Mining Anomalies in Network-Wide Flow Data. Anukool Lakhina, Ph.D. with Mark Crovella and Christophe Diot



Similar documents
Characterization of Network-Wide Anomalies in Traffic Flows

Detecting Network Anomalies. Anant Shah

Structural Analysis of Network Traffic Flows Eric Kolaczyk

AUTONOMOUS NETWORK SECURITY FOR DETECTION OF NETWORK ATTACKS

Monitoring sítí pomocí NetFlow dat od paketů ke strategiím

Diagnosing Network Disruptions with Network-Wide Analysis

Flow Monitoring With Cisco Routers

Joint Entropy Analysis Model for DDoS Attack Detection

Proactive Surge Protection: A Defense Mechanism for Bandwidth-Based Attacks

Keywords Attack model, DDoS, Host Scan, Port Scan

Adaptive Flow Aggregation - A New Solution for Robust Flow Monitoring under Security Attacks

A Real-time Network Traffic Profiling System

Echidna: Efficient Clustering of Hierarchical Data for Network Traffic Analysis

Design and Implementation of an Interactive DBMS-supported Network Traffic Analysis and Visualization System

}w!"#$%&'()+,-./012345<ya

Increasing Reliability in Network Traffic Anomaly Detection

Outline. The Problem BGP/Routing Information. Netflow/Traffic Information. Conclusions

Lightweight Detection of DoS Attacks

Structural Analysis of Network Traffic Flows

Time-Frequency Detection Algorithm of Network Traffic Anomalies

Design and simulation of wireless network for Anomaly detection and prevention in network traffic with various approaches

Cisco IOS Flexible NetFlow Technology

ICND2 NetFlow. Question 1. What are the benefit of using Netflow? (Choose three) A. Network, Application & User Monitoring. B.

A Review of Anomaly Detection Techniques in Network Intrusion Detection System

System Specification. Author: CMU Team

A HYBRID RULE BASED FUZZY-NEURAL EXPERT SYSTEM FOR PASSIVE NETWORK MONITORING

Service Description DDoS Mitigation Service

Network Management & Monitoring

CISCO IOS NETFLOW AND SECURITY

Anomaly Detection in Backbone Networks: Building A Security Service Upon An Innovative Tool

Conclusions and Future Directions

Netflow Overview. PacNOG 6 Nadi, Fiji

Network-Wide Capacity Planning with Route Analytics

Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation

AS THE Internet continues to grow in size and complexity,

NSC E

Evangelos Kranakis, School of Computer Science, Carleton University, Ottawa 1. Network Security. Canada France Meeting on Security, Dec 06-08

Data Mining Part 5. Prediction

Security Toolsets for ISP Defense

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

How To Detect Denial Of Service Attack On A Network With A Network Traffic Characterization Scheme

How is SUNET really used?

Signature-aware Traffic Monitoring with IPFIX 1

EE627 Lecture 22. Multihoming Route Control Devices

AlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log

How To Manage Security On A Networked Computer System

On Entropy in Network Traffic Anomaly Detection

Effect of sampling rate and monitoring granularity on anomaly detectability

How to build a Carrier-Grade Defense-Shield. Dr. Antonio Nucci Chief Technology Officer, Narus Inc.

A Survey on Intrusion Detection System with Data Mining Techniques

Network Monitoring and Management NetFlow Overview

Reformulating the monitor placement problem: Optimal Network-wide wide Sampling

The Integration of SNORT with K-Means Clustering Algorithm to Detect New Attack

Hashdoop: A MapReduce Framework for Network Anomaly Detection

CSCE 465 Computer & Network Security

Defending against Flooding-Based Distributed Denial-of-Service Attacks: A Tutorial

Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC)

Page 1. Outline EEC 274 Internet Measurements & Analysis. Traffic Measurements. Motivations. Applications

LEISURE: A Framework for Load-Balanced Network-Wide Traffic Measurement

Intrusion Detection: Game Theory, Stochastic Processes and Data Mining

CLASSIFYING NETWORK TRAFFIC IN THE BIG DATA ERA

Introduction to Netflow

TELCO challenge: Learning and managing the network behavior

IP Forwarding Anomalies and Improving their Detection using Multiple Data Sources

Integration Misuse and Anomaly Detection Techniques on Distributed Sensors

HP Intelligent Management Center v7.1 Network Traffic Analyzer Administrator Guide

SDN Programming Languages. Programming SDNs!

