Mining Anomalies in Network-Wide Flow Data. Anukool Lakhina, Ph.D. with Mark Crovella and Christophe Diot

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Mining Anomalies in Network-Wide Flow Data. Anukool Lakhina, Ph.D. with Mark Crovella and Christophe Diot"

Transcription

1 Mining Anomalies in Network-Wide Flow Data Anukool Lakhina, Ph.D. with Mark Crovella and Christophe Diot SANOG-7, Mumbai, January, 00

2 Network Anomaly Diagnosis Am I being attacked? Is someone scanning my network? Are there worms spreading? A sudden traffic shift? An equipment outage? Something never seen before? A general, unsupervised method for reliably detecting and classifying network anomalies is needed

3 My Talk in One Slide A general system to detect & classify anomalies at ISPs and large enterprises Central Message: Network-wide analysis of NetFlow data can expose many anomalies Detect both operational & malicious incidents I am here to seek your feedback

4 x 0 OD flow i b Network-Wide Traffic Analysis 0 LA IPLS 8 x 07 x 0 7 x 0 7 Large Traffic Shifts (Operational Event) x 0 7 NYC SNVA Peak rate: 00Mbps; Attack rate ~ 9Mbps/flow LA IPLS Link c b HSTN Worm scan observable in network-wide traffic Fri Sat Sun Link d c Link f d Link i f NYC LA HSTN IPLS ATLA Distributed DOS Attack NYC

5 Collecting Network-Wide Traffic to Seattle from NYC Assemble network s traffic matrix to LA Traffic entering at the origin and leaving at the destination to Houston to Atlanta Use routing to aggregate NetFlow data into OD flows

6 Networks Evaluated Abilene research network (Internet) PoPs, OD flows, anonymized, /00 sampling, min bins Géant Europe research network (Dante) PoPs, 8 OD flows, not anonymized, /000 sampling, 0 min bins Sprint European commercial network PoPs, 9 OD flows, not anonymized, aggregated, /0 sampling, 0 min bins

7 But, This is Difficult to Analyze!. x 07 x 0 x 0. x 07. Traffic in OD Flow 9.. Traffic in OD Flow 8.. Traffic in OD Flow 7... Traffic in Ab. OD Flow x 0 7 x 0 x 0 x Traffic in Ab. OD Flow 7.. Traffic in OD Flow Traffic in Ab. OD Flow 9 Traffic in OD Flow x 0 x 0 x 0 8 x Traffic in OD Flow 7.. Traffic in OD Flow Traffic in OD Flow Traffic in OD Flow How do we extract anomalies and normal behavior from noisy, high-dimensional data? 7

8 The Subspace Method [LCD:SIGCOMM 0] An approach to separate normal & anomalous network-wide traffic Designate temporal patterns most common to all the traffic flows as the normal patterns Remaining temporal patterns form the anomalous patterns Detect anomalies by statistical thresholds on anomalous patterns 8

9 An example operational anomaly Multihomed customer CALREN reroutes around outage at LOSA 9

10 Summary of Anomaly Types Found [LCD:IMC0] False Alarms 9 Unknown Alpha DOS Scan Flash Crowd Point Multi Worm Outage Ingress Shift Unknown FalseAlarm 7 Alpha Traffic Shift Outage Worm Point-Multipoint Flash Events DOS Scans 0

11 Automatically Classifying Anomalies [LCD:SIGCOMM0] Goal: Classify anomalies without restricting yourself to a predefined set of anomalies Approach: Leverage -tuple header fields: SrcIP, SrcPort, DstIP, DstPort In particular, measure dispersion in fields Then, apply off-the-shelf clustering methods

12 Example of Anomaly Clusters Dispersed Legend (DstIP) Code Red Scanning Single source DOS attack Multi source DOS attack (SrcIP) (SrcIP) Summary: Concentrated Correctly classified 9 of Dispersed 9 injected anomalies

13 Summary Network-Wide Detection: Broad range of anomalies with low false alarms In papers: Highly sensitive detection, even when anomaly is % of background traffic Anomaly Classification: Feature clusters automatically classify anomalies In papers: clusters expose new anomalies Network-wide data and header analysis are promising for general anomaly diagnosis

14 Next steps Ongoing Work: implementing algorithms in a prototype system For more information, see papers & slides at: Your feedback much needed & appreciated! Data, deployment,

