a signal analysis of network traffic anomalies
play

A Signal Analysis of Network Traffic Anomalies Paul Barford with - PowerPoint PPT Presentation

Sep 27, 2022 •262 likes •465 views

A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin Madison Fall, 2002 Overview Motivation: Anomaly detection remains difficult Objective : Improve

  1. A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin – Madison Fall, 2002

  2. Overview • Motivation: Anomaly detection remains difficult • Objective : Improve understanding of traffic anomalies • Approach : Multiresolution analysis of data set that includes IP flow, SNMP and an anomaly catalog • Method : Integrated Measurement Analysis Platform for Internet Traffic (IMAPIT) • Results : Identify anomaly characteristics using wavelets and develop new method for exposing short-lived events pb@cs.wisc.ecdu 2

  3. Our Data Sets • Consider anomalies in IP flow and SNMP data – Collected at UW border router (Juniper M10) – Archive of ~6 months worth of data (packets, bytes, flows) – Includes catalog of anomalies (after-the-fact analysis) • Group observed anomalies into four categories – Network anomalies (41) • Steep drop offs in service followed by quick return to normal behavior – Flash crowd anomalies (4) • Steep increase in service followed by slow return to normal behavior – Attack anomalies (46) • Steep increase in flows in one direction followed by quick return to normal behavior – Measurement anomalies (18) • Short-lived anomalies which are not network anomalies or attacks pb@cs.wisc.ecdu 3

  4. pb@cs.wisc.ecdu 4

  5. Multiresolution Analysis • Wavelets provide a means for describing time series data that considers both frequency and time – Powerful means for characterizing data with sharp spikes and discontinuities – Using wavelets can be quite tricky • We use tools developed at UW which together make up IMAPIT – FlowScan software – The IDR Framenet software pb@cs.wisc.ecdu 5

  6. Our Wavelet System • After evaluating different candidates we selected a wavelet system called Pseudo Splines(4,1) Type 2. – A framelet system developed by Daubechies et al. ‘00 – Very good frequency localization properties • Three output signals are extracted – Low Frequency (L) : synthesis of all wavelet coefficients from level 9 and up – Mid Frequency (M) : synthesis of wavelet coefficients 6, 7, 8 – High Frequency (H) : synthesis of wavelet coefficients 1 to 5 pb@cs.wisc.ecdu 6

  7. Ambient IP Flow Traffic One Autonomous System to Campus, Inbound, 2001-DEC-16 through 2001-DEC-23 20 M bytes, original signal Bytes/sec 15 M 10 M 5 M 0 6 M 4 M 2 M 0 -2 M bytes, high-band -4 M -6 M 4 M 2 M 0 -2 M bytes, mid-band -4 M 20 M bytes, low-band 15 M 10 M 5 M 0 Sat Sun Mon Tue Wed Thu Fri Sat Sun pb@cs.wisc.ecdu 7

  8. Ambient SNMP Traffic One Interface to Campus, Inbound, 2001-DEC-16 through 2001-DEC-23 20 M bytes, original signal Bytes/sec 15 M 10 M 5 M 0 6 M 4 M 2 M 0 -2 M bytes, high-band -4 M -6 M 4 M 2 M 0 -2 M bytes, mid-band -4 M 20 M bytes, low-band 15 M 10 M 5 M 0 Sat Sun Mon Tue Wed Thu Fri Sat Sun pb@cs.wisc.ecdu 8

  9. Byte Traffic for Flash Crowd Class-B Network, Outbound, 2001-SEP-30 through 2001-NOV-25 30 M Outbound Class-B Network Bytes, original signal 25 M Bytes/sec 20 M 15 M 10 M 5 M 0 Outbound Class-B Network Bytes, mid-band 5 M 0 -5 M -10 M 20 M Outbound Class-B Network Bytes, low-band 15 M 10 M 5 M 0 Oct-01 Oct-08 Oct-15 Oct-22 Oct-29 Nov-05 Nov-12 Nov-19 Nov-26 pb@cs.wisc.ecdu 9

  10. Average Packet Size for Flash Crowd Campus HTTP, Outbound, 2001-SEP-30 through 2001-NOV-25 1500 1000 Bytes 500 outbound HTTP average packet size signal 0 300 200 100 0 -100 outound HTTP average packet size, mid-band -200 -300 1500 1000 500 outbound HTTP average packet size, low-band 0 Oct-01 Oct-08 Oct-15 Oct-22 Oct-29 Nov-05 Nov-12 Nov-19 Nov-26 pb@cs.wisc.ecdu 10

  11. Flow Traffic During DoS Attacks Campus TCP, Inbound, 2002-FEB-03 through 2002-FEB-10 400 Flows/sec Inbound TCP Flows, original signal 300 200 100 0 200 Inbound TCP Flows, high-band 150 100 50 0 30 20 10 0 -10 Inbound TCP Flows, mid-band -20 -30 400 Inbound TCP Flows, low-band 300 200 100 0 Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 11

  12. Byte Traffic During Measurement Anomalies Campus TCP, Inbound, 2002-FEB-10 through 2002-FEB-17 30 M Inbound TCP Bytes, original signal Bytes/sec 20 M 10 M 0 8 M 6 M Inbound TCP Bytes, high-band 4 M 2 M 0 -2 M -4 M 6 M Inbound TCP Bytes, mid-band 4 M 2 M 0 -2 M 30 M Inbound TCP Bytes, low-band 20 M 10 M 0 Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 12

  13. Anomaly Detection via Deviation Score • Short-lived anomalies can be identified automatically based on variability in H and M signals 1. Compute local variability (using specified window) of H and M parts of signal 2. Combine local variability of H and M signals (using a weighted sum) and normalize by total variability to get deviation score V 3. Apply threshold to V then measure peaks • Analysis shows that V peaks over 2.0 indicate short- lived anomalies with high confidence – We threshold at V = 1.25 and set window size to 3 hours pb@cs.wisc.ecdu 13

  14. Deviation Score for Three Anomalies Campus TCP, Inbound, 2002-FEB-03 through 2002-FEB-10 50 k 2 Inbound TCP Packets Deviation Score 40 k 30 k Packets/sec Score 20 k 1.5 10 k 0 Mon Mon Tue Tue Sun Sun Wed Wed Thu Thu Fri Fri Sat Sat pb@cs.wisc.ecdu 14

  15. Deviation Score for Network Outage Inbound Outbound 30 M 2 Bytes/sec 20 M Score 10 M 1.5 0 40 k 2 30 k Pkts/sec Score 20 k 1.5 10 k 0 200 2 150 Flows/sec Score 100 1.5 50 0 Sun Mon Tue Wed Thu Fri Sat Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 15

  16. Anomalies in Aggregate Signals Inbound Outbound 600 k 2 500 k Bytes/sec 400 k Score 300 k 200 k 1.5 100 k 0 20 k 2 15 k Pkts/sec Score 10 k 1.5 5 k 0 200 2 150 Flows/sec Score 100 1.5 50 0 Sun Mon Tue Wed Thu Fri Sat Sun Mon Tue Wed Thu Fri Sat Inbound Outbound 30 M 2 Bytes/sec 20 M Score 10 M 1.5 0 50 k 2 40 k Pkts/sec 30 k Score 20 k 1.5 10 k 0 300 2 250 Flows/sec 200 Score 150 100 1.5 50 0 Sun Mon Tue Wed Thu Fri Sat Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 16

  17. Hidden Anomalies in Low Frequency Class-B Network, Outbound, 2001-NOV-25 through 2001-DEC-23 10 M 8 M Outbound Bytes, original signal Bytes/sec 6 M 4 M 2 M 0 3 M Outbound Bytes, high-band 2 M 1 M 0 -1 M -2 M 3 M Outbound Bytes, mid-band 2 M 1 M 0 -1 M -2 M -3 M 10 M 8 M Outbound Bytes, low-band 6 M 4 M 2 M 0 Nov-27 Dec-04 Dec-11 Dec-18 Dec-25 pb@cs.wisc.ecdu 17

  18. Deviation Score Evaluation • How effective is deviation score at detecting anomalies? – Compare versus set of 39 anomalies • Set is unlikely to be complete so we don’t treat false-positives – Compare versus Holt-Winters Forecasting • Time series technique • Requires some configuration • Holt-Winters reported many more positives and sometimes oscillated between values Total Candidates Candidates Candidate detected by detected by Anomalies Deviation Holt-Winters Score 39 38 37 pb@cs.wisc.ecdu 18

