Detection accuracy of network anomalies using sampled flow statistics
Author(s) - Kawahara Ryoichi, Ishibashi Keisuke, Mori Tatsuya, Kamiyama Noriaki, Harada Shigeaki, Hasegawa Haruhisa, Asano Shoichiro
Publication year - 2011
Publication title - International Journal of Network Management
Language(s) - English
Resource type - Book series
SCImago Journal Rank - 0.373
H-Index - 28
eISSN - 1099-1190
pISSN - 1055-7148
ISBN - 978-1-4244-1043-9
DOI - 10.1002/nem.777
Subject(s) - computer science, sampling (signal processing), network packet, data mining, traffic volume, volume (thermodynamics), flooding (psychology), real time computing, statistics, computer network, mathematics, telecommunications, detector, psychology, physics, quantum mechanics, transport engineering, engineering, psychotherapist
SUMMARY We investigated the detection accuracy of network anomalies when using flow statistics obtained through packet sampling. Through a case study based on measurement data, we showed that network anomalies generating a large number of small flows, such as network scans or SYN flooding, become difficult to detect during packet sampling. We then developed an analytical model that enables us to quantitatively evaluate the effect of packet sampling and traffic conditions, such as anomalous traffic volume, on detection accuracy. We also investigated how the detection accuracy worsens when the packet sampling rate decreases. In addition, we show that, even with a low sampling rate, spatially partitioning monitored traffic into groups makes it possible to increase detection accuracy. We also developed a method of determining an appropriate number of partitioned groups, and we show its effectiveness. Copyright © 2011 John Wiley & Sons, Ltd.
