A Signal Analysis of Network Traffic Anomalies

Similar documents
A Signal Analysis of Network Traffic Anomalies

76 days Wed 8/24/16 Wed 12/7/16 Daniel Wang,Shreyas Makde,Madhavi Potluri,Roua 2 Requirements analysis 11 days Wed 8/24/16 Wed 9/7/16

Topics in P2P Networked Systems

Traffic Anomaly Detection at Fine Time Scales with Bayes Nets

Introduction to Network Security Missouri S&T University CPE 5420 Anomaly Detection

On the 95-percentile billing method

A Levy Alpha Stable Model for Anomaly Detection in Network Traffic

Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation

AIMMS Function Reference - Date Time Related Identifiers

Internet Threat Detection System Using Bayesian Estimation

Manual Summary Split. Inactive Task. Inactive Task. Finish-only Progress Deadline External Tasks. Inactive Milestone Inactive Summary Manual Task

Improving Accuracy in End-to-end Packet Loss Measurement

Network Traffic Anomaly Detection based on Ratio and Volume Analysis

18050 (2.48 pages/visit) Jul Sep May Jun Aug Number of visits

Impact of Sampling on Anomaly Detection

Private Swimming Lessons

Content Delivery and File Sharing in the Modern Internet

You submitted this homework on Sun 23 Feb :12 PM PST. You got a score of 5.00 out of 5.00.

Network Anomaly Confirmation, Diagnosis and Remediation

Distributed Systems. 29. Firewalls. Paul Krzyzanowski. Rutgers University. Fall 2015

10/16/2016 CPET 490 SENIOR DESIGN PROJECT PHASE I ANDROID GOLF STATISTICS TRACKER. Brad Sorensen Kory Martin PROJECT SUMMARY

Lecture Notes: ESC 101

A First Look at QUIC in the Wild

A Rendezvous-based Paradigm for Analysis of Solicited and Unsolicited Traffic

CSCD 443/533 Advanced Networks

BatteryStats.com Page 1 of 9

Advancing the Art of Internet Edge Outage Detection

NETWORK TRAFFIC ANALYSIS - A DIFFERENT APPROACH USING INCOMING AND OUTGOING TRAFFIC DIFFERENCES

BUT2 7day 11/4/07 11:07 PM Page 1. Introduction

INFORMATION TECHNOLOGY SPREADSHEETS. Part 1

Anomaly Detection in Network Traffic: A Statistical Approach

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Opportunities for Exploiting Social Awareness in Overlay Networks. Bruce Maggs Duke University Akamai Technologies

Olympus Digital Voice Recorder Vn 8100pc

Overview Intrusion Detection Systems and Practices

Olympus Digital Voice Recorder Vn 702pc

Traffic Patterns in Peer-to-Peer-Networking. Christian Schindelhauer. joint work with Amir Alsbih Thomas Janson

TCA metric #3. TCA and fair execution. The metrics that the FX industry must use.

Arrays III and Enumerated Types

Exposing server performance to network managers through passive network measurements

Task Name Duration % Complete Start Finish

Traffic Classification Using Visual Motifs: An Empirical Evaluation

Today we spend some time in programming with the internet and their protocols too. Hope you did already work with the Starter 1 and 2 or 3 and 4 at:

(3.62 Pages/Visit) * Not viewed traffic includes traffic generated by robots, worms, or replies with special HTTP status codes.

