following equations represent the HW computation:

$$\hat{X}_{t+1} = a_t + b_t + c_{t+1-m} \qquad (2)$$

$$a_t = \alpha (X_t - c_{t-m}) + (1 - \alpha)(a_{t-1} + b_{t-1}) \qquad (3)$$

$$b_t = \beta (a_t - a_{t-1}) + (1 - \beta) b_{t-1} \qquad (4)$$

$$c_t = \gamma (X_t - a_t) + (1 - \gamma) c_{t-m}, \qquad (5)$$

where m is the period of the seasonality and α, β and γ are the parameters of the respective EWMA expressions of a_t, b_t and c_t, with values between 0 and 1. Equations (2) to (5) assume an additive seasonality, which means that the statistical behavior of the seasonal component in (5) is not proportional to the trend component in (4). That is the opposite of the multiplicative seasonality (Koehler et al 2001). Experiments related to the present work (not shown) demonstrated that the additive seasonality fits better as a forecast model for the time series of measured entropies.

3.3 Decision Criteria for Anomaly Detection Using HW

An anomaly is detected when the measured entropies present a substantial deviation from their predictions. This verification can be done automatically by associating proper upper and lower bounds with the HW predictions: any measurement that falls outside these bounds is considered abnormal. As in Brutlag 2000, the bounds are obtained by the use of an EWMA for the time series of deviations d_t between the measured and the predicted entropies:

$$d_t = \gamma \, |Y_t - \hat{X}_t| + (1 - \gamma) d_{t-m}, \qquad (6)$$

where γ is the same used in (5), Y_t is the measured entropy and \hat{X}_t is the predicted one. The boundaries are given by

$$\left( \hat{X}_t - \delta d_{t-m}, \; \hat{X}_t + \delta d_{t-m} \right), \qquad (7)$$

where δ is an adjusting factor.
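The script below is an added worked example, not the paper's code (the paper computes all of this with RRDtool): it implements the normalized entropy of equation (1), the additive seasonal Holt-Winters predictor of equations (2)-(5) and the deviation bounds of equations (6)-(7), and runs them over a constructed entropy time series with a daily cycle and an injected 1.5 h dip such as a single destination IP concentrating traffic would cause. The series itself, the seeding of a, b and c from the first season, the deviation seed d0 = 0.02 and the value β = 0.001 (the extracted page does not give the β the authors used) are assumptions made for this example; α = 0.01, γ = 0.01, δ = 2 and m = 288 follow Section 5. A plain EWMA predictor is included so the comparison of Section 5.3 can be reproduced on the same series.

```python
"""Entropy-based anomaly detection with the additive seasonal Holt-Winters
model and deviation bounds (equations (1)-(7) of the paper).
Added example; the series below is constructed, not measured data."""
import math
import random
from collections import Counter


def normalized_entropy(values):
    """Equation (1): Shannon entropy of the observed value distribution,
    divided by log2(N) so the result lies in [0, 1]; 0 when N <= 1."""
    counts = Counter(values)
    n = len(counts)
    if n <= 1:
        return 0.0
    total = sum(counts.values())
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(n)


def holt_winters_detect(series, m, alpha, beta, gamma, delta, d0):
    """Additive seasonal Holt-Winters (eqs. 2-5) plus the deviation EWMA
    (eq. 6) and bounds (eq. 7). The first season seeds a, b and c; d0 seeds
    the deviation series (assumption). Returns, for each t >= m, a dict with
    the prediction, the bounds and an anomaly flag; t < m yields None."""
    level = sum(series[:m]) / m           # a: mean of the first season
    trend = 0.0                           # b: no trend assumed at start
    c = [x - level for x in series[:m]]   # c_t for t < m
    d = [d0] * m                          # d_t for t < m
    out = [None] * m
    for t in range(m, len(series)):
        x = series[t]
        pred = level + trend + c[t - m]                              # eq. (2)
        lo, hi = pred - delta * d[t - m], pred + delta * d[t - m]    # eq. (7)
        new_level = alpha * (x - c[t - m]) + (1 - alpha) * (level + trend)  # (3)
        trend = beta * (new_level - level) + (1 - beta) * trend              # (4)
        level = new_level
        c.append(gamma * (x - level) + (1 - gamma) * c[t - m])               # (5)
        d.append(gamma * abs(x - pred) + (1 - gamma) * d[t - m])             # (6)
        out.append({"pred": pred, "lo": lo, "hi": hi,
                    "anomaly": not (lo <= x <= hi)})
    return out


def ewma_residuals(series, alpha):
    """Plain non-seasonal EWMA predictor (Section 5.3 comparison):
    residual at t is the observation minus the smoothed value at t-1."""
    s = series[0]
    res = [0.0]
    for x in series[1:]:
        res.append(x - s)
        s = alpha * x + (1 - alpha) * s
    return res


M = 288  # 5-minute intervals in a 24-hour season, as in the paper


def make_series(days=5, attack_start=2 * M, attack_len=18, attack_depth=0.3):
    """Constructed entropy series: a daily cycle around 0.8 with bounded
    pseudo-noise and a dip of attack_depth lasting attack_len intervals
    (18 intervals = 1.5 h) from the start of the third day."""
    rng = random.Random(7)
    xs = []
    for t in range(days * M):
        x = 0.8 + 0.1 * math.sin(2 * math.pi * t / M) + rng.uniform(-0.01, 0.01)
        if attack_start <= t < attack_start + attack_len:
            x -= attack_depth
        xs.append(x)
    return xs


def run_demo():
    """Flag anomalies and compare HW and EWMA residuals on a clean day."""
    xs = make_series()
    res = holt_winters_detect(xs, M, alpha=0.01, beta=0.001, gamma=0.01,
                              delta=2, d0=0.02)
    flagged = [t for t, r in enumerate(res) if r and r["anomaly"]]
    hw_max = max(abs(xs[t] - res[t]["pred"]) for t in range(M, 2 * M))
    ew_max = max(abs(e) for e in ewma_residuals(xs, 0.01)[M:2 * M])
    return {"flagged": flagged, "hw_max_day2": hw_max, "ewma_max_day2": ew_max}


if __name__ == "__main__":
    r = run_demo()
    print("intervals flagged:", r["flagged"])
    print("max |residual| on a normal day: HW %.3f vs EWMA %.3f"
          % (r["hw_max_day2"], r["ewma_max_day2"]))
```

Two behaviours are worth noticing when running it. The whole injected window is flagged, but because equations (3)-(5) keep updating a_t with the anomalous observations, the level is pulled toward the dip and a short tail of intervals right after it can also fall outside the bounds while a_t recovers; that is the same dependence on the predictor that Section 6 proposes to improve with better bounds. On the clean second day the HW residuals stay within a few hundredths, while the EWMA with the same α lags the daily cycle and leaves residuals several times larger, which is the effect shown in Fig. 5.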
In Koehler et al 2001, the proposed values for δ lie between 2 and 3. It is worth noting that the method presented in Brutlag 2000 does not consider entropy measurements; it just uses a Holt-Winters forecast model applied to time series of bit rates.

4. EXPERIMENTAL EVALUATION METHODOLOGY

The evaluation of anomaly detection methods using real traffic data from backbone links is notoriously a difficult task. It is very hard to know beforehand which anomalies are present at which time, and also to guarantee that some sequence of data is really free of anomalies. The approach here injects artificially generated malicious traffic data, corresponding to a TCP SYN flood attack and the Slammer worm propagation, into real traffic traces from RNP.

4.1 Traffic Data from RNP

A real traffic data trace was obtained from NetFlow records (Cisco 2007) of a 2.5 Gbps link of RNP's backbone. The packet sampling rate used was 1 out of 100 at the respective router. The total amount of collected data represents a sequence of ten days between November and December. The mean rate of the traffic, not considering sampling, is 30 Kpps and it represents a period of supposedly normal use of this backbone link. At the time of these measurements, no tools were in place at RNP to automatically detect attacks.

4.2 Artificial Generation of Malicious Traffic

A tool called Pcapr was used to generate files describing the behavior of two different well-known attacks: the TCP SYN flood and the Slammer worm. These files are then used as input for a tool called MuDos that generates the corresponding traffic to some previously configured destination network. The generated traffic is then sniffed, sampled and converted to NetFlow format. The mean packet rate of the generated traffic was adjusted to stay between 10% and 20% of the mean packet rate of the real traffic. These are typical values at which a severe attack cannot be easily identified by visual inspection of the packet rate time series of a backbone link.

4.3 Filtering Well-Known Characteristics

If malicious traffic traversing a backbone link has a mean packet rate significantly lower than the mean packet rate of the normal traffic in the link, the level of dispersion captured by the entropy measurements of the combined traffic may vary only a little. In this case, it may be hard to detect this kind of attack using the proposed method. To minimize this problem, the portion of the monitored data representing the normal traffic can be reduced using filters that consider only packets with some well-known characteristic related to a target class of malicious traffic. For the injected anomalies used here, filters that count only packets with the UDP protocol (the case of some worm propagations) or packets with destination port 80 (the case of an attack on web sites) were applied. Results presented in Section V show the efficiency of this approach.

Figure 1. Entropies and HW forecasts with TCP SYN flood attack inserted.
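To make the effect of Section 4.3 concrete, the following added example (not the paper's code or data) builds one constructed 5-minute interval of background packets, adds an attack mix with the parameters of Section 5.1 (source addresses spread over a /22, one destination IP, destination port 80/TCP) and compares the destination-IP entropy with and without the destination-port-80 filter. The address ranges (10.1.0.0/16 and 10.2.0.0/16 for clients and servers, 10.20.0.0/22 for the attack sources, 192.0.2.10 for the victim) and the packet counts are illustrative choices, not values from the RNP traces.

```python
"""Effect of the Section 4.3 filters on the entropy measurements.
Added example: every packet below is constructed, not RNP trace data."""
import math
from collections import Counter


def normalized_entropy(values):
    """Equation (1): Shannon entropy normalized by log2(N); 0 when N <= 1."""
    counts = Counter(values)
    n = len(counts)
    if n <= 1:
        return 0.0
    total = sum(counts.values())
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(n)


def background_interval(n_packets=10000):
    """Constructed normal traffic for one interval: 500 clients (10.1.0.0/16)
    talking to 400 servers (10.2.0.0/16); one packet in four goes to port 80."""
    pkts = []
    for i in range(n_packets):
        src = "10.1.%d.%d" % divmod(i % 500, 256)
        dst = "10.2.%d.%d" % divmod(i % 400, 256)
        dport = 80 if i % 4 == 0 else 443
        pkts.append((src, dst, dport, "tcp"))
    return pkts


def flood_interval(n_packets=1500):
    """Constructed SYN flood as parameterised in Section 5.1: sources spread
    over a /22 (10.20.0.0/22), one destination (192.0.2.10), port 80/TCP.
    1500 packets is about 13% of the background, inside the 10-20% band."""
    return [("10.20.%d.%d" % divmod(i % 1024, 256), "192.0.2.10", 80, "tcp")
            for i in range(n_packets)]


def entropies(pkts, only_dport=None):
    """Entropy of each monitored field, optionally keeping only packets with
    a given destination port (the paper's destination-port-80 filter)."""
    if only_dport is not None:
        pkts = [p for p in pkts if p[2] == only_dport]
    return {"src_ip": normalized_entropy([p[0] for p in pkts]),
            "dst_ip": normalized_entropy([p[1] for p in pkts]),
            "dst_port": normalized_entropy([p[2] for p in pkts]),
            "packets": len(pkts)}


def compare_filter():
    """Destination-IP entropy before and after the injection, without and
    with the port-80 filter, plus the destination-port entropy under it."""
    normal = background_interval()
    attacked = normal + flood_interval()
    return {
        "unfiltered": (entropies(normal)["dst_ip"],
                       entropies(attacked)["dst_ip"]),
        "port80": (entropies(normal, 80)["dst_ip"],
                   entropies(attacked, 80)["dst_ip"]),
        "port80_dst_port": entropies(attacked, 80)["dst_port"],
    }


if __name__ == "__main__":
    r = compare_filter()
    for name in ("unfiltered", "port80"):
        before, after = r[name]
        print("%-10s dst-IP entropy %.3f -> %.3f (drop %.3f)"
              % (name, before, after, before - after))
    print("dst-port entropy under the port-80 filter:", r["port80_dst_port"])
```

Without the filter the attack is about 13% of the packets and the destination-IP entropy falls from 1.0 to roughly 0.93; under the port-80 filter the attack becomes about 38% of the remaining packets and the entropy falls to roughly 0.77, a drop more than three times larger, which is what lets the HW bounds of Fig. 2 trigger where those of Fig. 1 did not. The same run also reproduces the remark in Section 5.1 that the destination-port entropy is identically zero under this filter, because only one port value remains.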
5. RESULTS

The measured entropies were computed for every 5-minute interval and recorded using the Round-Robin Database (RRD) format. It is worth noting that a 5-minute time interval is commonly used for network monitoring and widely adopted in several other works (Lakhina et al 2005, Silveira et al 2010). The computation of the proposed method for anomaly detection in entropy time series is done using RRDtool (Brutlag 2000). RRDtool is an open-source tool to manipulate and plot data recorded in RRD format. Both the HW forecast model, found in (2)-(5), and the entropy boundaries, found in (6) and (7), are implemented in RRDtool. The values of the HW parameters are the same for all four time series of entropies and were empirically chosen based on Brutlag 2000: α = 0.01, β = , γ = 0.01, δ = 2 and m = 288. The value of m corresponds to a 24-hour seasonal period counted in 5-minute intervals. RRDtool implements (6) using a circular queue whose size was configured to 5 days.

All the graphs were generated using RRDtool. The large squares indicate the region of the inserted attack, always starting at 0h of day 27 (Thursday). For better visualization, only three days of the time series are shown in each graph, including the inserted attack at the beginning of the second day. The green line indicates the HW predictions, the dark lines indicate the boundaries for anomaly detection, as found in (7), and the red line indicates the measured entropies. An anomaly is detected every time the red line crosses the boundaries represented by the dark lines.

5.1 TCP SYN Flood

The parameters used to describe this Distributed DoS attack, which tries to exhaust the victim's resources by initiating multiple TCP connections, are the following: random source IPs from a /22 network and one specific destination IP, random source port numbers and one specific destination port number (80/TCP). The duration of the injected attack is 1.5 h and the packet rate varies from 4 Kpps to 6 Kpps, which represents 13.3% to 20% of the mean packet rate of the real traffic trace. Fig. 1 shows the results without any filter (from top: source IP, destination IP, source port and destination port) and Fig. 2 shows the results with a filter that considers only packets with destination port 80 (from top: source IP, destination IP and source port).

Figure 2. Entropies and HW forecasts with TCP SYN flood attack inserted, filter by destination port 80.

As observed in Fig. 1, the disturbances in the measured entropies caused by this injection, although visually perceptible, were not sufficient to significantly trigger the detection in any of the time series. However, with the specified filter, as shown in Fig. 2, the disturbances in the measured entropies are enough to trigger the detection in all time series, except for the destination port (not shown), since all packets having the same destination port makes that entropy always zero.

5.2 Slammer Worm

The parameters used to describe this attack, which exploits a vulnerability of Microsoft SQL servers, are the following: one specific source IP, random destination IPs, random source port numbers and one specific destination port (1434/UDP). The duration of the injected attack is 2 h and the packet rate is fixed at 0.5 Kpps, which represents 16.6% of the mean packet rate of the real traffic trace. Fig. 3 shows the results without any filter and Fig. 4 shows the results with a filter that considers only packets using the UDP protocol (in both cases, from top: source IP, destination IP, source port and destination port).

Figure 3. Entropies and HW forecasts with Slammer worm attack inserted.

Comparing Fig. 3 and Fig. 4, it is clear that the adoption of the filter for the UDP protocol increases the disturbance in the measured entropies and makes the anomaly more evident for the detection. However, in this case, the results in Fig. 3 show that this attack could also be detected in the source IP and destination port entropies without using the filter.

5.3 Holt-Winters versus EWMA

The use of a simple EWMA instead of the Holt-Winters forecast model has good practical implications, as there would be only one parameter to choose (α) instead of three. However, the inability of a simple EWMA to capture seasonal patterns makes it less applicable to time series of entropies. Another key point is that the Holt-Winters forecasts are more sensitive to α than to the other two parameters, making the model almost as easy to parameterize as the EWMA. Fig. 5 shows a comparison between the EWMA and two HW models for the prediction of the measured entropies of origin port numbers. In this case, 5 days are shown and a simple DoS attack was inserted at the beginning of the second day. The parameters are the same used in the previous tests, except for γ, which is equal to 0.1 in the second HW model (from top to bottom). The EWMA uses the same α. It is easy to observe that the EWMA fails to predict the entropies due to their seasonal pattern. It can also be observed that a tenfold increase in γ practically did not affect the HW predictions. Previous tests (not shown) verified that an equal increase in α makes the HW fail to predict the entropies.

Figure 4. Entropies and HW forecasts with Slammer worm attack inserted, filter by UDP protocol.

6. CONCLUSIONS

The results indicate that the HW predictor estimates well the behavior of the measured entropies corresponding to a period of normal traffic in a backbone link. In the presence of an anomaly, the measured entropies clearly deviate from their predictions in at least one of the four time series, and this can be used to trigger the detection. The use of filters to capture packets with well-known characteristics of some class of attacks clearly makes them more evident. The adopted criterion for establishing the boundaries that automatically trigger the detection was not efficient on its own in one of the studied cases and can be improved to reduce the dependence on filters.

The presented method focuses on simplicity. The use of RRDtool shows that it can be easily coupled to the most adopted open-source network monitoring tools. The establishment of filters for well-known characteristics of some attacks is very practical and widely adopted by network operators who do manual inspection of traffic flows. All the calculations can be easily evaluated for real-time anomaly detection with the traditional delay of five minutes adopted by the majority of network monitoring tools.

The proposed method does not intend to detect every kind of anomaly that can be present in a backbone link. As stated in Silveira 2010, complementary methods must be used to cover all possibilities. Results show that the method is appropriate to detect DoS-style and worm-spread attacks in WAN links that could be hidden in the overall traffic, and that also means it can be considered a good complementary detector for other proposals, like ASTUTE (Silveira et al 2010). The validation of the method used real traffic samples from RNP's backbone, into which both a TCP SYN flood attack and a Slammer worm spread were artificially inserted. Future work will study better upper and lower bounds for the Holt-Winters predictions in order to automatically infer anomalies with less dependence on filters.

Figure 5. Comparison between HW with γ = 0.01, HW with γ = 0.1 and EWMA (α = 0.01 for all, and DoS inserted at 0h of the second day).

ACKNOWLEDGEMENT

The authors thank RNP for giving access to all data used in this work.

REFERENCES

Silveira, F. Unsupervised Diagnosis of Network Traffic Anomalies. Ph.D. thesis, Université Pierre et Marie Curie, Paris.
Silveira, F. and Diot, C. URCA: Pulling Anomalies by their Root Causes. Proceedings of IEEE INFOCOM.
Mai, J. et al. Is Sampled Data Sufficient for Anomaly Detection? Proceedings of IMC.
Brauckhoff, D. et al. Impact of Packet Sampling on Anomaly Detection Metrics. Proceedings of IMC.
Lakhina, A. et al. Mining Anomalies Using Traffic Feature Distributions. Proceedings of the ACM SIGCOMM, Philadelphia.
Brauckhoff, D. et al. Applying PCA for Traffic Anomaly Detection: Problems and Solutions. Proceedings of IEEE INFOCOM, Rio de Janeiro.
Brutlag, J. Aberrant Behavior Detection in Time Series for Network Monitoring. Proceedings of the 14th Systems Administration Conference (LISA 2000), New Orleans.
Silveira, F. et al. ASTUTE: Detecting a Different Class of Traffic Anomalies. Proceedings of the ACM SIGCOMM.
Shannon, C. A Mathematical Theory of Communication. Bell System Technical Journal, vol. 27.
Koehler, A. et al. Forecasting Models and Prediction Intervals for the Multiplicative Holt-Winters Method. International Journal of Forecasting, vol. 17, no. 2.
Cisco Systems Inc. NetFlow Services Solution Guide. Referenced on May 2011.
More informationConfiguring Anomaly Detection
CHAPTER 9 This chapter describes anomaly detection and its features and how to configure them. It contains the following topics: Understanding Security Policies, page 9-2 Understanding Anomaly Detection,
More informationFlooding Attacks by Exploiting Persistent Forwarding Loops
Flooding Attacks by Exploiting Persistent Forwarding Jianhong Xia, Lixin Gao, Teng Fei University of Massachusetts at Amherst {jxia, lgao, tfei}@ecs.umass.edu ABSTRACT In this paper, we present flooding
More informationChair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Network Security Chapter 8 System Vulnerabilities and Denial of Service Attacks System Vulnerabilities and
More informationUnderstanding the Internet
Announcements U.S. National Cybersecurity Understanding the Internet Axess Forum Bios/Photos Law School Event William J. Perry Martin Casado Keith Coleman Dan Wendlandt MS&E 91SI Spring 2004 Stanford University
More informationWiSHF L. Stathes Hadjiefthymiades National and Kapodistrian University of Athens
CONTEXTUAL INFERENCE OVER IOT NODES - UNITE - UFRJ Stathes Hadjiefthymiades National and Kapodistrian University of Athens The research leading to these results has received funding from the European Horizon
More informationNetwork Security. Chapter 0. Attacks and Attack Detection
Network Security Chapter 0 Attacks and Attack Detection 1 Attacks and Attack Detection Have you ever been attacked (in the IT security sense)? What kind of attacks do you know? 2 What can happen? Part
More informationComputer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2009 Lecture 5 Announcements First project: Due: 6 Feb. 2009 at 11:59 p.m. http://www.cis.upenn.edu/~cis551/project1.html Group project: 2 or 3 students
More informationA Network Intrusion Detection System Architecture Based on Snort and. Computational Intelligence
2nd International Conference on Electronics, Network and Computer Engineering (ICENCE 206) A Network Intrusion Detection System Architecture Based on Snort and Computational Intelligence Tao Liu, a, Da
More informationReformulating the monitor placement problem: Optimal Network-wide Sampling
Reformulating the monitor placement problem: Optimal Network-wide Sampling Gion-Reto Cantieni (EPFL) Gianluca Iannaconne (Intel) Chadi Barakat (INRIA Sophia Antipolis) Patrick Thiran (EPFL) Christophe
More informationNetwork Performance Analysis of an Adaptive OSPF Routing Strategy Effective Bandwidth Estimation
International Telecommunication Symposium ITS 22, Natal, Brazil Network Performance Analysis of an Adaptive OSPF Routing Strategy Effective Bandwidth Estimation Tatiana B. Pereira and Lee L. Ling UNICAMP,
More informationOur Narrow Focus Computer Networking Security Vulnerabilities. Outline Part II
Our Narrow Focus 15-441 15-441 Computer Networking 15-641 Lecture 22 Security: DOS Peter Steenkiste Fall 2016 www.cs.cmu.edu/~prs/15-441-f16 Yes: Creating a secure channel for communication (Part I) Protecting
More informationA Two-Layered Anomaly Detection Technique based on Multi-modal Flow Behavior Models
A Two-Layered Anomaly Detection Technique based on Multi-modal Flow Behavior Models Marc Ph. Stoecklin Jean-Yves Le Boudec Andreas Kind
More informationProlexic Attack Report Q4 2011
Prolexic Attack Report Q4 2011 Prolexic believes the nature of DDoS attacks are changing: they are becoming more concentrated and damaging. Packet-per-second volume is increasing dramatically, while attack
More informationAnalysis of BGP security vulnerabilities
Edith Cowan University Research Online Australian Information Security Management Conference Conferences, Symposia and Campus Events 2011 Analysis of BGP security vulnerabilities Muhammad Mujtaba University
More informationCorrelative Analytic Methods in Large Scale Network Infrastructure Hariharan Krishnaswamy Senior Principal Engineer Dell EMC
Correlative Analytic Methods in Large Scale Network Infrastructure Hariharan Krishnaswamy Senior Principal Engineer Dell EMC 2018 Storage Developer Conference. Dell EMC. All Rights Reserved. 1 Data Center
More informationintelop Stealth IPS false Positive
There is a wide variety of network traffic. Servers can be using different operating systems, an FTP server application used in the demilitarized zone (DMZ) can be different from the one used in the corporate
More informationA Large Scale Simulation Study: Impact of Unresponsive Malicious Flows
A Large Scale Simulation Study: Impact of Unresponsive Malicious Flows Yen-Hung Hu, Debra Tang, Hyeong-Ah Choi 3 Abstract Researches have unveiled that about % of current Internet traffic is contributed
More informationMeasuring Defence Systems Against Flooding Attacks
Measuring Defence Systems Against Flooding Attacks Martine Bellaïche Génie Informatique, Ecole Polytechnique de Montréal Montréal, QC, CANADA email: martine.bellaiche@polymtl.ca Jean-Charles Grégoire INRS
More informationImpact of End-to-end QoS Connectivity on the Performance of Remote Wireless Local Networks
Impact of End-to-end QoS Connectivity on the Performance of Remote Wireless Local Networks Veselin Rakocevic School of Engineering and Mathematical Sciences City University London EC1V HB, UK V.Rakocevic@city.ac.uk
More informationMAD 12 Monitoring the Dynamics of Network Traffic by Recursive Multi-dimensional Aggregation. Midori Kato, Kenjiro Cho, Michio Honda, Hideyuki Tokuda
MAD 12 Monitoring the Dynamics of Network Traffic by Recursive Multi-dimensional Aggregation Midori Kato, Kenjiro Cho, Michio Honda, Hideyuki Tokuda 1 Background Traffic monitoring is important to detect
More informationMINI-PAPER A Gentle Introduction to the Analysis of Sequential Data
MINI-PAPER by Rong Pan, Ph.D., Assistant Professor of Industrial Engineering, Arizona State University We, applied statisticians and manufacturing engineers, often need to deal with sequential data, which
More informationANALYSIS OF THE CORRELATION BETWEEN PACKET LOSS AND NETWORK DELAY AND THEIR IMPACT IN THE PERFORMANCE OF SURGICAL TRAINING APPLICATIONS
ANALYSIS OF THE CORRELATION BETWEEN PACKET LOSS AND NETWORK DELAY AND THEIR IMPACT IN THE PERFORMANCE OF SURGICAL TRAINING APPLICATIONS JUAN CARLOS ARAGON SUMMIT STANFORD UNIVERSITY TABLE OF CONTENTS 1.
More informationData fusion algorithms for network anomaly detection: classification and evaluation
Data fusion algorithms for network anomaly detection: classification and evaluation V. Chatzigiannakis, G. Androulidakis, K. Pelechrinis, S. Papavassiliou and V. Maglaris Network Management & Optimal Design
More informationDeriving Network Traffic Signatures via Large Graphs
Deriving Network Traffic Signatures via Large Graphs hume@vt.edu www.hume.vt.edu Ahmed Abdelhadi (PI) Research Assistant Professor Outline Pattern of Life and IoT A Tractable Framework for POL Modeling
More informationLecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations
Lecture Notes on Critique of 1998 and 1999 DARPA IDS Evaluations Prateek Saxena March 3 2008 1 The Problems Today s lecture is on the discussion of the critique on 1998 and 1999 DARPA IDS evaluations conducted
More informationDetection and Identification of Network Anomalies Using Sketch Subspaces
Detection and Identification of Network Anomalies Using Sketch Subspaces X. Li F. Bian M. Crovella C. Diot R. Govindan G. Iannaccone A. Lakhina ABSTRACT Network anomaly detection using dimensionality reduction
More informationNetwork Bandwidth Utilization Prediction Based on Observed SNMP Data
160 TUTA/IOE/PCU Journal of the Institute of Engineering, 2017, 13(1): 160-168 TUTA/IOE/PCU Printed in Nepal Network Bandwidth Utilization Prediction Based on Observed SNMP Data Nandalal Rana 1, Krishna
More informationChapter 12. Routing and Routing Protocols 12-1
Chapter 12 Routing and Routing Protocols 12-1 Routing in Circuit Switched Network Many connections will need paths through more than one switch Need to find a route Efficiency Resilience Public telephone
More informationDemystifying Service Discovery: Implementing an Internet-Wide Scanner
Demystifying Service Discovery: Implementing an Internet-Wide Scanner Derek Leonard Joint work with Dmitri Loguinov Internet Research Lab Department of Computer Science and Engineering Texas A&M University,
More informationRED behavior with different packet sizes
RED behavior with different packet sizes Stefaan De Cnodder, Omar Elloumi *, Kenny Pauwels Traffic and Routing Technologies project Alcatel Corporate Research Center, Francis Wellesplein, 1-18 Antwerp,
More informationChapter 1. Introduction
Chapter 1 Introduction In a packet-switched network, packets are buffered when they cannot be processed or transmitted at the rate they arrive. There are three main reasons that a router, with generic
More informationA High-Speed PacketScore DDoS Defense System
TO BE PUBLISHED IN THE IEEE JOURNAL ON SELECTED AREAS IN COMMUNICATIONS, JUNE 26 1 A High-Speed PacketScore DDoS Defense System Paulo E. Ayres, Huizhong Sun, and H. Jonathan Chao payres1@utopia.poly.edu,
More informationIntrusion Detection - Snort
Intrusion Detection - Snort Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 Sometimes, Defenses Fail Our defenses aren t perfect Patches aren t applied promptly enough AV signatures
More informationCHAPTER 6 SOLUTION TO NETWORK TRAFFIC PROBLEM IN MIGRATING PARALLEL CRAWLERS USING FUZZY LOGIC
CHAPTER 6 SOLUTION TO NETWORK TRAFFIC PROBLEM IN MIGRATING PARALLEL CRAWLERS USING FUZZY LOGIC 6.1 Introduction The properties of the Internet that make web crawling challenging are its large amount of
More informationConfiguring Anomaly Detection
CHAPTER 9 Caution Anomaly detection assumes it gets traffic from both directions. If the sensor is configured to see only one direction of traffic, you should turn off anomaly detection. Otherwise, when
More informationANOMALY DETECTION IN COMMUNICTION NETWORKS
Anomaly Detection Summer School Lecture 2014 ANOMALY DETECTION IN COMMUNICTION NETWORKS Prof. D.J.Parish and Francisco Aparicio-Navarro Loughborough University (School of Electronic, Electrical and Systems
More informationSSL Automated Signatures
SSL Automated Signatures WilliamWilsonandJugalKalita DepartmentofComputerScience UniversityofColorado ColoradoSprings,CO80920USA wjwilson057@gmail.com and kalita@eas.uccs.edu Abstract In the last few years
More informationIntroduction to Cisco ASA Firewall Services
Firewall services are those ASA features that are focused on controlling access to the network, including services that block traffic and services that enable traffic flow between internal and external
More informationIP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks
1274 IEICE TRANS. INF. & SYST., VOL.E91-D, NO.5 MAY 2008 PAPER Special Section on Information and Communication System Security IP Packet Size Entropy-Based Scheme for Detection of DoS/DDoS Attacks Ping
More informationImpact of Black Hole and Sink Hole Attacks on Routing Protocols for WSN
Impact of Black Hole and Sink Hole Attacks on Routing Protocols for WSN Padmalaya Nayak V. Bhavani B. Lavanya ABSTRACT With the drastic growth of Internet and VLSI design, applications of WSNs are increasing
More informationDiscriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric
Discriminating DDoS Attacks from Flash Crowds in IPv6 networks using Entropy Variations and Sibson distance metric HeyShanthiniPandiyaKumari.S 1, Rajitha Nair.P 2 1 (Department of Computer Science &Engineering,
More informationNUMERICAL METHODS PERFORMANCE OPTIMIZATION IN ELECTROLYTES PROPERTIES MODELING
NUMERICAL METHODS PERFORMANCE OPTIMIZATION IN ELECTROLYTES PROPERTIES MODELING Dmitry Potapov National Research Nuclear University MEPHI, Russia, Moscow, Kashirskoe Highway, The European Laboratory for
More informationA Framework For Managing Emergent Transmissions In IP Networks
A Framework For Managing Emergent Transmissions In IP Networks Yen-Hung Hu Department of Computer Science Hampton University Hampton, Virginia 23668 Email: yenhung.hu@hamptonu.edu Robert Willis Department
More informationLevel 3 SM Enhanced Management - FAQs. Frequently Asked Questions for Level 3 Enhanced Management
Level 3 SM Enhanced Management - FAQs Frequently Asked Questions for Level 3 Enhanced Management 2015 Level 3 Communications, LLC. All rights reserved. 1 LAYER 3: CONVERGED SERVICES 5 Where can I find
More informationUsing traffic snapshots to detect DDoS attacks From state-of-the-art approaches to the industry
Using traffic snapshots to detect DDoS attacks From state-of-the-art approaches to the industry Gilles Roudière 1 (PhD student) Philippe Owezarski 1, François Devienne 2 (Supervisors) 1, {gilles.roudiere,
More informationEECS 3214: Computer Network Protocols and Applications. Final Examination. Department of Computer Science and Engineering
Department of Computer Science and Engineering EECS 3214: Computer Network Protocols and Applications Final Examination Instructor: N. Vlajic Date: April 9, 2016 Instructions: Examination time: 180 min.
More informationBGP Routing: A study at Large Time Scale
BGP Routing: A study at Large Time Scale Georgos Siganos U.C. Riverside Dept. of Comp. Science siganos@cs.ucr.edu Michalis Faloutsos U.C. Riverside Dept. of Comp. Science michalis@cs.ucr.edu Abstract In
More informationDETECTION OF NETWORK ANOMALIES USING RANK TESTS
DETECTION OF NETWORK ANOMALIES USING RANK TESTS Céline Lévy-Leduc CNRS/LTCI/Télécom ParisTech 37/39, Rue Dareau - 754 Paris - Email: celine.levy-leduc@telecom-paristech.fr ABSTRACT We propose a novel and
More informationEECS 428 Final Project Report Distributed Real-Time Process Control Over TCP and the Internet Brian Robinson
EECS 428 Final Project Report Distributed Real-Time Process Control Over TCP and the Internet Brian Robinson 1.0 Introduction Distributed real-time process control, from a network communication view, involves
More informationVisualization of Internet Traffic Features
Visualization of Internet Traffic Features Jiraporn Pongsiri, Mital Parikh, Miroslova Raspopovic and Kavitha Chandra Center for Advanced Computation and Telecommunications University of Massachusetts Lowell,
More informationVideo AI Alerts An Artificial Intelligence-Based Approach to Anomaly Detection and Root Cause Analysis for OTT Video Publishers
Video AI Alerts An Artificial Intelligence-Based Approach to Anomaly Detection and Root Cause Analysis for OTT Video Publishers Live and on-demand programming delivered by over-the-top (OTT) will soon
More informationIdentifying Anomalous Traffic Using Delta Traffic. Tsuyoshi KONDOH and Keisuke ISHIBASHI Information Sharing Platform Labs. NTT
Identifying Anomalous Traffic Using Delta Traffic Tsuyoshi KONDOH and Keisuke ISHIBASHI Information Sharing Platform Labs. NTT Flocon2008, January 7 10, 2008, Savannah GA Outline Background and Motivation
More informationIntroduction. Can we use Google for networking research?
Unconstrained Profiling of Internet Endpoints via Information on the Web ( Googling the Internet) Ionut Trestian1 Soups Ranjan2 Aleksandar Kuzmanovic1 Antonio Nucci2 1 Northwestern 2 Narus University Inc.
More informationEnhancing DDoS protection TAYLOR HARRIS SECURITY ENGINEER
Enhancing DDoS protection TAYLOR HARRIS SECURITY ENGINEER Overview DDoS Evolution Typical Reactive/Proactive Mitigation Challenges and Obstacles BGP Flowspec Automated Flowspec Mitigation 2 DDoS Evolution
More information