Characterization of Network-Wide Anomalies in Traffic Flows

Characterization of Network-Wide Anomalies in Traffic Flows Characterization of Network-Wide Anomalies in Traffic Flows Anukool Lakhina Dept. of Computer Science, Boston University anukool@cs.bu.edu Mark Crovella Dept. of Computer Science, Boston University crovella@cs.bu.edu

More information

Detecting Network Anomalies. Anant Shah

Detecting Network Anomalies. Anant Shah Detecting Network Anomalies using Traffic Modeling Anant Shah Anomaly Detection Anomalies are deviations from established behavior In most cases anomalies are indications of problems The science of extracting

More information

Structural Analysis of Network Traffic Flows Eric Kolaczyk

Structural Analysis of Network Traffic Flows Eric Kolaczyk Structural Analysis of Network Traffic Flows Eric Kolaczyk Anukool Lakhina, Dina Papagiannaki, Mark Crovella, Christophe Diot, and Nina Taft Traditional Network Traffic Analysis Focus on Short stationary

More information

AUTONOMOUS NETWORK SECURITY FOR DETECTION OF NETWORK ATTACKS

AUTONOMOUS NETWORK SECURITY FOR DETECTION OF NETWORK ATTACKS AUTONOMOUS NETWORK SECURITY FOR DETECTION OF NETWORK ATTACKS Nita V. Jaiswal* Prof. D. M. Dakhne** Abstract: Current network monitoring systems rely strongly on signature-based and supervised-learning-based

More information

Monitoring sítí pomocí NetFlow dat od paketů ke strategiím

Monitoring sítí pomocí NetFlow dat od paketů ke strategiím Monitoring sítí pomocí NetFlow dat od paketů ke strategiím Martin Rehák, Karel Bartoš, Martin Grill, Jan Stiborek a Michal Svoboda ATG, České vysoké učení technické v Praze Jiří Novotný, Pavel Čeleda a

More information

Diagnosing Network Disruptions with Network-Wide Analysis

Diagnosing Network Disruptions with Network-Wide Analysis Diagnosing Network Disruptions with Network-Wide Analysis Yiyi Huang, Nick Feamster, Anukool Lakhina, Jun (Jim) Xu College of Computing, Georgia Tech, Guavus, Inc. ABSTRACT To maintain high availability

More information

CSAMP: A System for Network- Wide Flow Monitoring

CSAMP: A System for Network- Wide Flow Monitoring CSAMP: A System for Network- Wide Flow Monitoring Vyas Sekar,Michael K. Reiter, Walter Willinger, Hui Zhang,Ramana Rao Kompella, David G. Andersen Presentation by Beletsioti Georgia Flow measurements today

More information

A Real-time Network Traffic Profiling System

A Real-time Network Traffic Profiling System A Real-time Network Traffic Profiling System Kuai Xu, Feng Wang, Supratik Bhattacharyya, and Zhi-Li Zhang Abstract This paper presents the design and implementation of a real-time behavior profiling system

More information

Joint Entropy Analysis Model for DDoS Attack Detection

Joint Entropy Analysis Model for DDoS Attack Detection 2009 Fifth International Conference on Information Assurance and Security Joint Entropy Analysis Model for DDoS Attack Detection Hamza Rahmani, Nabil Sahli, Farouk Kammoun CRISTAL Lab., National School

More information

Manifold Learning Visualization of Network Traffic Data

Manifold Learning Visualization of Network Traffic Data Manifold Learning Visualization of Network Traffic Data Neal Patwari npatwari@eecs.umich.edu Alfred O. Hero III hero@eecs.umich.edu University of Michigan Dept. of Electrical Engineering and Computer Science

More information

Keywords Attack model, DDoS, Host Scan, Port Scan

Keywords Attack model, DDoS, Host Scan, Port Scan Volume 4, Issue 6, June 2014 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com DDOS Detection

More information

Traffic Anomaly Detection and Characterization in the Tunisian National University Network

Traffic Anomaly Detection and Characterization in the Tunisian National University Network Traffic Anomaly Detection and Characterization in the Tunisian National University Network Khadija RAMAH 1, Hichem AYARI 2, Farouk KAMOUN 3 2,3 CRISTAL laboratory École Nationale des Sciences de l Informatique

More information

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY

INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY INTERNATIONAL JOURNAL OF PURE AND APPLIED RESEARCH IN ENGINEERING AND TECHNOLOGY A PATH FOR HORIZING YOUR INNOVATIVE WORK AUTONOMOUS NETWORK SECURITY FOR UNSUPERVISED DETECTION OF NETWORK ATTACKS MS. PRITI

More information

Mining Trends From Network Traffic Data for Security Systems

Mining Trends From Network Traffic Data for Security Systems Mining Trends From Network Traffic Data for Security Systems Jennifer Li Computer Science Department Louisiana State University jli13@tigers.lsu.edu Graduate Mentor: Blaine Nelson, Saurabh Amin, and Dr.

