Article (free access). DOI: 10.1145/1080091.1080118

Mining anomalies using traffic feature distributions

Published: 22 August 2005

Abstract

The increasing practicality of large-scale flow capture makes it possible to conceive of traffic analysis methods that detect and identify a large and diverse set of anomalies. However, the challenge of effectively analyzing this massive data source for anomaly diagnosis is as yet unmet. We argue that the distributions of packet features (IP addresses and ports) observed in flow traces reveal both the presence and the structure of a wide range of anomalies. Using entropy as a summarization tool, we show that the analysis of feature distributions leads to significant advances on two fronts: (1) it enables highly sensitive detection of a wide range of anomalies, augmenting detections by volume-based methods, and (2) it enables automatic classification of anomalies via unsupervised learning. We show that using feature distributions, anomalies naturally fall into distinct and meaningful clusters. These clusters can be used to automatically classify anomalies and to uncover new anomaly types. We validate our claims on data from two backbone networks (Abilene and Geant) and conclude that feature distributions show promise as a key element of a fairly general network anomaly diagnosis framework.
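The following Python is an added illustration of the entropy summarization the abstract describes; it is not code from the paper, and the flow windows, thresholds and function names are constructed assumptions rather than Abilene or Geant data. It computes the sample entropy of the four feature distributions (source/destination IP and port) over a window of flows and shows that a port scan and a DDoS flood, which both raise volume, leave opposite entropy signatures on the address and port features.

```python
import math
from collections import Counter

# The four packet-header features whose distributions are summarised.
FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")

def sample_entropy(values):
    """Sample entropy H = -sum (n_i/S) log2 (n_i/S) of the empirical
    distribution of `values`; 0 when one value occurs, log2(N0) when
    all N0 distinct values are equally frequent."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())

def feature_entropies(flows):
    """Summarise a window of flow records (dicts) as one entropy per feature."""
    return {f: sample_entropy([flow[f] for flow in flows]) for f in FEATURES}

def entropy_signature(baseline, window, threshold=0.5):
    """Label each feature 'dispersed' (entropy rose by more than `threshold`
    bits vs. baseline), 'concentrated' (fell by more) or 'stable'.
    The pattern of labels, not the volume, separates anomaly types."""
    sig = {}
    for f in FEATURES:
        delta = window[f] - baseline[f]
        sig[f] = ("dispersed" if delta > threshold
                  else "concentrated" if delta < -threshold else "stable")
    return sig

# Constructed sample traffic (assumption: not from any real trace).
def baseline_flows():
    """200 flows spread over many hosts with a skewed mix of service ports."""
    return [{"src_ip": f"10.0.{i % 20}.{(3 * i) % 11}",
             "dst_ip": f"192.0.2.{i % 25}",
             "src_port": 1024 + (37 * i) % 5000,
             "dst_port": (80, 80, 80, 443, 443, 443, 53, 53, 25, 25)[i % 10]}
            for i in range(200)]

def port_scan_flows():
    """400 flows: one source touching 400 ports on one destination."""
    return [{"src_ip": "198.51.100.7", "dst_ip": "192.0.2.9",
             "src_port": 40000 + i, "dst_port": 1000 + i} for i in range(400)]

def ddos_flows():
    """400 flows: 400 distinct sources all hitting one destination's port 80."""
    return [{"src_ip": f"198.18.{i // 256}.{i % 256}", "dst_ip": "192.0.2.9",
             "src_port": 1024 + (53 * i) % 3000, "dst_port": 80} for i in range(400)]

def classify_window(anomaly):
    """Entropy signature of a window holding normal traffic plus `anomaly`."""
    base = feature_entropies(baseline_flows())
    return entropy_signature(base, feature_entropies(baseline_flows() + anomaly))
```

Running `classify_window(port_scan_flows())` labels dst_port dispersed and both IP features concentrated, while `classify_window(ddos_flows())` labels src_ip dispersed and dst_ip and dst_port concentrated; the volume increase is the same in both windows.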

Published In

SIGCOMM '05: Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications. August 2005, 350 pages. ISBN: 1595930094. DOI: 10.1145/1080091
Also published in ACM SIGCOMM Computer Communication Review, Volume 35, Issue 4: Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications. October 2005, 324 pages. ISSN: 0146-4833. DOI: 10.1145/1090191

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. anomaly classification
2. anomaly detection
3. network-wide traffic analysis

Conference

SIGCOMM05: ACM SIGCOMM 2005 Conference, August 22 - 26, 2005, Philadelphia, Pennsylvania, USA
Overall acceptance rate: 462 of 3,389 submissions, 14%