Analyzing Cacheable Traffic in ISP Access Networks for Micro CDN applications via Content-Centric Networking

Unique visitors Number of visits Pages Hits Bandwidth (1.64 visits/visitor) 850 (2.47 Pages/Visit)

How to Predict, Detect & Stop threats at the Edge and Behind the Perimeter even in encrypted traffic without decryption

CS 640: Introduction to Computer Networks

Monitoring and Analysis

1 of 10 8/10/2009 4:51 PM

SCHEDULED PROGRAMMES/COURSES APRIL 2017 MARCH 2018 (MIND KINGSTON / MANDEVILLE CAMPUSES & MONTEGO BAY)

NORTHWEST. Course Schedule: Through June 2018 MICROSOFT ACCESS. Access 2016 / Access 2010 / Last Revised: 11/13/2017

Network Heartbeat Traffic Characterization. Mackenzie Haffey Martin Arlitt Carey Williamson Department of Computer Science University of Calgary

Dixit Verma Characterization and Implications of Flash Crowds and DoS attacks on websites

Java Programming Language Mr.Rungrote Phonkam

Statistics for cornish-maine.org ( )... 4/25/15, 12:07 PM

The Challenges of Measuring Wireless Networks. David Kotz Dartmouth College August 2005

Lecture 15: Measurement Studies on Internet Routing

Brief History of Networking. Lecture 34: How does a computer send messages over the Internet? Modern Internet. Caveat: Internet Web 11/22/10

Peering at Peerings: On the Role of IXP Route Servers

First Steps to Using a PacketShaper

CS November 2018

CIMA Certificate BA Interactive Timetable

Accurate and Efficient SLA Compliance Monitoring

The Subspace Method for Diagnosing Network-Wide Traffic Anomalies. Anukool Lakhina, Mark Crovella, Christophe Diot

0-60: Lessons Learned from Creating a Successful Ecommerce Program From Scratch

Statistics for cornish-maine.org ( ) - main

Distributed Systems. 21. Content Delivery Networks (CDN) Paul Krzyzanowski. Rutgers University. Fall 2018

Citrix 1Y0-A11. 1Y0-A11 Basic Administration for Citrix NetScaler 9.0. Practice Test. Version

SCHEDULED PROGRAMMES/COURSES APRIL 2018 MARCH 2019 (MIND KINGSTON / MANDEVILLE CAMPUSES & MONTEGO BAY)

COOLING WHAT ARE THE OPTIONS AND THE PROS AND CONS FOR THE VARIOUS TYPES OF DATACENTRES SERVER AND COMMS ROOMS

Trisul Network Analytics - Traffic Analyzer

Accurate Anomaly Detection through Parallelism

Stager. A Web Based Application for Presenting Network Statistics. Arne Øslebø

Single-pass restore after a media failure. Caetano Sauer, Goetz Graefe, Theo Härder

Identifying Anomalous Traffic Using Delta Traffic. Tsuyoshi KONDOH and Keisuke ISHIBASHI Information Sharing Platform Labs. NTT

Package RcppBDT. August 29, 2016

sample Sample Hotel Monthly Bandwidth Report For the Month of: February 2010 STR #: XXXXX Date Created: March 2011 Tab

Memento: Time Travel for the Web

Sample Hotel Monthly Bandwidth Report

Scientific Programming in C X. More features & Fortran interface

Package taskscheduler

IVR (Interactive Voice Response) Operation Manual

Olympus Digital Voice Recorder Vn 7200

BUP2 5/2 12/4/07 12:49 AM Page 1. Introduction

Operational Experiences With High-Volume Network Intrusion Detection

Software Security. Final Exam Preparation. Be aware, there is no guarantee for the correctness of the answers!

Forwarding Logs Using Tail2Syslog. Release Security Threat Response Manager. Juniper Networks, Inc.

Uncovering Artifacts of Flow Measurement Tools

Analysis of WLAN Traffic in the Wild

I I. I I Wed 28-Jan-I WW1 - External Data I. EPF 29.5 Water Results. Consent of copyright owner required for any other use.

