A study on detecting network anomalies using sampled flow statistics

Ryoichi Kawahara; Tatsuya Mori; Noriaki Kamiyama; Shigeaki Harada; Shoichiro Asano

doi:10.1109/SAINT-W.2007.17

A study on detecting network anomalies using sampled flow statistics

Ryoichi Kawahara^*, Tatsuya Mori, Noriaki Kamiyama, Shigeaki Harada, Shoichiro Asano

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

17 Citations (Scopus)

Abstract

We investigate how to detect network anomalies using flow statistics obtained through packet sampling. First, we show that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become difficult to detect when we execute packet sampling. This is because such flows are more unlikely to be sampled than normal flows. As a solution to this problem, we then show that spatially partitioning the monitored traffic into groups and analyzing the traffic of individual groups can increase the detectability of such anomalies: We also show the effectiveness of the partitioning method using network measurement data.

Original language	English
Title of host publication	2007 International Symposium on Applications and the Internet - Workshops, SAINT-W
DOIs	https://doi.org/10.1109/SAINT-W.2007.17
Publication status	Published - 2007
Externally published	Yes
Event	2007 International Symposium on Applications and the Internet - Workshops, SAINT-W - Hiroshima, Japan Duration: 2007 Jan 15 → 2007 Jan 19

Publication series

Name	SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W

Conference

Conference	2007 International Symposium on Applications and the Internet - Workshops, SAINT-W
Country/Territory	Japan
City	Hiroshima
Period	07/1/15 → 07/1/19

ASJC Scopus subject areas

Computer Networks and Communications
Computer Science Applications
Software

Access to Document

10.1109/SAINT-W.2007.17

Cite this

Kawahara, R., Mori, T., Kamiyama, N., Harada, S., & Asano, S. (2007). A study on detecting network anomalies using sampled flow statistics. In 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W Article 4090152 (SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W). https://doi.org/10.1109/SAINT-W.2007.17

A study on detecting network anomalies using sampled flow statistics. / Kawahara, Ryoichi; Mori, Tatsuya; Kamiyama, Noriaki et al.
2007 International Symposium on Applications and the Internet - Workshops, SAINT-W. 2007. 4090152 (SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kawahara, R, Mori, T, Kamiyama, N, Harada, S & Asano, S 2007, A study on detecting network anomalies using sampled flow statistics. in 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W., 4090152, SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W, 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W, Hiroshima, Japan, 07/1/15. https://doi.org/10.1109/SAINT-W.2007.17

@inproceedings{9ea6f311d60447dfa485128a797d0868,

title = "A study on detecting network anomalies using sampled flow statistics",

abstract = "We investigate how to detect network anomalies using flow statistics obtained through packet sampling. First, we show that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become difficult to detect when we execute packet sampling. This is because such flows are more unlikely to be sampled than normal flows. As a solution to this problem, we then show that spatially partitioning the monitored traffic into groups and analyzing the traffic of individual groups can increase the detectability of such anomalies: We also show the effectiveness of the partitioning method using network measurement data.",

author = "Ryoichi Kawahara and Tatsuya Mori and Noriaki Kamiyama and Shigeaki Harada and Shoichiro Asano",

year = "2007",

doi = "10.1109/SAINT-W.2007.17",

language = "English",

isbn = "0769527574",

series = "SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W",

booktitle = "2007 International Symposium on Applications and the Internet - Workshops, SAINT-W",

note = "2007 International Symposium on Applications and the Internet - Workshops, SAINT-W ; Conference date: 15-01-2007 Through 19-01-2007",

}

TY - GEN

T1 - A study on detecting network anomalies using sampled flow statistics

AU - Kawahara, Ryoichi

AU - Mori, Tatsuya

AU - Kamiyama, Noriaki

AU - Harada, Shigeaki

AU - Asano, Shoichiro

PY - 2007

Y1 - 2007

N2 - We investigate how to detect network anomalies using flow statistics obtained through packet sampling. First, we show that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become difficult to detect when we execute packet sampling. This is because such flows are more unlikely to be sampled than normal flows. As a solution to this problem, we then show that spatially partitioning the monitored traffic into groups and analyzing the traffic of individual groups can increase the detectability of such anomalies: We also show the effectiveness of the partitioning method using network measurement data.

AB - We investigate how to detect network anomalies using flow statistics obtained through packet sampling. First, we show that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become difficult to detect when we execute packet sampling. This is because such flows are more unlikely to be sampled than normal flows. As a solution to this problem, we then show that spatially partitioning the monitored traffic into groups and analyzing the traffic of individual groups can increase the detectability of such anomalies: We also show the effectiveness of the partitioning method using network measurement data.

UR - http://www.scopus.com/inward/record.url?scp=46349085574&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=46349085574&partnerID=8YFLogxK

U2 - 10.1109/SAINT-W.2007.17

DO - 10.1109/SAINT-W.2007.17

M3 - Conference contribution

AN - SCOPUS:46349085574

SN - 0769527574

SN - 9780769527574

T3 - SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W

BT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W

T2 - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W

Y2 - 15 January 2007 through 19 January 2007

ER -

A study on detecting network anomalies using sampled flow statistics

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this