Detection accuracy of network anomalies using sampled flow statistics

Ryoichi Kawahara; Keisuke Ishibashi; Tatsuya Mori; Noriaki Kamiyama; Shigeaki Harada; Shoichiro Asano

doi:10.1109/GLOCOM.2007.376

Detection accuracy of network anomalies using sampled flow statistics

Ryoichi Kawahara^*, Keisuke Ishibashi, Tatsuya Mori, Noriaki Kamiyama, Shigeaki Harada, Shoichiro Asano

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

7 Citations (Scopus)

Abstract

We investigate the detection accuracy of network anomalies when we use flow statistics obtained through packet sampling. We have already shown, through a case study based on measurement data, that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become hard to detect when we perform packet sampling. In this paper, we first develop an analytical model that enables us to quantitatively evaluate the effect of packet sampling on the detection accuracy and then investigate why detection accuracy worsens when the packet sampling rate decreases. In addition, we show that, even with a low sampling rate, spatially partitioning the monitored traffic into groups makes it possible to increase the detection accuracy. We also develop a method of determining an appropriate number of partitioned groups and show its effectiveness.

Original language	English
Title of host publication	IEEE GLOBECOM 2007 - 2007 IEEE Global Telecommunications Conference, Proceedings
Pages	1959-1964
Number of pages	6
DOIs	https://doi.org/10.1109/GLOCOM.2007.376
Publication status	Published - 2007
Externally published	Yes
Event	50th Annual IEEE Global Telecommunications Conference, GLOBECOM 2007 - Washington, DC, United States Duration: 2007 Nov 26 → 2007 Nov 30

Publication series

Name	GLOBECOM - IEEE Global Telecommunications Conference

Conference

Conference	50th Annual IEEE Global Telecommunications Conference, GLOBECOM 2007
Country/Territory	United States
City	Washington, DC
Period	07/11/26 → 07/11/30

ASJC Scopus subject areas

Engineering(all)

Access to Document

10.1109/GLOCOM.2007.376

Cite this

Detection accuracy of network anomalies using sampled flow statistics. / Kawahara, Ryoichi; Ishibashi, Keisuke; Mori, Tatsuya et al.
IEEE GLOBECOM 2007 - 2007 IEEE Global Telecommunications Conference, Proceedings. 2007. p. 1959-1964 4411286 (GLOBECOM - IEEE Global Telecommunications Conference).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Kawahara, R, Ishibashi, K, Mori, T, Kamiyama, N, Harada, S & Asano, S 2007, Detection accuracy of network anomalies using sampled flow statistics. in IEEE GLOBECOM 2007 - 2007 IEEE Global Telecommunications Conference, Proceedings., 4411286, GLOBECOM - IEEE Global Telecommunications Conference, pp. 1959-1964, 50th Annual IEEE Global Telecommunications Conference, GLOBECOM 2007, Washington, DC, United States, 07/11/26. https://doi.org/10.1109/GLOCOM.2007.376

@inproceedings{d704196eb4b74a41a0151699b3167ced,

title = "Detection accuracy of network anomalies using sampled flow statistics",

abstract = "We investigate the detection accuracy of network anomalies when we use flow statistics obtained through packet sampling. We have already shown, through a case study based on measurement data, that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become hard to detect when we perform packet sampling. In this paper, we first develop an analytical model that enables us to quantitatively evaluate the effect of packet sampling on the detection accuracy and then investigate why detection accuracy worsens when the packet sampling rate decreases. In addition, we show that, even with a low sampling rate, spatially partitioning the monitored traffic into groups makes it possible to increase the detection accuracy. We also develop a method of determining an appropriate number of partitioned groups and show its effectiveness.",

author = "Ryoichi Kawahara and Keisuke Ishibashi and Tatsuya Mori and Noriaki Kamiyama and Shigeaki Harada and Shoichiro Asano",

year = "2007",

doi = "10.1109/GLOCOM.2007.376",

language = "English",

isbn = "1424410436",

series = "GLOBECOM - IEEE Global Telecommunications Conference",

pages = "1959--1964",

booktitle = "IEEE GLOBECOM 2007 - 2007 IEEE Global Telecommunications Conference, Proceedings",

note = "50th Annual IEEE Global Telecommunications Conference, GLOBECOM 2007 ; Conference date: 26-11-2007 Through 30-11-2007",

}

TY - GEN

T1 - Detection accuracy of network anomalies using sampled flow statistics

AU - Kawahara, Ryoichi

AU - Ishibashi, Keisuke

AU - Mori, Tatsuya

AU - Kamiyama, Noriaki

AU - Harada, Shigeaki

AU - Asano, Shoichiro

PY - 2007

Y1 - 2007

N2 - We investigate the detection accuracy of network anomalies when we use flow statistics obtained through packet sampling. We have already shown, through a case study based on measurement data, that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become hard to detect when we perform packet sampling. In this paper, we first develop an analytical model that enables us to quantitatively evaluate the effect of packet sampling on the detection accuracy and then investigate why detection accuracy worsens when the packet sampling rate decreases. In addition, we show that, even with a low sampling rate, spatially partitioning the monitored traffic into groups makes it possible to increase the detection accuracy. We also develop a method of determining an appropriate number of partitioned groups and show its effectiveness.

AB - We investigate the detection accuracy of network anomalies when we use flow statistics obtained through packet sampling. We have already shown, through a case study based on measurement data, that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become hard to detect when we perform packet sampling. In this paper, we first develop an analytical model that enables us to quantitatively evaluate the effect of packet sampling on the detection accuracy and then investigate why detection accuracy worsens when the packet sampling rate decreases. In addition, we show that, even with a low sampling rate, spatially partitioning the monitored traffic into groups makes it possible to increase the detection accuracy. We also develop a method of determining an appropriate number of partitioned groups and show its effectiveness.

UR - http://www.scopus.com/inward/record.url?scp=39349105464&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=39349105464&partnerID=8YFLogxK

U2 - 10.1109/GLOCOM.2007.376

DO - 10.1109/GLOCOM.2007.376

M3 - Conference contribution

AN - SCOPUS:39349105464

SN - 1424410436

SN - 9781424410439

T3 - GLOBECOM - IEEE Global Telecommunications Conference

SP - 1959

EP - 1964

BT - IEEE GLOBECOM 2007 - 2007 IEEE Global Telecommunications Conference, Proceedings

T2 - 50th Annual IEEE Global Telecommunications Conference, GLOBECOM 2007

Y2 - 26 November 2007 through 30 November 2007

ER -

Detection accuracy of network anomalies using sampled flow statistics

Abstract

Publication series

Conference

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this