Contribution of the French MetroSec project to traffic anomalies detection
1 Contribution of the French MetroSec project to traffic anomalies detection
Philippe OWEZARSKI, LAAS-CNRS, Toulouse, France
With the contribution of Patrice Abry, Pierre Borgnat, Nicolas Larrieu, Antoine Scherrer, Silvia Farraposo
Colloque STIC, Paris, 7 novembre
2 Outline
- Traffic characteristics and IDS
- A non Gaussian and long memory model for Internet traffic with anomalies
- Model validation with traffic traces (with and without anomalies)
- Anomalies/DDoS attacks detection
  - With the non Gaussian and long memory model
  - Using deltoids
- Ongoing and future work
3 Limits of current IDS
- Signature based:
  - Create a database with known attack signatures
  - But the database is always incomplete
  - New attacks cannot be detected
- Profile based:
  - Issue a stable profile for the analyzed system
  - Compare the actual behavior with the typical profile
  - Able to detect new attacks
Even if profile based IDS are not appreciated, we like their ability to detect new attacks. But what do profile based IDS lack? Traffic monitoring, characterization, analysis and modeling should help to define the traffic profile.
4 Known traffic characteristics
- Non Gaussian, non Poisson statistics
- Long Range Dependence (LRD), strong correlations
- Traffic can look different according to the granularity of observation
- And traffic is highly variable!
5 Profile based IDS issues
- Traffic profiles in IDS do not consider such variability
- False positive rate is high
- Impossible to fix reliable thresholds
[Figure: temporal evolution of the number of TCP/SYN packets]
- A traffic profile cannot be based only on some averages (non Gaussian)
- High level statistics are required
6 Marginal laws
- Distributions of empirical probabilities [Figure: LBL-TCP-3 at Δ=4ms, Δ=32ms, Δ=256ms]
- Poisson model? Exponential law? Gaussian?
- What aggregation level to select?
7 Traffic correlation (SRD and LRD)
[Figure: Hurst parameter H]
8 What model for a non Gaussian and long memory process?
9 Non Gaussian with LRD model
Joint modelling of 1st and 2nd order statistics
- Packet aggregated count process: X_Δ(k) = #pkt during [kΔ, (k+1)Δ]
- Bytes aggregated count process: W_Δ(k) = #bytes during [kΔ, (k+1)Δ]
1st: PDFs of marginals as gamma laws (note: one fit for each Δ)
2nd: Covariance (or spectrum) with LRD: covariance of a farima model
10 Gamma distributions
$$\Gamma_{\alpha,\beta}(x) = \frac{1}{\beta\,\Gamma(\alpha)}\left(\frac{x}{\beta}\right)^{\alpha-1}\exp\left(-\frac{x}{\beta}\right)$$
- Shape parameter α: can model from Gaussian to exponential; 1/α is the distance to Gaussian
- Scale parameter β: multiplicative factor
11 Long memory from a farima model
- Long range dependence: the covariance is non-summable, power-law spectrum $f_{X_\Delta}(\nu)$:
$$f_{X_\Delta}(\nu) \sim C\,|\nu|^{-\gamma}, \quad \nu \to 0, \quad \text{with } 0 < \gamma < 1$$
- Farima = fractionally integrated ARMA
  1. Fractional integration with parameter d: LRD with γ = 2d
  2. Short range correlation of an ARMA(1, 1) with parameters θ, φ
$$f_{X_\Delta}(\nu) = \sigma_\varepsilon^2\,\left|1 - e^{i2\pi\nu}\right|^{-2d}\,\frac{\left|1 - \theta\,e^{i2\pi\nu}\right|^2}{\left|1 - \varphi\,e^{i2\pi\nu}\right|^2}$$
12 Monitoring platform
[Figure: map of the monitoring platform sites: ENST, DAG, LIP6 Jussieu, QoSMOS, ENST-B, INT, RIPE TTM, Mont de Marsan, ENS Lyon, Pau, EURECOM, IUT GTR, LAAS]
13 Traces for validation
Data           Date (start time)  T (s)  Network link      # Pkts (10^6)  IAT (ms)  Repository
PAUG           (11:25)            2620   LAN (100BaseT)                             ita.ee.lbl.gov/index.html
LBL-TCP        (14:10)            7200   WAN (100BaseT)                             ita.ee.lbl.gov/index.html
AUCK-IV        (13:00)                   WAN (OC3)                                  wand.cs.xaikato.ac.nz/wand/wits
CAIDA          (10:00)            600    Backbone (OC48)                            /oc48/
UNC            (16:00)            3600   WAN (100BaseT)                             www-dirt.cs.unc.edu/ts
METROSEC-ref   (18:30)            5000   LAN (100BaseT)
METROSEC-ref   (02:00)            9000   LAN (100BaseT)
METROSEC-DDoS  (20:00)            9000   LAN (100BaseT)
METROSEC-FC    (14:30)            1800   LAN (100BaseT)
14 DDoS and flash crowds database
[Table: columns Id, trace beginning, trace duration (s), attack beginning, attack duration (s), throughput, packet size, ratio (%). DDoS traces generated with Iperf: R, I, II, III, IV, V, A, B, C. Flash crowds (generated by humans): FC-1, FC-2.]
15 Γ_{α,β} farima(φ, d, θ) model validation
- Parameter estimation:
  - 1st order: instead of the usual moment based technique, which estimates μ and σ², we use maximum likelihood based estimates for α and β.
  - 2nd order: LRD (long memory) is estimated with a multiresolution analysis, characterized by d, the long memory parameter, measured on an aggregation range Δ for which the log scale diagram is linear. From this wavelet based estimation of d, we perform a fractional derivation of X_Δ. This removes the long memory from the process so that only the ARMA component is left. φ and θ are then easy to estimate with an iterative procedure based on the Gauss-Newton algorithm.
16 Γ_{α,β} farima(φ, d, θ) model validation
- To assess the validity of the model with actual traffic traces, we made a comparative analysis of:
  - Actual trace time series
  - Γ_{α,β} farima(φ, d, θ) time series produced by a numerical generator designed for this purpose
17 AUCK-IV: Γ_{α,β} farima(φ, d, θ) fits
[Figure: marginals and covariances at Δ=10ms, Δ=100ms, Δ=400ms; j=1 corresponds to 10 ms]
18 METROSEC-ref1: Γ_{α,β} farima(φ, d, θ) fits
[Figure: marginals and covariances at Δ=10ms, Δ=100ms, Δ=400ms; j=1 corresponds to 10 ms]
19 METROSEC-DDoS & FC: Γ_{α,β} marginal fits
[Figure: DDoS attack and flash crowd at Δ=2ms and Δ=32ms]
20 Logscale diagrams for METROSEC-DDoS & FC
[Figure: DDoS and flash crowd, before, during and after]
21 Estimated α and β as a function of log2 Δ
[Figure: α and β before, during and after the DDoS and the flash crowd]
22 DDoS impact on traffic (1)
- α = shape parameter; 1/α quantifies the gap with a Gaussian law
- β = scale parameter; decreases during a DDoS attack
A DDoS attack accelerates the convergence of the traces towards a Gaussian distribution, and decreases the fluctuation scale around the average traffic.
23 DDoS impact on traffic (2)
- Histograms
  - Regular traffic: ≠ 0 at the origin, α small, but the variance (hence β) is large
  - DDoS attack: equals 0 on an interval containing 0, fast increase of α, and the dispersion (β) is small and blocked
24 Partial conclusion
- Model for characterizing Internet traffic which works with and without anomalies
- Some parameters change differently in the presence of a legitimate (flash crowd) or illegitimate (DDoS) anomaly
How to use such a model for an efficient and robust profile based IDS?
25 Detection principles
- Select a reference window
- Segment the trace into sliding windows of duration T
- For a window at time I:
  - Aggregate the trace at scales Δ = 2^j, j = 1, ..., J
  - Estimate the parameters α_Δ(I), β_Δ(I)
  - Compute the distance D(I) to the reference, between I and R
  - Select a threshold λ: if D(I) exceeds λ, anomaly
26 Selection of the best distance (Basseville 89)
- Quadratic distance on parameters:
$$D_\alpha(I) = \frac{1}{J}\sum_{j=1}^{J}\left(\alpha_j(I) - \alpha_j(R)\right)^2, \qquad D_\beta(I) = \frac{1}{J}\sum_{j=1}^{J}\left(\beta_j(I) - \beta_j(R)\right)^2$$
- Kullback-Leibler divergence; p1 and p2 are two p.d.f.:
$$D_K(p_1, p_2) = \int \left(p_1(x) - p_2(x)\right)\left(\ln p_1(x) - \ln p_2(x)\right)dx$$
giving a distance with one or two scales:
$$D_K^{(1)}(I) = D_K\left(p_{\Delta,I},\, p_{\Delta,R}\right), \qquad D_K^{(2)}(I) = D_K\left(p_{\Delta,\Delta',I},\, p_{\Delta,\Delta',R}\right)$$
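The detection principle of slides 25 and 26 on a constructed count series, as an added example that is not code from the slides or from the MetroSec project: windows are aggregated at Δ = 2^j, the gamma law of slide 10 is fitted per scale, and each window is compared to the reference window with the quadratic distances D_α, D_β and the symmetrised Kullback-Leibler divergence integrated numerically. Assumptions: moment-based (α, β) estimates stand in for the slides' maximum-likelihood estimates, the traffic is synthetic, and the threshold λ is arbitrary.

```python
import math
import random


def aggregate(counts, j):
    """Aggregate a base-resolution count series at scale Δ = 2**j
    (slide 25): X_Δ(k) = sum of 2**j consecutive base slots."""
    step = 2 ** j
    return [sum(counts[i:i + step]) for i in range(0, len(counts) - step + 1, step)]


def gamma_moments(x):
    """Moment-based gamma parameters: α = μ²/σ², β = σ²/μ.
    (Assumption: stands in for the slides' maximum-likelihood estimates.)"""
    n = len(x)
    mu = sum(x) / n
    var = sum((v - mu) ** 2 for v in x) / n
    return mu * mu / var, var / mu


def gamma_logpdf(x, alpha, beta):
    """Log of the Γ_{α,β} density of slide 10, for x > 0."""
    return ((alpha - 1) * math.log(x) - x / beta
            - alpha * math.log(beta) - math.lgamma(alpha))


def kl_sym(p1, p2, npts=4000):
    """Symmetrised Kullback-Leibler divergence of slide 26,
    ∫ (p1(x) - p2(x)) (ln p1(x) - ln p2(x)) dx, evaluated on a grid.
    p1 and p2 are (α, β) tuples of gamma laws."""
    # grid upper bound: mean + 8 standard deviations of the wider law
    hi = max(a * b + 8.0 * math.sqrt(a) * b for a, b in (p1, p2))
    dx = hi / npts
    total = 0.0
    for i in range(1, npts + 1):
        x = i * dx
        l1, l2 = gamma_logpdf(x, *p1), gamma_logpdf(x, *p2)
        total += (math.exp(l1) - math.exp(l2)) * (l1 - l2)
    return total * dx


def window_params(window, scales):
    """(α_Δ, β_Δ) of one window for every scale j in `scales`."""
    return {j: gamma_moments(aggregate(window, j)) for j in scales}


def quad_distance(par_i, par_r, which):
    """D_α (which=0) or D_β (which=1): mean squared parameter gap over scales."""
    return sum((par_i[j][which] - par_r[j][which]) ** 2 for j in par_i) / len(par_i)


def detect(series, win, scales, lam, ref_index=0):
    """Slide 25: cut `series` into windows of `win` base slots, take window
    `ref_index` as the reference R, and flag a window I when the one-scale
    KL distance D_K^(1)(I) at the finest scale exceeds λ.
    Returns (index, D_α, D_β, D_K, flagged) per window."""
    windows = [series[i:i + win] for i in range(0, len(series) - win + 1, win)]
    ref = window_params(windows[ref_index], scales)
    result = []
    for idx, w in enumerate(windows):
        cur = window_params(w, scales)
        dk = kl_sym(cur[scales[0]], ref[scales[0]])
        result.append((idx, quad_distance(cur, ref, 0),
                       quad_distance(cur, ref, 1), dk, dk > lam))
    return result


def constructed_series(n_windows=8, win=256, attack=(4, 5), seed=7):
    """Constructed sample: regular traffic is bursty gamma-like counts
    (α = 0.8, β = 50 per base slot); during the attack windows a flood of
    near-constant extra packets is added, which pushes α up and β down
    (the DDoS effect described on slides 22-23)."""
    rng = random.Random(seed)
    series = []
    for w in range(n_windows):
        for _ in range(win):
            c = rng.gammavariate(0.8, 50)
            if w in attack:
                c += 200.0
            series.append(int(round(c)))
    return series


if __name__ == "__main__":
    data = constructed_series()
    for idx, da, db, dk, hit in detect(data, 256, [1, 2, 3], lam=1.0):
        print(f"window {idx}: D_alpha={da:9.2f} D_beta={db:9.2f} "
              f"D_K={dk:8.3f} {'ANOMALY' if hit else ''}")
```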
27 Ex. 1: Denial of Service attack
[Figure: D_α(I) and D_β(I)]
28 Ex. 2: Multiplicative increase of traffic
[Figure: D_α(I) and D_β(I)]
29 Ex. 3: Comparison between distances
[Figure: KL 1D, j=4; KL 1D, j=7; D_α; KL 2D, j=4,7]
30 Statistical performance: ROC curves
- ROC curves: detection probability according to the fixed probability of false alarms
- P_D = f(P_FA), or P_D = f(λ) and P_FA = f(λ)
31 Statistical performance: detection probability
[Table: detection probability of each method (DQM D_α; D_K^16 (1D); D_K^128 (1D); D_K^16,128 (2D)) on traces #A, #B, #C, #R, #I, #II, #III, #IV, #V, at P_FA = 10% and P_FA = 20%]
32 Conclusion on anomalies/attacks detection
- Parameters of the Γ_{α,β} farima(φ, d, θ) model change differently depending on the type of anomaly
- The Kullback-Leibler distance allows a robust detection of attacks, even when they represent less than 1% of the traffic (and it is not sensitive to an artificial increase of the amount of traffic)
BUT: with this method it is not possible to identify the packets/flows constituting the anomaly
33 Objectives
- Define an approach to
  - Detect
  - Classify
  - Identify
  traffic anomalies (one or more occurrences that change the normal flow of data over a network)
- Define a signature for each traffic anomaly, based on simple parameters:
  - must be easy to handle by network administrators
  - must permit the design of IPS
34 The NAD Algorithm
- Multi-scale concept
- Tomography-based concept
- Generic multi-criteria
  - Uses simple mathematical functions, such as volume parameters, to detect anomalous flows:
    - Number of packets per unit of time
    - Number of bytes per unit of time
    - Number of new flows per unit of time
  - Uses IP features (addresses and ports) to identify the anomalies
35 The NAD Algorithm (2): Multi-scale
[Figure: a 600 s interval split into 2 × 300 s, 10 × 60 s and 20 × 30 s windows]
36 The NAD Algorithm (3): Tomography
[Figure]
37 Formal definition
- To be detected, an anomaly must be responsible for a significant variation in one of the parameters: deltoid based method
$$X = \{x_1, x_2, \dots, x_n\}, \quad x_i = \#\{\text{packets} \mid \text{bytes} \mid \text{flows}\} \text{ per } \Delta \ (\text{time granularity})$$
$$P = \{p_1, p_2, \dots, p_{n-1}\}, \quad p_i = \frac{x_{i+1} - x_i}{\Delta}$$
$$p_i \geq E(p) + k\sigma \Rightarrow \text{select}; \qquad p_i < E(p) + k\sigma \Rightarrow \text{reject}$$
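The deltoid rule above applied at the multi-scale windows of slide 35, as an added example that is not the project's NAD tool: a constructed series of packet counts per 30 s covering one hour, with a 90 s burst, is re-aggregated to 60 s, 300 s and 600 s, and at each scale the deltoids p_i = (x_{i+1} - x_i)/Δ at or above E(p) + kσ are selected and mapped back to the start time of the slot where the jump lands. The data, k = 2 and the "at least two deltoids" guard are assumptions.

```python
import math


def aggregate_to(counts, base_delta, delta):
    """Re-aggregate a series sampled every `base_delta` seconds to `delta`
    seconds (the multi-scale windows of slide 35); a trailing partial block
    is dropped."""
    if delta % base_delta:
        raise ValueError("delta must be a multiple of base_delta")
    step = delta // base_delta
    return [sum(counts[i:i + step]) for i in range(0, len(counts) - step + 1, step)]


def deltoids(x, delta):
    """P = {p_1, ..., p_{n-1}}, p_i = (x_{i+1} - x_i) / Δ (slide 37)."""
    return [(x[i + 1] - x[i]) / delta for i in range(len(x) - 1)]


def select_deltoids(p, k):
    """Indices i with p_i >= E(p) + kσ (selection rule of slide 37);
    σ is the population standard deviation of P."""
    n = len(p)
    mean = sum(p) / n
    sigma = math.sqrt(sum((v - mean) ** 2 for v in p) / n)
    threshold = mean + k * sigma
    return [i for i, v in enumerate(p) if v >= threshold]


def nad_multiscale(counts, base_delta, scales, k=2.0):
    """For each scale Δ in `scales`, return the start times (s) of the slots
    whose count jumped by at least E(p) + kσ relative to the previous slot.
    The same routine applies to the byte and new-flow series of slide 34."""
    report = {}
    for delta in scales:
        x = aggregate_to(counts, base_delta, delta)
        p = deltoids(x, delta)
        if len(p) < 2:
            report[delta] = []  # assumption: too few deltoids to estimate σ
            continue
        # deltoid i compares slot i with slot i+1; the jump lands in slot i+1
        report[delta] = [(i + 1) * delta for i in select_deltoids(p, k)]
    return report


def constructed_counts():
    """Constructed sample: 120 slots of 30 s (one hour) of about 1000 packets
    per slot with a small deterministic ripple, plus a 90 s burst of +4000
    packets per slot in slots 50..52, i.e. from t = 1500 s to t = 1590 s."""
    counts = [1000 + 20 * ((i * 7) % 5) for i in range(120)]
    for i in (50, 51, 52):
        counts[i] += 4000
    return counts


if __name__ == "__main__":
    # The burst is caught at 30 s, 60 s and 300 s, all pointing at t = 1500 s,
    # but is diluted below the 2σ threshold once the window reaches 600 s.
    for delta, starts in nad_multiscale(constructed_counts(), 30, [30, 60, 300, 600]).items():
        print(f"scale {delta:4d} s: anomalous slots starting at {starts}")
```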
38 Some types of anomalies
[Figure: point plots over the port ID, source IP and destination IP axes, with regions labelled port scan, network scan, DDoS, flash crowd, long flow and other type]
The distribution of points in the plots can give a clue about the type of anomaly!
39 Flooding attack
[Figure]
40 Signatures: Denial of Service
[Figure]
41 Signatures: Denial of Service
[Figure: n source ports : n destination ports and n source ports : 1 destination port patterns, plotted over IP source and IP source/port]
42 Flooding attack
[Figure]
43 Signatures: Network scan
[Figure: plotted over IP destination, IP destination/port and destination port]
44 Network scan
[Figure]
45 NAD tool assessment
[Figure]
46 Contribution in anomalies detection
- Experimental platform with monitoring and measurement capabilities
- IDS assessment methodology
- Its related database of traces with anomalies
  - Unfortunately not publicly available
- Original anomalies detection, classification and identification algorithms
  - Which proved to be efficient and accurate
  - Which raised much interest: FT, WIDE, ...
- Traffic generator
47 Ongoing and future work
- Performance comparison between our tools and several other detection tools (both research and commercial)
- Fixing the threshold automatically
  - Use honeypot results on botnets for this purpose
- Using sketches on the Γ_{α,β} farima(φ, d, θ) model, it is possible to detect the packets constituting the anomalies (SIGCOMM LSAD 2007)
48 More information
Newsletter Inter-domain QoS, Issue 8, March 2004 Online monthly journal of INTERMON consortia Dynamic information concerning research, standardisation and practical issues of inter-domain QoS --------------------------------------------------------------------
More informationJava Modules for Time Series Analysis
Java Modules for Time Series Analysis Agenda Clustering Non-normal distributions Multifactor modeling Implied ratings Time series prediction 1. Clustering + Cluster 1 Synthetic Clustering + Time series
More informationMining Anomalies in Network-Wide Flow Data. Anukool Lakhina, Ph.D. with Mark Crovella and Christophe Diot
Mining Anomalies in Network-Wide Flow Data Anukool Lakhina, Ph.D. with Mark Crovella and Christophe Diot SANOG-7, Mumbai, January, 00 Network Anomaly Diagnosis Am I being attacked? Is someone scanning
More informationStatistical Machine Learning
Statistical Machine Learning UoC Stats 37700, Winter quarter Lecture 4: classical linear and quadratic discriminants. 1 / 25 Linear separation For two classes in R d : simple idea: separate the classes
More informationMonitoring the Dynamics of Network Traffic by Recursive Multi-dimensional Aggregation
Monitoring the Dynamics of Network Traffic by Recursive Multi-dimensional Aggregation Midori Kato Keio University katoon@sfc.wide.ad.jp Kenjiro Cho IIJ/Keio University kjc@iijlab.net Michio Honda NEC Europe
More informationThe Cyber Threat Profiler
Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are
More informationBitmap Algorithms for Counting Active Flows on High Speed Links. Elisa Jasinska jasinska@informatik.hu-berlin.de
Bitmap Algorithms for Counting Active Flows on High Speed Links Elisa Jasinska jasinska@informatik.hu-berlin.de Seminar: Internet Measurement Technische Universität Berlin - Deutsche Telekom Laboratories
More informationNetwork-based Modeling of Assets and Malicious Actors
Network-based Modeling of Assets and Malicious Actors Christopher Kruegel Computer Security Group MURI Meeting Santa Barbara, August 23-24, 2010 Motivation Thrust I: Obtaining an up-to-date view of the
More informationdegrees of freedom and are able to adapt to the task they are supposed to do [Gupta].
1.3 Neural Networks 19 Neural Networks are large structured systems of equations. These systems have many degrees of freedom and are able to adapt to the task they are supposed to do [Gupta]. Two very
More informationCCNY. BME I5100: Biomedical Signal Processing. Linear Discrimination. Lucas C. Parra Biomedical Engineering Department City College of New York
BME I5100: Biomedical Signal Processing Linear Discrimination Lucas C. Parra Biomedical Engineering Department CCNY 1 Schedule Week 1: Introduction Linear, stationary, normal - the stuff biology is not
More informationEn vue de l'obtention du
THÈSE En vue de l'obtention du DOCTORAT DE L UNIVERSITÉ DE TOULOUSE Délivré par L Université Toulouse III - Paul Sabatier Discipline ou spécialité : Informatique Présentée et soutenue par Sílvia dos Santos
More informationInstitute of Actuaries of India Subject CT3 Probability and Mathematical Statistics
Institute of Actuaries of India Subject CT3 Probability and Mathematical Statistics For 2015 Examinations Aim The aim of the Probability and Mathematical Statistics subject is to provide a grounding in
More informationSource-domain DDoS Prevention
bhattacharjee, LTS S 05 Page: 0 Source-domain DDoS Prevention Bobby Bhattacharjee Christopher Kommareddy Mark Shayman Dave Levin Richard La Vahid Tabatabaee University of Maryland bhattacharjee, LTS S
More informationNetwork Security. Chapter 9. Attack prevention, detection and response. Attack Prevention. Part I: Attack Prevention
Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle Part I: Attack Prevention Network Security Chapter 9 Attack prevention, detection and response Part Part I:
More informationKEITH LEHNERT AND ERIC FRIEDRICH
MACHINE LEARNING CLASSIFICATION OF MALICIOUS NETWORK TRAFFIC KEITH LEHNERT AND ERIC FRIEDRICH 1. Introduction 1.1. Intrusion Detection Systems. In our society, information systems are everywhere. They
More informationHashdoop: A MapReduce Framework for Network Anomaly Detection
Hashdoop: A MapReduce Framework for Network Anomaly Detection Romain Fontugne, Johan Mazel, Kensuke Fukuda National Institute of Informatics Japanese - French Laboratory for Informatics Tokyo, Japan Abstract
More informationPerformance Evaluation of Intrusion Detection Systems
Performance Evaluation of Intrusion Detection Systems Waleed Farag & Sanwar Ali Department of Computer Science at Indiana University of Pennsylvania ABIT 2006 Outline Introduction: Intrusion Detection
More informationSTATISTICA Formula Guide: Logistic Regression. Table of Contents
: Table of Contents... 1 Overview of Model... 1 Dispersion... 2 Parameterization... 3 Sigma-Restricted Model... 3 Overparameterized Model... 4 Reference Coding... 4 Model Summary (Summary Tab)... 5 Summary
More informationTaxonomy of Intrusion Detection System
Taxonomy of Intrusion Detection System Monika Sharma, Sumit Sharma Abstract During the past years, security of computer networks has become main stream in most of everyone's lives. Nowadays as the use
More informationFlash Crowds & Denial of Service Attacks
Flash Crowds & Denial of Service Attacks Characterization and Implications for CDNs and Web sites Jaeyeon Jung MIT Laboratory for Computer Science Balachander Krishnamurthy and Michael Rabinovich AT&T
More informationSecure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions
Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions Gigi Joseph, Computer Division,BARC. Gigi@barc.gov.in Intranet Security Components Network Admission Control (NAC)
More informationCASCADAS Imperial College. Work part of WP4 related to Autonomic Infrastructure Protection
CASCADAS Imperial College Work part of WP4 related to Autonomic Infrastructure Protection Erol Gelenbe, Georgios Loukas Gulay Oke Intelligent Systems and Networks Group Imperial College London Earlier
More informationFuzzy Network Profiling for Intrusion Detection
Fuzzy Network Profiling for Intrusion Detection John E. Dickerson (jedicker@iastate.edu) and Julie A. Dickerson (julied@iastate.edu) Electrical and Computer Engineering Department Iowa State University
More informationKnowledge Based System for Detection and Prevention of DDoS Attacks using Fuzzy logic
Knowledge Based System for Detection and Prevention of DDoS Attacks using Fuzzy logic Amit Khajuria 1, Roshan Srivastava 2 1 M. Tech Scholar, Computer Science Engineering, Lovely Professional University,
More information