HP HP OpenView Network Node Manager II (6.x) - UNIX/NT. Download Full Version :

CSE/EE 461 Lecture 16 TCP Congestion Control. TCP Congestion Control

Some Observations of Internet Stream Lifetimes

Memorex Digital Voice Recorder

Urban Social Networks

Anomaly Detection of Network Traffic Based on Analytical Discrete Wavelet Transform. Author : Marius SALAGEAN, Ioana FIROIU 10 JUNE /06/10


Lab 2. All datagrams related to favicon.ico had been ignored. Diagram 1. Diagram 2

10) LEVEL 4 Assessment Success Pack. EOY Target: Teacher: WA Grade: Targets: Name: Class:

Transcription:

A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin Madison Fall,

Overview Motivation: Anomaly detection remains difficult Objective: Improve understanding of traffic anomalies Approach: Multiresolution analysis of data set that includes IP flow, SNMP and an anomaly catalog Method: Integrated Measurement Analysis Platform for Internet Traffic (IMAPIT) Results: Identify anomaly characteristics using wavelets and develop new method for exposing short-lived events pb@cs.wisc.ecdu

Our Data Sets Consider anomalies in IP flow and SNMP data Collected at UW border router (Juniper M1) Archive of ~6 months worth of data (packets, bytes, flows) Includes catalog of anomalies (after-the-fact analysis) Group observed anomalies into four categories Network anomalies (41) Steep drop offs in service followed by quick return to normal behavior Flash crowd anomalies (4) Steep increase in service followed by slow return to normal behavior Attack anomalies (46) Steep increase in flows in one direction followed by quick return to normal behavior Measurement anomalies (18) Short-lived anomalies which are not network anomalies or attacks pb@cs.wisc.ecdu 3

pb@cs.wisc.ecdu 4

Multiresolution Analysis Wavelets provide a means for describing time series data that considers both frequency and time Powerful means for characterizing data with sharp spikes and discontinuities Using wavelets can be quite tricky We use tools developed at UW which together make up IMAPIT FlowScan software The IDR Framenet software pb@cs.wisc.ecdu 5

Our Wavelet System After evaluating different candidates we selected a wavelet system called Pseudo Splines(4,1) Type. A framelet system developed by Daubechies et al. Very good frequency localization properties Three output signals are extracted Low Frequency (L): synthesis of all wavelet coefficients from level 9 and up Mid Frequency (M): synthesis of wavelet coefficients 6, 7, 8 High Frequency (H): synthesis of wavelet coefficients 1 to 5 pb@cs.wisc.ecdu 6

Bytes/sec Ambient IP Flow Traffic One Autonomous System to Campus, Inbound, 1-DEC-16 through 1-DEC-3 15 M bytes, original signal 1 M 5 M 6 M 4 M - -4 M -6 M bytes, high-band 4 M - bytes, mid-band -4 M 15 M bytes, low-band 1 M 5 M Sat Sun Mon Tue Wed Thu Fri Sat Sun pb@cs.wisc.ecdu 7

Bytes/sec Ambient SNMP Traffic One Interface to Campus, Inbound, 1-DEC-16 through 1-DEC-3 15 M bytes, original signal 1 M 5 M 6 M 4 M - -4 M -6 M bytes, high-band 4 M - bytes, mid-band -4 M 15 M bytes, low-band 1 M 5 M Sat Sun Mon Tue Wed Thu Fri Sat Sun pb@cs.wisc.ecdu 8

Byte Traffic for Flash Crowd Bytes/sec 3 M 5 M 15 M 1 M 5 M Class-B Network, Outbound, 1-SEP-3 through 1-NOV-5 Outbound Class-B Network Bytes, original signal 5 M Outbound Class-B Network Bytes, mid-band -5 M -1 M 15 M Outbound Class-B Network Bytes, low-band 1 M 5 M Oct-1 Oct-8 Oct-15 Oct- Oct-9 Nov-5 Nov-1 Nov-19 Nov-6 pb@cs.wisc.ecdu 9