More information

Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks

Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks Jerry Chou, Bill Lin University of California, San Diego Subhabrata Sen, Oliver Spatscheck AT&T Labs-Research USENIX Security

More information

Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks

Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks Yan Hu Dept. of Information Engineering Chinese University of Hong Kong Email: yhu@ie.cuhk.edu.hk D. M. Chiu

More information

Echidna: Efficient Clustering of Hierarchical Data for Network Traffic Analysis

Echidna: Efficient Clustering of Hierarchical Data for Network Traffic Analysis Echidna: Efficient Clustering of Hierarchical Data for Network Traffic Analysis Abdun Mahmood, Christopher Leckie, Parampalli Udaya Department of Computer Science and Software Engineering University of

More information

Profiling the End Host

Profiling the End Host Profiling the End Host Thomas Karagiannis 1, Konstantina Papagiannaki 2, Nina Taft 2, and Michalis Faloutsos 3 1 Microsoft Research 2 Intel Research 3 UC Riverside Abstract. Profiling is emerging as a

More information

Outline. The Problem BGP/Routing Information. Netflow/Traffic Information. Conclusions

Outline. The Problem BGP/Routing Information. Netflow/Traffic Information. Conclusions Outline The Problem BGP/Routing Information BGP-Inspect Information Extraction from BGP Update messages VAST Internet AS topology Visualization Netflow/Traffic Information Flamingo Internet Traffic Exploration

More information

Design and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System

Design and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System Design and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System 1 Hyun-chul Kim, 2Jihoon Lee Dept. of Computer Software Engineering, Sangmyung Univ., hyunchulk@gmail.com

More information

Real-time Behavior Profiling for Network Monitoring

Real-time Behavior Profiling for Network Monitoring Real-time Behavior Profiling for Network Monitoring Kuai Xu Arizona State University E-mail: kuai.xu@asu.edu Corresponding author Feng Wang Arizona State University E-mail: fwang25@asu.edu Supratik Bhattacharyya

More information

Increasing Reliability in Network Traffic Anomaly Detection

Increasing Reliability in Network Traffic Anomaly Detection Increasing Reliability in Network Traffic Anomaly Detection Romain Thibault Fontugne DOCTOR OF PHILOSOPHY Department of Informatics, School of Multidisciplinary Sciences, The Graduate University for Advanced

More information

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B. ICND2 NetFlow Question 1 What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring B. Network Planning C. Security Analysis D. Accounting/Billing Answer: A C D NetFlow

More information

KNOM Tutorial 2003. Internet Traffic Measurement and Analysis. Sue Bok Moon Dept. of Computer Science

KNOM Tutorial 2003. Internet Traffic Measurement and Analysis. Sue Bok Moon Dept. of Computer Science KNOM Tutorial 2003 Internet Traffic Measurement and Analysis Sue Bok Moon Dept. of Computer Science Overview Definition of Traffic Matrix 4Traffic demand, delay, loss Applications of Traffic Matrix 4Engineering,

More information

CAMNEP: An intrusion detection system for highspeed

CAMNEP: An intrusion detection system for highspeed Progress in Informatics, No. 5, pp.65 74, (2008) 65 Special issue: The future of software engineering for security and privacy Research Paper CAMNEP: An intrusion detection system for highspeed networks

More information

Time-Frequency Detection Algorithm of Network Traffic Anomalies

Time-Frequency Detection Algorithm of Network Traffic Anomalies 2012 International Conference on Innovation and Information Management (ICIIM 2012) IPCSIT vol. 36 (2012) (2012) IACSIT Press, Singapore Time-Frequency Detection Algorithm of Network Traffic Anomalies

More information

Design and simulation of wireless network for Anomaly detection and prevention in network traffic with various approaches

Design and simulation of wireless network for Anomaly detection and prevention in network traffic with various approaches IJISE - International Journal of Innovative Science, Engineering & echnology, Vol. 1 Issue 5, July 2014. Design and simulation of wireless network for Anomaly detection and prevention in network traffic