  19. Conclusion and Next Steps • We present an evaluation of signal characteristics of network traffic anomalies – Using IP flow and SNMP data collected at UW border router – IMAPIT developed to apply wavelet analysis to data – Deviation score developed to automate anomaly detection • Results – Characteristics of anomalies exposed using different filters and data – Deviation score appears promising as a detection method • Future – Development of anomaly classification methods – Application of results in (distributed) detection systems pb@cs.wisc.ecdu 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
The Subspace Method for Diagnosing Network-Wide Traffic Anomalies Anukool Lakhina, Mark Crovella,

The Subspace Method for Diagnosing Network-Wide Traffic Anomalies Anukool Lakhina, Mark Crovella,

The Subspace Method for Diagnosing Network-Wide Traffic Anomalies Anukool Lakhina, Mark Crovella, Christophe Diot Whats happening in my network? Is my customer being attacked? probed? infected? Is there a sudden traffic shift?

374 views • 26 slides
Traffic signal optimization and traffic assignment Traffic signals Traffic signal optimization

Traffic signal optimization and traffic assignment Traffic signals Traffic signal optimization

Dagstuhl, October 2015 Traffic Signals and User Equilibria Martin Strehler , Ekkehard K ohler BTU Cottbus-Senftenberg { martin.strehler,ekkehard.koehler } @b-tu.de Traffic signal optimization and traffic assignment Traffic signals Traffic

577 views • 55 slides
Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering & Center of Excellence in Information Assurance King Saud University April 13-14, 2014

609 views • 39 slides
Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction Youve just invented the greatest protocol does everything including tying your shoelaces. What now? Need to know how it performs. Is it

510 views • 13 slides
using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets

Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets

Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets Network Traffic Measurement and Analysis Conference (TMA 2018) June 28, 2018 Milan Cermak et al. Institute of Computer Science, Masaryk University, Brno

575 views • 25 slides
this traffic signal will turn green? Why do I want to know when the signal turns green?

this traffic signal will turn green? Why do I want to know when the signal turns green?

How do I know, when this traffic signal will turn green? Why do I want to know when the signal turns green? 28.03.2012 Seminar in Distributed Computing Gianin Basler Introduction Traffic light countdown timer 28.03.2012 Seminar in

801 views • 49 slides
Structural Analysis of Network Traffic Flows Eric Kolaczyk Anukool Lakhina, Dina Papagiannaki,

Structural Analysis of Network Traffic Flows Eric Kolaczyk Anukool Lakhina, Dina Papagiannaki,

Structural Analysis of Network Traffic Flows Eric Kolaczyk Anukool Lakhina, Dina Papagiannaki, Mark Crovella, Christophe Diot, and Nina Taft Traditional Network What ISPs Care Traffic Analysis About Focus on Focus on Long,

1.09k views • 46 slides
Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools Background and Goals: Apache Spot was started recently DNS, Netflow, PCAP data is analyzed The goal is to identify: suspicous

644 views • 19 slides
Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network

Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network

Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network Security at Prague Embedded Systems Workshop (PESW 2019) June 28, 2019 Milan Cermak Institute of Computer Science, Masaryk University, Brno 2 3

440 views • 20 slides
Integration of Crowdsourced Data into Automated Traffic Signal Performance Measures (ATSPMs)

Integration of Crowdsourced Data into Automated Traffic Signal Performance Measures (ATSPMs)

Integration of Crowdsourced Data into Automated Traffic Signal Performance Measures (ATSPMs) Adventures in Crowdsourcing: Traffic Signal Applications February 27, 2020 Justin R. Effinger, P.E. Lake County PASSAGE ATMS Platform

461 views • 18 slides
Transaction clustering using network traffic blockchains analysis for Bitcoin and derived

Transaction clustering using network traffic blockchains analysis for Bitcoin and derived

Transaction clustering using network traffic analysis for Bitcoin and derived Transaction clustering using network traffic blockchains analysis for Bitcoin and derived blockchains Biryukov, Tikhomirov Introduction Network privacy Alex

491 views • 30 slides
ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF

641 views • 46 slides
High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges & Approaches Security: Challenges & Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides
ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC

ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC

IN INTRODUCTION TO TRAFFIC ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC ANALYSIS 1. Except for user terminals, the telephone network is composed of a variety of common 45 Trunks equipment

385 views • 17 slides
Adaptive Anomaly Detection via Self-Calibration and Dynamic Updating Gabriela F. Cretu-Ciocarlie

Adaptive Anomaly Detection via Self-Calibration and Dynamic Updating Gabriela F. Cretu-Ciocarlie

Adaptive Anomaly Detection via Self-Calibration and Dynamic Updating Gabriela F. Cretu-Ciocarlie Department of Computer Science Columbia University Joint work with Angelos Stavrou, Michael E. Locasto, Salvatore J. Stolfo Motivation and

487 views • 28 slides
Vacuum structure of 2 d adjoint QCD anomaly, mod 2 index, and semiclassics Yuya Tanizaki

Vacuum structure of 2 d adjoint QCD anomaly, mod 2 index, and semiclassics Yuya Tanizaki

Vacuum structure of 2 d adjoint QCD anomaly, mod 2 index, and semiclassics Yuya Tanizaki North Carolina State University Sep, 2019 @ ICTP, Trieste Collaborators: Aleksey Cherman, Theodore Jacobson (UMN), Mithat Unsal (NCSU)

538 views • 29 slides
Metadata format for benchmarking anomaly detection algorithms Youki Kadobayashi NICT / NAIST

Metadata format for benchmarking anomaly detection algorithms Youki Kadobayashi NICT / NAIST

Metadata format for benchmarking anomaly detection algorithms Youki Kadobayashi NICT / NAIST youki-k <at> is.naist.jp 10 th CAIDA-WIDE workshop / 1 st CAIDA-WIDE-CASFI workshop August 2008 Anomaly detection algorithms:

444 views • 10 slides
A Tale of Two Anomalies: from LHCb to ANITA Speaker: Yicong Sui In collaboration with: Wolfgang

A Tale of Two Anomalies: from LHCb to ANITA Speaker: Yicong Sui In collaboration with: Wolfgang

A Tale of Two Anomalies: from LHCb to ANITA Speaker: Yicong Sui In collaboration with: Wolfgang Altmannshofer, Bhupal Dev, Amarjit Soni Introduction of B-anomaly Introduction of B-anomaly Introduction of B-anomaly Gregory Ciezarek, etl, ,

964 views • 78 slides
from System Logs through Deep Learning Min Du , Feifei Li, Guineng Zheng, Vivek Srikumar

from System Logs through Deep Learning Min Du , Feifei Li, Guineng Zheng, Vivek Srikumar

DeepLog: Anomaly Detection and Diagnosis from System Logs through Deep Learning Min Du , Feifei Li, Guineng Zheng, Vivek Srikumar University of Utah Background 2 Background System Event Log 3 Background System Event Log Available

1.08k views • 106 slides
StrobeLight: Lightweight Availability Mapping and Anomaly Detection James Mickens, John Douceur,

StrobeLight: Lightweight Availability Mapping and Anomaly Detection James Mickens, John Douceur,

StrobeLight: Lightweight Availability Mapping and Anomaly Detection James Mickens, John Douceur, Bill Bolosky Brian Noble At any given moment, how can we tell which enterprise machines are online and network-reachable? Mobile AJAX

603 views • 34 slides
Anomaly and gaugino mediation Supergravity mediation X is in the hidden sector, M P l

Anomaly and gaugino mediation Supergravity mediation X is in the hidden sector, M P l

Anomaly and gaugino mediation Supergravity mediation X is in the hidden sector, M P l suppressed couplings W = W hid ( X ) + W vis ( ) c i j e V i + . . . i Pl X X j j f = M 2 YM 2 + i 4 k

574 views • 29 slides
Anomalies, Chern-Simons Terms, and Black Hole Entropy ! Tatsuo Azeyanagi (ENS) ! ! Based on

Anomalies, Chern-Simons Terms, and Black Hole Entropy ! Tatsuo Azeyanagi (ENS) ! ! Based on

Anomalies, Chern-Simons Terms, and Black Hole Entropy ! Tatsuo Azeyanagi (ENS) ! ! Based on arXiv:1311.2940, 1407.6364 and to appear ! with R. Loganayagam (IAS), G.S. Ng (McGill), M.J. Rodriguez (Harvard) ! Workshop Holographic Methods for

464 views • 33 slides

More recommend