Case Study: Instrumenting a Network for NetFlow Security Visualization Tools

Concept and Project Objectives

DYNAMIC FUZZY PATTERN RECOGNITION WITH APPLICATIONS TO FINANCE AND ENGINEERING LARISA ANGSTENBERGER

Transcription:

Mining Anomalies in Network-Wide Flow Data Anukool Lakhina, Ph.D. with Mark Crovella and Christophe Diot SANOG-7, Mumbai, January, 00

Network Anomaly Diagnosis Am I being attacked? Is someone scanning my network? Are there worms spreading? A sudden traffic shift? An equipment outage? Something never seen before? A general, unsupervised method for reliably detecting and classifying network anomalies is needed

My Talk in One Slide A general system to detect & classify anomalies at ISPs and large enterprises Central Message: Network-wide analysis of NetFlow data can expose many anomalies Detect both operational & malicious incidents I am here to seek your feedback

x 0 OD flow i b Network-Wide Traffic Analysis 0 LA IPLS 8 x 07 x 0 7 x 0 7 Large Traffic Shifts (Operational Event) x 0 7 NYC SNVA Peak rate: 00Mbps; Attack rate ~ 9Mbps/flow LA IPLS Link c b HSTN Worm scan observable in network-wide traffic Fri Sat Sun Link d c Link f d Link i f NYC LA HSTN IPLS ATLA Distributed DOS Attack NYC

Collecting Network-Wide Traffic to Seattle from NYC Assemble network s traffic matrix to LA Traffic entering at the origin and leaving at the destination to Houston to Atlanta Use routing to aggregate NetFlow data into OD flows

Networks Evaluated Abilene research network (Internet) PoPs, OD flows, anonymized, /00 sampling, min bins Géant Europe research network (Dante) PoPs, 8 OD flows, not anonymized, /000 sampling, 0 min bins Sprint European commercial network PoPs, 9 OD flows, not anonymized, aggregated, /0 sampling, 0 min bins

But, This is Difficult to Analyze!. x 07 x 0 x 0. x 07. Traffic in OD Flow 9.. Traffic in OD Flow 8.. Traffic in OD Flow 7... Traffic in Ab. OD Flow 9. 0. 0. 0. x 0 7 x 0 x 0 x 0 8 7 7 Traffic in Ab. OD Flow 7.. Traffic in OD Flow Traffic in Ab. OD Flow 9 Traffic in OD Flow 0 00 00 00 00 00 00 700 800 900 000 x 0 x 0 x 0 8 x 0 7..... Traffic in OD Flow 7.. Traffic in OD Flow Traffic in OD Flow 8.....0 0.9 Traffic in OD Flow..8.. 0. 0.9. 0.8 0 0 00 00 00 00 00 00 700 800 900 000 How do we extract anomalies and normal behavior from noisy, high-dimensional data? 7

The Subspace Method [LCD:SIGCOMM 0] An approach to separate normal & anomalous network-wide traffic Designate temporal patterns most common to all the traffic flows as the normal patterns Remaining temporal patterns form the anomalous patterns Detect anomalies by statistical thresholds on anomalous patterns 8

An example operational anomaly Multihomed customer CALREN reroutes around outage at LOSA 9

Summary of Anomaly Types Found [LCD:IMC0] False Alarms 9 Unknown Alpha DOS Scan Flash Crowd Point Multi Worm Outage Ingress Shift Unknown FalseAlarm 7 Alpha Traffic Shift Outage Worm Point-Multipoint Flash Events DOS Scans 0

Automatically Classifying Anomalies [LCD:SIGCOMM0] Goal: Classify anomalies without restricting yourself to a predefined set of anomalies Approach: Leverage -tuple header fields: SrcIP, SrcPort, DstIP, DstPort In particular, measure dispersion in fields Then, apply off-the-shelf clustering methods

Example of Anomaly Clusters Dispersed Legend (DstIP) Code Red Scanning Single source DOS attack Multi source DOS attack (SrcIP) (SrcIP) Summary: Concentrated Correctly classified 9 of Dispersed 9 injected anomalies

Summary Network-Wide Detection: Broad range of anomalies with low false alarms In papers: Highly sensitive detection, even when anomaly is % of background traffic Anomaly Classification: Feature clusters automatically classify anomalies In papers: clusters expose new anomalies Network-wide data and header analysis are promising for general anomaly diagnosis

Next steps Ongoing Work: implementing algorithms in a prototype system For more information, see papers & slides at: http://cs-people.bu.edu/anukool/pubs.html Your feedback much needed & appreciated! Data, deployment,

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information