More information

Structural Analysis of Network Traffic Flows

Structural Analysis of Network Traffic Flows Structural Analysis of Network Traffic Flows Anukool Lakhina, Konstantina Papagiannaki, Mark Crovella, Christophe Diot, Eric D. Kolaczyk, and Nina Taft ABSTRACT Network traffic arises from the superposition

More information

Managing Incompleteness, Complexity and Scale in Big Data

Managing Incompleteness, Complexity and Scale in Big Data Managing Incompleteness, Complexity and Scale in Big Data Nick Duffield Electrical and Computer Engineering Texas A&M University http://nickduffield.net/work Three Challenges for Big Data Complexity Problem:

More information

Network Anomaly Detection through Traffic Measurement

Network Anomaly Detection through Traffic Measurement Network Anomaly Detection through Traffic Measurement Yuming Jiang, Zhihua Jin, Atef Abdelkefi, Magnus Ask, Helge Skrautvol Abstract With the growth of the Internet, an increase in network anomalies is

More information

Service Description DDoS Mitigation Service

Service Description DDoS Mitigation Service Service Description DDoS Mitigation Service Interoute, Walbrook Building, 195 Marsh Wall, London, E14 9SG, UK Tel: +800 4683 7681 Email: info@interoute.com Contents Contents 1 Introduction...3 2 An Overview...3

More information

Conclusions and Future Directions

Conclusions and Future Directions Chapter 9 This chapter summarizes the thesis with discussion of (a) the findings and the contributions to the state-of-the-art in the disciplines covered by this work, and (b) future work, those directions

More information

Kuai Xu* and Feng Wang. Supratik Bhattacharyya

Kuai Xu* and Feng Wang. Supratik Bhattacharyya Int. J. Internet Protocol Technology, Vol. 5, Nos. 1/2, 2010 65 Real-time behaviour profiling for network monitoring Kuai Xu* and Feng Wang Arizona State University, 4701 W. Thunderbird Road, Glendale,

More information

CISCO IOS NETFLOW AND SECURITY

CISCO IOS NETFLOW AND SECURITY CISCO IOS NETFLOW AND SECURITY INTERNET TECHNOLOGIES DIVISION FEBRUARY 2005 1 Cisco IOS NetFlow NetFlow is a standard for acquiring IP network and operational data Benefits Understand the impact of network

More information

Online Detection of Network Traffic Anomalies Using Behavioral Distance

Online Detection of Network Traffic Anomalies Using Behavioral Distance Online Detection of Network Traffic Anomalies Using Behavioral Distance Hemant Sengar Xinyuan Wang Haining Wang Duminda Wijesekera Sushil Jajodia Technology Development Dept. Center for Secure Information

More information

Cisco IOS Flexible NetFlow Technology

Cisco IOS Flexible NetFlow Technology Cisco IOS Flexible NetFlow Technology Last Updated: December 2008 The Challenge: The ability to characterize IP traffic and understand the origin, the traffic destination, the time of day, the application

More information

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

A Review of Anomaly Detection Techniques in Network Intrusion Detection System A Review of Anomaly Detection Techniques in Network Intrusion Detection System Dr.D.V.S.S.Subrahmanyam Professor, Dept. of CSE, Sreyas Institute of Engineering & Technology, Hyderabad, India ABSTRACT:In

More information

Lightweight Detection of DoS Attacks

Lightweight Detection of DoS Attacks Lightweight Detection of DoS Attacks Sirikarn Pukkawanna *, Vasaka Visoottiviseth *, Panita Pongpaibool * Department of Computer Science, Mahidol University, Rama 6 Rd., Bangkok 10400, THAILAND E-mail:

More information

Flash Crowds & Denial of Service Attacks

Flash Crowds & Denial of Service Attacks Flash Crowds & Denial of Service Attacks Characterization and Implications for CDNs and Web sites Jaeyeon Jung MIT Laboratory for Computer Science Balachander Krishnamurthy and Michael Rabinovich AT&T

More information

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool Wayne Routly, Maurizio Molina - (DANTE) Ignasi Paredes-Oliva - Universitat Politècnica de Catalunya (UPC) Ashish

More information

System Specification. Author: CMU Team

System Specification. Author: CMU Team System Specification Author: CMU Team Date: 09/23/2005 Table of Contents: 1. Introduction...2 1.1. Enhancement of vulnerability scanning tools reports 2 1.2. Intelligent monitoring of traffic to detect

More information

Network-Wide Capacity Planning with Route Analytics

Network-Wide Capacity Planning with Route Analytics with Route Analytics Executive Summary Capacity planning is an important business process in large IP networks for ensuring reliable application and service delivery. In the days of fixed circuits and

More information

A HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING

A HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING A HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING AZRUDDIN AHMAD, GOBITHASAN RUDRUSAMY, RAHMAT BUDIARTO, AZMAN SAMSUDIN, SURESRAWAN RAMADASS. Network Research Group School of

More information

American Scientific Research Journal for Engineering, Technology, and Sciences (ASRJETS)

American Scientific Research Journal for Engineering, Technology, and Sciences (ASRJETS) American Scientific Research Journal for Engineering, Technology, and Sciences (ASRJETS) (Print & Online) ---------------------------------------------------------------------------------------------------------------------------

More information

Network Management & Monitoring

Network Management & Monitoring Network Management & Monitoring NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

More information

Monitoring Stealthy Network Conversations with Sampled Traffic

Monitoring Stealthy Network Conversations with Sampled Traffic Monitoring Stealthy Network Conversations with Sampled Traffic Anirudh Ramachandran, Srinivasan Seetharaman, Nick Feamster, Anukool Lakhina College of Computing, Georgia Tech Department of Computer Science,

More information

Detecting Anomalous Network Traffic in Organizational Private Networks

Detecting Anomalous Network Traffic in Organizational Private Networks Detecting Anomalous Network Traffic in Organizational Private Networks Risto Vaarandi 2013 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in

More information

On Entropy in Network Traffic Anomaly Detection

On Entropy in Network Traffic Anomaly Detection On Entropy in Network Traffic Anomaly Detection Jayro Santiago-Paz, Deni Torres-Roman. Cinvestav, Campus Guadalajara, Mexico November 2015 Jayro Santiago-Paz, Deni Torres-Roman. 1/19 On Entropy in Network

More information

How to build a Carrier-Grade Defense-Shield. Dr. Antonio Nucci Chief Technology Officer, Narus Inc.

How to build a Carrier-Grade Defense-Shield. Dr. Antonio Nucci Chief Technology Officer, Narus Inc. How to build a Carrier-Grade Defense-Shield Dr. Antonio Nucci Chief Technology Officer, Narus Inc. Agenda Security Market Landscape Approach to Efficiently and Shortly Detect DDoS/Worms 2 Take a walk on

More information

Netflow Overview. PacNOG 6 Nadi, Fiji

Netflow Overview. PacNOG 6 Nadi, Fiji Netflow Overview PacNOG 6 Nadi, Fiji Agenda Netflow What it is and how it works Uses and Applications Vendor Configurations/ Implementation Cisco and Juniper Flow-tools Architectural issues Software, tools

More information

Source-domain DDoS Prevention

Source-domain DDoS Prevention bhattacharjee, LTS S 05 Page: 0 Source-domain DDoS Prevention Bobby Bhattacharjee Christopher Kommareddy Mark Shayman Dave Levin Richard La Vahid Tabatabaee University of Maryland bhattacharjee, LTS S

More information

Le Routage Robuste Réactif Une combinaison de techniques d ingénierie de trafic proactives et réactives pour traiter le trafic dynamique de réseau

Le Routage Robuste Réactif Une combinaison de techniques d ingénierie de trafic proactives et réactives pour traiter le trafic dynamique de réseau Le Routage Robuste Réactif Une combinaison de techniques d ingénierie de trafic proactives et réactives pour traiter le trafic dynamique de réseau Pedro Casas et Sandrine Vaton Brest, France, 27-28 mars

More information

AS THE Internet continues to grow in size and complexity,

AS THE Internet continues to grow in size and complexity, IEEE/ACM TRANSACTIONS ON NETWORKING, VOL. 16, NO. 6, DECEMBER 2008 1241 Internet Traffic Behavior Profiling for Network Security Monitoring Kuai Xu, Zhi-Li Zhang, Member, IEEE, and Supratik Bhattacharyya

More information

Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1. Network Security. Canada France Meeting on Security, Dec 06-08

Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1. Network Security. Canada France Meeting on Security, Dec 06-08 Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1 Network Security Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 2 Collaboration with Frank Akujobi

More information

Data Mining Part 5. Prediction

Data Mining Part 5. Prediction Data Mining Part 5. Prediction 5.1 Spring 2010 Instructor: Dr. Masoud Yaghini Outline Classification vs. Numeric Prediction Prediction Process Data Preparation Comparing Prediction Methods References Classification

More information

NSC 93-2213-E-110-045

NSC 93-2213-E-110-045 NSC93-2213-E-110-045 2004 8 1 2005 731 94 830 Introduction 1 Nowadays the Internet has become an important part of people s daily life. People receive emails, surf the web sites, and chat with friends

More information

Predicting Resource Usage of Arbitrary Network Traffic Queries

Predicting Resource Usage of Arbitrary Network Traffic Queries Predicting Resource Usage of Arbitrary Network Traffic Queries Pere Barlet-Ros, Gianluca Iannaccone, Josep Sanjuàs-Cuxart, Diego Amores-López, Josep Solé-Pareta Universitat Politècnica de Catalunya Barcelona,

More information

How is SUNET really used?