Average Packet Size for Flash Crowd 15 Campus HTTP, Outbound, 1-SEP-3 through 1-NOV-5 Bytes 1 5 3 1-1 - -3 outbound HTTP average packet size signal outound HTTP average packet size, mid-band 15 1 5 outbound HTTP average packet size, low-band Oct-1 Oct-8 Oct-15 Oct- Oct-9 Nov-5 Nov-1 Nov-19 Nov-6 pb@cs.wisc.ecdu 1

Flow Traffic During DoS Attacks Flows/sec 4 3 1 15 1 5 3 1-1 - -3 4 3 1 Campus TCP, Inbound, -FEB-3 through -FEB-1 Inbound TCP Flows, original signal Inbound TCP Flows, high-band Inbound TCP Flows, mid-band Inbound TCP Flows, low-band Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 11

Byte Traffic During Measurement Anomalies Bytes/sec 3 M 1 M 8 M 6 M 4 M - -4 M 6 M 4 M - 3 M 1 M Campus TCP, Inbound, -FEB-1 through -FEB-17 Inbound TCP Bytes, original signal Inbound TCP Bytes, high-band Inbound TCP Bytes, mid-band Inbound TCP Bytes, low-band Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 1

Anomaly Detection via Deviation Short-lived anomalies can be identified automatically based on variability in H and M signals 1. Compute local variability (using specified window) of H and M parts of signal. Combine local variability of H and M signals (using a weighted sum) and normalize by total variability to get deviation score V 3. Apply threshold to V then measure peaks Analysis shows that V peaks over. indicate shortlived anomalies with high confidence We threshold at V = and set window size to 3 hours pb@cs.wisc.ecdu 13

Deviation for Three Anomalies 5 k 4 k Campus TCP, Inbound, -FEB-3 through -FEB-1 Inbound TCP Packets Deviation Packets/sec 3 k k 1 k Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 14

Deviation for Network Outage 3 M Inbound Outbound Bytes/sec 1 M 4 k Pkts/sec Flows/sec 3 k k 1 k 15 1 5 Sun Mon Tue Wed Thu Fri Sat Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 15

Anomalies in Aggregate Signals Bytes/sec 6 k 5 k 4 k 3 k k 1 k k Inbound Outbound Pkts/sec 15 k 1 k 5 k Flows/sec 15 1 5 Sun Mon Tue Wed Thu Fri Sat Sun Mon Tue Wed Thu Fri Sat 3 M Inbound Outbound Bytes/sec 1 M Pkts/sec Flows/sec 5 k 4 k 3 k k 1 k 3 5 15 1 5 Sun Mon Tue Wed Thu Fri Sat Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 16

Hidden Anomalies in Low Frequency Bytes/sec 1 M 8 M 6 M 4 M 3 M 1 M -1 M - 3 M 1 M -1 M - -3 M 1 M 8 M 6 M 4 M Class-B Network, Outbound, 1-NOV-5 through 1-DEC-3 Outbound Bytes, original signal Outbound Bytes, high-band Outbound Bytes, mid-band Outbound Bytes, low-band Nov-7 Dec-4 Dec-11 Dec-18 Dec-5 pb@cs.wisc.ecdu 17

Deviation Evaluation How effective is deviation score at detecting anomalies? Compare versus set of 39 anomalies Set is unlikely to be complete so we don t treat false-positives Compare versus Holt-Winters Forecasting Time series technique Requires some configuration Holt-Winters reported many more positives and sometimes oscillated between values Total Candidate Anomalies 39 Candidates detected by Deviation 38 Candidates detected by Holt-Winters 37 pb@cs.wisc.ecdu 18

Conclusion and Next Steps We present an evaluation of signal characteristics of network traffic anomalies Using IP flow and SNMP data collected at UW border router IMAPIT developed to apply wavelet analysis to data Deviation score developed to automate anomaly detection Results Characteristics of anomalies exposed using different filters and data Deviation score appears promising as a detection method Future Development of anomaly classification methods Application of results in (distributed) detection systems pb@cs.wisc.ecdu 19

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback