An Evaluation of Effect of Packet Sampling on Anomaly Detection - - PowerPoint PPT Presentation



SLIDE 1

"An Evaluation of Effect of Packet Sampling on Anomaly Detection Method"

Takuya Motodate

April 25, 2010, The 3rd CAIDA-WIDE-CASFI Joint Measurement Workshop @Osaka

Sunday, April 25, 2010

SLIDE 2

Background

  • Anomaly detection: signature-based and statistical.
  • Statistical anomaly detection assumes a full-captured dump.
  • Backbone network traffic keeps growing, so its characteristics are grasped from sampled traffic.
  • We have to use sampled traffic as the input of anomaly detection. What should we do?

SLIDE 3

Problem Statement

  • 1. A suitable packet-sampling method is not known.
  • 2. A suitable anomaly detection method is not known, because of inadequate evaluations.

SLIDE 4

Purpose

  • Evaluate the effect of various sampling methods on the results of anomaly detection methods, using common traffic data.
  • Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures as the anomaly detection method.
  • 5 packet-sampling methods.
  • MAWI dataset as the traffic data.

SLIDE 5

Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures

[Dewaele et al. 07]

  • 1. Divide the traffic into subtraffics.
  • 2. Estimate α and β of each subtraffic at each timescale.
  • 3. An anomalous subtraffic has a deviating α or β.

Figure, built up across slides 5 to 10: (1) hashing, the key is SrcIPAddr; (2) making histograms at the 5 ms, 20 ms and 80 ms timescales and estimating the parameters of a Gamma distribution f; (3) detecting anomalies, shown as a subtraffic whose parameters lie away from the others.

SLIDE 11

Packet-Sampling Methodologies

[Claffy et al. 93]

  • A. Systematic Sampling
  • B. Stratified Random Sampling
  • C. Simple Random Sampling

Packet-based: picking up a packet per N packets. Time-based: picking up a packet per M msec.

Bucket: packet-based, e.g. 100 packets; time-based, e.g. 1 msec.

Figure: the five combinations evaluated.

  • Packet-based Systematic
  • Packet-based Stratified Random
  • Time-based Systematic
  • Time-based Stratified Random
  • Simple Random
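The five combinations above, written out as code. This is an added example, not code from the talk or from Claffy et al.; the packet stream is constructed (exponential inter-arrival gaps with an optional dense burst), the bucket sizes N and M are parameters, and the `Packet` type, `effective_rate` and `arrivals_per_interval` helpers are my own names. Arrival times are integer microseconds so that bucket arithmetic is exact.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts_us: int   # arrival time in microseconds (integers keep bucket arithmetic exact)
    src: str     # source IP address
    size: int    # bytes on the wire


# --- A. Systematic sampling: fixed position inside every bucket ---------------

def packet_based_systematic(pkts, n):
    """Pick one packet per N packets: the first packet of every N-packet bucket."""
    return [p for i, p in enumerate(pkts) if i % n == 0]


def time_based_systematic(pkts, m_ms):
    """Pick one packet per M ms: the first packet arriving in every M ms slot.
    Empty slots contribute nothing, so the packet ratio is not a fixed 1/N."""
    slot_us = m_ms * 1000
    chosen, last_slot = [], None
    for p in pkts:  # pkts is assumed sorted by arrival time
        slot = p.ts_us // slot_us
        if slot != last_slot:
            chosen.append(p)
            last_slot = slot
    return chosen


# --- B. Stratified random sampling: random position inside every bucket -------

def packet_based_stratified(pkts, n, rng=None):
    """Split the stream into buckets of N packets and pick one at random per bucket."""
    rng = rng or random.Random(0)
    return [rng.choice(pkts[i:i + n]) for i in range(0, len(pkts), n)]


def time_based_stratified(pkts, m_ms, rng=None):
    """Split time into M ms buckets and pick one packet at random per non-empty bucket."""
    rng = rng or random.Random(0)
    slot_us = m_ms * 1000
    buckets = {}
    for p in pkts:
        buckets.setdefault(p.ts_us // slot_us, []).append(p)
    return [rng.choice(buckets[k]) for k in sorted(buckets)]


# --- C. Simple random sampling: every packet kept independently ---------------

def simple_random(pkts, n, rng=None):
    """Keep each packet independently with probability 1/N."""
    rng = rng or random.Random(0)
    return [p for p in pkts if rng.random() < 1.0 / n]


# --- Helpers for comparing a sample with the original stream ------------------

def effective_rate(sample, original):
    """Fraction of packets that survived sampling (the 'pkt/pkt' ratio quoted on slide 20)."""
    return len(sample) / len(original)


def arrivals_per_interval(pkts, interval_us, window_us):
    """Packets arriving in each interval of the window (the time series of slide 20)."""
    counts = [0] * (window_us // interval_us)
    for p in pkts:
        if 0 <= p.ts_us < window_us:
            counts[p.ts_us // interval_us] += 1
    return counts


def make_stream(n, seed=1, mean_gap_us=250, burst_at=None):
    """Constructed stream, not MAWI data: exponential inter-arrival gaps, plus an
    optional dense burst (one packet per 20 us) covering n/10 packets from index
    `burst_at`, to show how time-based sampling reacts to bursts."""
    rng = random.Random(seed)
    ts, pkts = 0, []
    for i in range(n):
        in_burst = burst_at is not None and burst_at <= i < burst_at + n // 10
        ts += 20 if in_burst else int(rng.expovariate(1.0 / mean_gap_us))
        pkts.append(Packet(ts, f"10.0.0.{i % 20}", rng.choice((64, 576, 1500))))
    return pkts


if __name__ == "__main__":
    stream = make_stream(10_000, burst_at=4_000)
    rng = random.Random(42)
    for name, sample in (
        ("packet-based systematic 1/4", packet_based_systematic(stream, 4)),
        ("packet-based stratified 1/4", packet_based_stratified(stream, 4, rng)),
        ("simple random 1/4", simple_random(stream, 4, rng)),
        ("time-based systematic 1 ms", time_based_systematic(stream, 1)),
        ("time-based stratified 1 ms", time_based_stratified(stream, 1, rng)),
    ):
        rate = effective_rate(sample, stream)
        print(f"{name:30s} {len(sample):6d} packets  1/{1 / rate:.2f} pkt/pkt")
```

Running the main block shows the point behind slide 20's "1/4 pkt/pkt versus 1/4.4 pkt/pkt": the packet-based methods return exactly one packet per N, while the time-based methods return one packet per non-empty M ms slot, so their packet ratio drops during a burst and rises when the link is quiet.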

SLIDE 12

Overview of Evaluation

Figure: MAWI traffic data is fed to anomaly detection directly, and also through packet sampling first; the two anomaly detection results are then compared.
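A toy implementation of the three-step procedure from slides 5 to 10 (hash source addresses into sketch cells, histogram each cell at the 5 ms, 20 ms and 80 ms timescales, estimate the Gamma parameters α and β, flag cells whose parameters deviate) wired into the pipeline of slide 12 (detect on the full trace, detect on a sampled trace, compare). This is an added example and not the talk's or Dewaele et al.'s code: the method-of-moments estimator, the number of sketch cells and hash functions, the "deviates by more than 5x from the median cell" rule and the `compare_with_sampling` helper are all my assumptions, and the trace is constructed (background hosts with uniformly random arrivals plus one bursting host), not MAWI data.

```python
import hashlib
import random
from collections import defaultdict

TIMESCALES_MS = (5, 20, 80)   # aggregation timescales from the slide
SKETCH_CELLS = 16             # cells per sketch (assumed value)
SKETCH_COUNT = 6              # independent hash functions (assumed value)
RATIO_THRESHOLD = 5.0         # assumed rule: alpha or beta >5x or <1/5 of the reference is anomalous


def sketch_cell(src_ip, seed, cells=SKETCH_CELLS):
    """(1) Hashing: map a source address to one of `cells` cells; `seed` picks the hash function."""
    digest = hashlib.blake2b(f"{seed}:{src_ip}".encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % cells


def bin_counts(ts_list_us, window_us, delta_ms):
    """(2) Histogram: packets per delta_ms bin across the observation window."""
    delta_us = delta_ms * 1000
    counts = [0] * (window_us // delta_us)
    for ts in ts_list_us:
        if 0 <= ts < window_us:
            counts[ts // delta_us] += 1
    return counts


def gamma_moments(counts):
    """Method-of-moments Gamma fit of the bin counts: shape alpha = mean^2/var,
    scale beta = var/mean. Returns None when undefined (no traffic or zero variance)."""
    n = len(counts)
    mean = sum(counts) / n
    var = sum((c - mean) ** 2 for c in counts) / (n - 1)
    if mean == 0 or var == 0:
        return None
    return mean * mean / var, var / mean


def median(values):
    s = sorted(values)
    n = len(s)
    return s[n // 2] if n % 2 else (s[n // 2 - 1] + s[n // 2]) / 2


def detect_cells(packets, seed, window_us):
    """(3) Detection for one sketch: cells whose (alpha, beta) deviate from the median
    over all cells at any timescale. `packets` is a list of (ts_us, src_ip)."""
    per_cell = defaultdict(list)
    for ts, src in packets:
        per_cell[sketch_cell(src, seed)].append(ts)
    flagged = set()
    for delta in TIMESCALES_MS:
        fits = {}
        for cell, ts_list in per_cell.items():
            fit = gamma_moments(bin_counts(ts_list, window_us, delta))
            if fit is not None:
                fits[cell] = fit
        if len(fits) < 3:
            continue  # too few populated cells for a meaningful reference
        ref_alpha = median(a for a, _ in fits.values())
        ref_beta = median(b for _, b in fits.values())
        for cell, (alpha, beta) in fits.items():
            deviation = max(alpha / ref_alpha, ref_alpha / alpha, beta / ref_beta, ref_beta / beta)
            if deviation > RATIO_THRESHOLD:
                flagged.add(cell)
    return flagged


def detect_hosts(packets, window_us):
    """Run every sketch and intersect: a host is reported only if its cell is flagged in all of them,
    which is what lets a sketch-based detector name the source behind an anomalous cell."""
    flagged = [detect_cells(packets, seed, window_us) for seed in range(SKETCH_COUNT)]
    hosts = {src for _, src in packets}
    return {h for h in hosts if all(sketch_cell(h, s) in flagged[s] for s in range(SKETCH_COUNT))}


def make_trace(seed=7, hosts=240, pkts_per_host=40, window_us=4_000_000):
    """Constructed trace (not MAWI data): background hosts with uniformly random
    arrivals over a 4 s window, plus one host sending 3000 packets in about 0.18 s."""
    rng = random.Random(seed)
    packets = []
    for i in range(hosts):
        src = f"10.0.{i // 256}.{i % 256}"
        packets += [(rng.randrange(window_us), src) for _ in range(pkts_per_host)]
    burst_src = "192.0.2.66"
    packets += [(500_000 + k * 60, burst_src) for k in range(3000)]
    packets.sort()
    return packets, burst_src


def compare_with_sampling(packets, window_us, n=4):
    """Slide 12 pipeline: detect on the full trace and on a 1-in-N packet-based
    systematic sample, and return both result sets for comparison."""
    sampled = packets[::n]
    return detect_hosts(packets, window_us), detect_hosts(sampled, window_us)


if __name__ == "__main__":
    trace, burst = make_trace()
    full, sampled = compare_with_sampling(trace, 4_000_000)
    print("injected burst host:  ", burst)
    print("flagged on full trace:", sorted(full))
    print("flagged on 1/4 sample:", sorted(sampled))
    print("lost by sampling:", sorted(full - sampled), " new:", sorted(sampled - full))
```

Two things worth noticing when running it. First, the burst is visible at every timescale because it inflates the variance of its cell far more than the mean, so β (var/mean) jumps while α collapses; a Poisson-like background keeps β near 1 regardless of how many hosts land in a cell, which is why β is the more load-independent of the two statistics. Second, α is roughly proportional to the cell's packet load, so a detector that compares α across cells relies on the hash spreading hosts evenly; with only a few hosts per cell that assumption weakens, and after heavy sampling both estimates get noisier, which is the mechanism behind the detection counts changing with the sampling rate.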

SLIDE 13

Evaluation

  • I apply this evaluation to MAWI traffic data on 4 days: a Wednesday in December from 2004 to 2007, sample point B or F.

Dec 15, 2004; Dec 14, 2005; Dec 13, 2006; Dec 12, 2007

SLIDE 14

Numbers of Detected Hosts with each Sampling Rate

Brief observation:

  • 1. Detected hosts decreased as the sampling rate decreased.
  • 2. A rapid increase is observed in 2004 with time-based sampling.

SLIDE 15

Parameter Tuning

Trying to keep the target hosts fixed. Figure: target hosts before and after parameter tuning.

SLIDE 16

Numbers of Detected Hosts with each Sampling Rate after Normalization

Brief observation:

  • 1. Different behavior between packet-based and time-based sampling at high sampling rates.
  • 2. Rapid increase in the number for simple random sampling at low sampling rates.

SLIDE 17

Ongoing Work

  • Analysis of the reason for the rapid increase of anomalies with simple random sampling at low sampling rates, and of the difference between the time-based and packet-based results.
  • Cross-validation with port-based categorization.
  • Comparison with another anomaly detection method.

SLIDE 18

Summary

  • An evaluation is necessary when using anomaly detection with sampled traffic.
  • Evaluating "Sketch and Non Gaussian Multi-Resolution" with 5 sampling methods.
  • Performance difference between time-based and packet-based sampling, and simple random sampling.

SLIDE 19

Fin. Thank you for listening.

SLIDE 20

Distribution of the number of arrival packets

Figure: arrival packets (pkt), y axis 200 to 1200, versus time (sec), x axis 100 to 900, for the original trace, packet-based sampling and time-based sampling.

Packet-based systematic: 1/4 pkt/pkt. Time-based systematic: 1/4.4 pkt/pkt.

2004/12/15 (Wed) 14:00-14:15: original, packet-based, time-based.