How is SUNET really used? MonNet a project for network and traffic monitoring How is SUNET really used? Results of traffic classification on backbone data Wolfgang John and Sven Tafvelin Dept. of Computer Science and Engineering

More information

Security Toolsets for ISP Defense

Security Toolsets for ISP Defense Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.

More information

Bio-Inspired Anomaly Detection

Bio-Inspired Anomaly Detection Bio-Inspired Anomaly Detection Cyber Security Division 2012 Principal Investigators Meeting 10/11/12 S. Raj Rajagopalan Scientist HP Labs/Honeywell Sraj.raj@gmail.com 908-305-1681 Bio-Inspired Anomaly

More information

Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention

Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention Efficient Detection for DOS Attacks by Multivariate Correlation Analysis and Trace Back Method for Prevention Thivya. T 1, Karthika.M 2 Student, Department of computer science and engineering, Dhanalakshmi

More information

EE627 Lecture 22. Multihoming Route Control Devices

EE627 Lecture 22. Multihoming Route Control Devices EE627 Lecture 22 Multihoming Route Control Devices 1 Multihoming Connect to multiple ISPs Provide reliability from access link/isp failures Potential for load balancing Intelligent Route Control Devices

More information

Page 1. Outline EEC 274 Internet Measurements & Analysis. Traffic Measurements. Motivations. Applications

Page 1. Outline EEC 274 Internet Measurements & Analysis. Traffic Measurements. Motivations. Applications Outline EEC 274 Internet Measurements & Analysis Spring Quarter, 2006 Traffic Measurements Traffic measurements What metrics are we interested in? Measurement and analysis methodologies Traffic characterization

More information

AlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log

AlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log Complete. Simple. Affordable Copyright 2014 AlienVault. All rights reserved. AlienVault, AlienVault Unified Security Management, AlienVault USM, AlienVault Open Threat Exchange, AlienVault OTX, Open Threat

More information

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT

DDoS Protection. How Cisco IT Protects Against Distributed Denial of Service Attacks. A Cisco on Cisco Case Study: Inside Cisco IT DDoS Protection How Cisco IT Protects Against Distributed Denial of Service Attacks A Cisco on Cisco Case Study: Inside Cisco IT 1 Overview Challenge: Prevent low-bandwidth DDoS attacks coming from a broad

More information

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial Rocky K. C. Chang The Hong Kong Polytechnic University Presented by Scott McLaren 1 Overview DDoS overview Types of attacks

More information

Evaluating the Potential of Collaborative Anomaly Detection

Evaluating the Potential of Collaborative Anomaly Detection Evaluating the Potential of Collaborative Anomaly Detection Haakon Ringberg, Augustin Soule, and Matthew Caesar Princeton University, Thomson, UIUC Abstract. Unwanted traffic is a serious problem for users

More information

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest

More information

The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack

The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack Asnita Hashim, University of Technology MARA, Malaysia April 14-15, 2011 The Integration of SNORT with K-Means Clustering

More information

Effect of sampling rate and monitoring granularity on anomaly detectability

Effect of sampling rate and monitoring granularity on anomaly detectability Effect of sampling rate and monitoring granularity on anomaly detectability Keisuke Ishibashi, Ryoichi Kawahara, Mori Tatsuya, Tsuyoshi Kondoh and Shoichiro Asano Information Sharing Platform Labs. NTT

More information

Intelligent Routing Platform White Paper

Intelligent Routing Platform White Paper White Paper Table of Contents 1. Executive Summary...3 2. The Challenge of a Multi-Homed Environment...4 3. Network Congestion and Blackouts...4 4. Intelligent Routing Platform...5 4.1 How It Works...5

More information

Reformulating the monitor placement problem: Optimal Network-wide wide Sampling

Reformulating the monitor placement problem: Optimal Network-wide wide Sampling Reformulating the monitor placement problem: Optimal Network-wide wide Sampling Gianluca Iannaccone Intel Research @ Cambridge Joint work with: G. Cantieni,, P. Thiran (EPFL) C. Barakat (INRIA), C. Diot

