2014 | OriginalPaper | Chapter

Large-Scale Traffic Anomaly Detection: Analysis of Real Netflow Datasets

Authors: Angelo Spognardi, Antonio Villani, Domenico Vitali, Luigi Vincenzo Mancini, Roberto Battistoni

Published in: E-Business and Telecommunications

Publisher: Springer Berlin Heidelberg


Abstract

The analysis of large amounts of traffic data is the daily routine of Autonomous System and ISP operators. The detection of anomalies such as denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks is also one of the main issues for critical services and infrastructures. The suitability of metrics drawn from information theory for detecting DoS and DDoS episodes has been widely analyzed in the past. Unfortunately, their effectiveness is often evaluated on synthetic data sets or, in other cases, on old and unrepresentative data sets, e.g. the DARPA network dump. This paper presents the evaluation, by means of the main metrics proposed in the literature, of a real and large network flow dataset collected from an Italian transit tier II Autonomous System (AS) located in Rome. We show how we effectively detected and analyzed several attacks against Italian critical IT services, some of them also publicly announced. We further report the study of other legitimate and malicious activities we found by ex-post analysis.
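As an added illustration, not code from the paper, the following Python computes the kind of information-theoretic metric the abstract refers to: Shannon entropy of the source- and destination-address distributions over a window of NetFlow-style records, and flags a window whose destination entropy collapses against a baseline (a DDoS funnels many sources into one destination). The records, field names and the threshold are constructed for this example.

```python
import math
from collections import Counter

def shannon_entropy(counts):
    """Entropy in bits of a distribution given as a Counter of sample counts."""
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def window_entropies(flows):
    """Return (H_src, H_dst) for one window of flows.
    Each flow record is a dict with constructed keys src, dst, packets;
    addresses are weighted by packet count, as a flow exporter would report."""
    src, dst = Counter(), Counter()
    for f in flows:
        src[f["src"]] += f["packets"]
        dst[f["dst"]] += f["packets"]
    return shannon_entropy(src), shannon_entropy(dst)

def is_ddos_like(flows, baseline_dst_entropy, max_drop_bits=1.0):
    """Flag a window whose destination entropy drops more than max_drop_bits
    below the learned baseline. The 1-bit threshold is a constructed value;
    in practice it is calibrated per link from quiet periods."""
    _, h_dst = window_entropies(flows)
    return (baseline_dst_entropy - h_dst) > max_drop_bits

# Constructed sample windows (documentation address ranges, not real hosts).
# Quiet window: 32 clients spread evenly over 8 servers, 10 packets each.
NORMAL = [{"src": f"10.0.0.{i}", "dst": f"192.0.2.{i % 8}", "packets": 10}
          for i in range(32)]
# Attack window: the quiet traffic plus 64 new sources hammering one server.
ATTACK = NORMAL + [{"src": f"198.51.100.{i}", "dst": "192.0.2.1", "packets": 50}
                   for i in range(64)]

if __name__ == "__main__":
    h_src, h_dst = window_entropies(NORMAL)
    print(f"baseline H_src={h_src:.2f} H_dst={h_dst:.2f}")
    a_src, a_dst = window_entropies(ATTACK)
    print(f"attack   H_src={a_src:.2f} H_dst={a_dst:.2f}")
    print("ddos-like:", is_ddos_like(ATTACK, baseline_dst_entropy=h_dst))
```

Note that source entropy rises while destination entropy falls in the attack window; looking at both distributions helps separate a DDoS from a legitimate flash crowd, where the destination also concentrates but sources behave differently.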


Footnotes

1. In this paper we refer to a border router as a router that connects two or more autonomous systems.

2. In compliance with the Non-Disclosure Agreement of the ExTrABIRE project, no detailed information about the AS (such as its name or number) or about ISP interconnections is provided, in order to preserve AS and host privacy.
Metadata
Title
Large-Scale Traffic Anomaly Detection: Analysis of Real Netflow Datasets
Authors
Angelo Spognardi
Antonio Villani
Domenico Vitali
Luigi Vincenzo Mancini
Roberto Battistoni
Copyright Year
2014
Publisher
Springer Berlin Heidelberg
DOI
https://doi.org/10.1007/978-3-662-44791-8_12