More information

A Survey on Intrusion Detection System with Data Mining Techniques

A Survey on Intrusion Detection System with Data Mining Techniques A Survey on Intrusion Detection System with Data Mining Techniques Ms. Ruth D 1, Mrs. Lovelin Ponn Felciah M 2 1 M.Phil Scholar, Department of Computer Science, Bishop Heber College (Autonomous), Trichirappalli,

More information

Automaton Models. Short Overview DRAFT. C. Hammerschmidt (SnT) Automaton Models for NetFlows SnT 2015-07-24 1 / 13

Automaton Models. Short Overview DRAFT. C. Hammerschmidt (SnT) Automaton Models for NetFlows SnT 2015-07-24 1 / 13 Automaton Models for Netflow Analysis Fingerprinting and Classifying Participants NMRG Workshop, Prague, Czech Republic Friday, July 24th 2015 Christian A Hammerschmidt,christian.hammerschmidt@uni.lu Interdisciplinary

More information

Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation

Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation Yu Gu, Andrew McCallum, Don Towsley Department of Computer Science, University of Massachusetts, Amherst, MA 01003 Abstract We develop

More information

Network Monitoring and Management NetFlow Overview

Network Monitoring and Management NetFlow Overview Network Monitoring and Management NetFlow Overview These materials are licensed under the Creative Commons Attribution-Noncommercial 3.0 Unported license (http://creativecommons.org/licenses/by-nc/3.0/)

More information

Unified Security Management

Unified Security Management Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy

More information

INTEGRATION OF AUDIT DATA ANALYSIS AND MINING TECHNIQUES INTO AIDE

INTEGRATION OF AUDIT DATA ANALYSIS AND MINING TECHNIQUES INTO AIDE AFRL-IF-RS-TR-2006-250 Final Technical Report July 2006 INTEGRATION OF AUDIT DATA ANALYSIS AND MINING TECHNIQUES INTO AIDE George Mason University APPROVED FOR PUBLIC RELEASE; DISTRIBUTION UNLIMITED. AIR

More information

In-Network PCA and Anomaly Detection

In-Network PCA and Anomaly Detection In-Network PCA and Anomaly Detection Ling Huang University of California Berkeley, CA 947 hling@cs.berkeley.edu XuanLong Nguyen University of California Berkeley, CA 947 xuanlong@cs.berkeley.edu Minos

More information

CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Intrusion Detection System 1 Intrusion Definitions A set of actions aimed to compromise the security

More information

PeerRush: Mining for Unwanted P2P Traffic

PeerRush: Mining for Unwanted P2P Traffic PeerRush: Mining for Unwanted P2P Traffic Babak Rahbarinia 1, Roberto Perdisci 1 Andrea Lanzi 2, and Kang Li 1 1 Dept. of Computer Science, University of Georgia, Athens, GA 30602, USA, babak,perdisci,kangli@cs.uga.edu

More information

8. 網路流量管理 Network Traffic Management

8. 網路流量管理 Network Traffic Management 8. 網路流量管理 Network Traffic Management Measurement vs. Metrics end-to-end performance topology, configuration, routing, link properties state active measurements active routes active topology link bit error

More information

Internet Security Systems

Internet Security Systems Internet Security Systems Monitoring the network to enhance visibility, integrity and preemtive protection ISS Company Background World s leading independent IT security provider World leader in security

More information

Network Monitoring Using Traffic Dispersion Graphs (TDGs)

Network Monitoring Using Traffic Dispersion Graphs (TDGs) Network Monitoring Using Traffic Dispersion Graphs (TDGs) Marios Iliofotou Joint work with: Prashanth Pappu (Cisco), Michalis Faloutsos (UCR), M. Mitzenmacher (Harvard), Sumeet Singh(Cisco) and George

More information

Hashdoop: A MapReduce Framework for Network Anomaly Detection

Hashdoop: A MapReduce Framework for Network Anomaly Detection Hashdoop: A MapReduce Framework for Network Anomaly Detection Romain Fontugne, Johan Mazel, Kensuke Fukuda National Institute of Informatics Japanese - French Laboratory for Informatics Tokyo, Japan Abstract

More information

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA Professor Yang Xiang Network Security and Computing Laboratory (NSCLab) School of Information Technology Deakin University, Melbourne, Australia http://anss.org.au/nsclab

More information

Hybrid Intrusion Detection System Using K-Means Algorithm

Hybrid Intrusion Detection System Using K-Means Algorithm International Journal of Computer Sciences and Engineering Open Access Review Paper Volume-4, Issue-3 E-ISSN: 2347-2693 Hybrid Intrusion Detection System Using K-Means Algorithm Darshan K. Dagly 1*, Rohan

More information

Real-time Classification of IDS Alerts with Data Mining Techniques

Real-time Classification of IDS Alerts with Data Mining Techniques Real-time Classification of IDS Alerts with Data Mining Techniques Risto Vaarandi Copyright 2009 IEEE. Personal use of this material is permitted. However, permission to reprint/republish this material

More information

Abstract. 1 Introduction. CSAMP: A System for Network-Wide Flow Monitoring

Abstract. 1 Introduction. CSAMP: A System for Network-Wide Flow Monitoring CSAMP: A System for Network-Wide Flow Monitoring Vyas Sekar, Michael K. Reiter, Walter Willinger, Hui Zhang, Ramana Rao Kompella, David G. Andersen Carnegie Mellon University, UNC-Chapel Hill, AT&T Labs-Research,

More information

TELCO challenge: Learning and managing the network behavior

TELCO challenge: Learning and managing the network behavior TELCO challenge: Learning and managing the network behavior M.Sc. Ljupco Vangelski CEO, Scope Innovations Kiril Oncevski NOC, ISP Neotel Skopje Presentation overview Challenges for the modern network monitoring

More information

Anomaly Detection Aiming Pro-Active Management of Computer Network Based on Digital Signature of Network Segment *

Anomaly Detection Aiming Pro-Active Management of Computer Network Based on Digital Signature of Network Segment * LANOMS 2005-4th Latin American Network Operations and Management Symposium 53 Anomaly Detection Aiming Pro-Active Management of Computer Network Based on Digital Signature of Network Segment * Bruno Bogaz

More information

Signature-aware Traffic Monitoring with IPFIX 1

Signature-aware Traffic Monitoring with IPFIX 1 Signature-aware Traffic Monitoring with IPFIX 1 Youngseok Lee, Seongho Shin, and Taeck-geun Kwon Dept. of Computer Engineering, Chungnam National University, 220 Gungdong Yusonggu, Daejon, Korea, 305-764

More information

Characterizing Home Network Traffic: An Inside View

Characterizing Home Network Traffic: An Inside View Characterizing Home Network Traffic: An Inside View Kuai Xu 1,FengWang 1,LinGu 2, Jianhua Gao 3, and Yaohui Jin 4,5 1 Arizona State University 2 Hong Kong University of Science and Technology 3 Wuhan University

More information

Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC)

Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Doug Pearson Director, REN-ISAC ren-isac@iu.edu Copyright Trustees of Indiana University 2003. Permission is granted

More information

IP Forwarding Anomalies and Improving their Detection using Multiple Data Sources

IP Forwarding Anomalies and Improving their Detection using Multiple Data Sources IP Forwarding Anomalies and Improving their Detection using Multiple Data Sources Matthew Roughan (Univ. of Adelaide) Tim Griffin (Intel Research Labs) Z. Morley Mao (Univ. of Michigan) Albert Greenberg,

More information

CHAPTER 4 : CASE STUDY WEB APPLICATION DDOS ATTACK GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

CHAPTER 4 : CASE STUDY WEB APPLICATION DDOS ATTACK GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC : CASE STUDY WEB APPLICATION DDOS ATTACK 1 WEB APPLICATION DDOS ATTACK CASE STUDY MORAL Ensuring you have DoS/DDoS protection in place, before you are attacked, can pay off. OVERVIEW XYZ Corp (name changed

More information

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors Integration Misuse and Anomaly Detection Techniques on Distributed Sensors Shih-Yi Tu Chung-Huang Yang Kouichi Sakurai Graduate Institute of Information and Computer Education, National Kaohsiung Normal

More information

LEISURE: A Framework for Load-Balanced Network-Wide Traffic Measurement

LEISURE: A Framework for Load-Balanced Network-Wide Traffic Measurement LEISURE: A Framework for Load-Balanced Network-Wide Traffic Measurement Chia-Wei Chang, Guanyao Huang, Bill Lin, Chen-Nee Chuah University of California, San Diego, University of California, Davis ABSTRACT

More information

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS WHITE PAPER INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS Network administrators and security teams can gain valuable insight into network health in real-time by

More information