an evaluation of effect of packet sampling on anomaly
play

An Evaluation of Effect of Packet Sampling on Anomaly Detection - PowerPoint PPT Presentation

Oct 23, 2023 •116 likes •331 views

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate April 25, 2010 The 3rd CAIDA-WIDE-CASFI Joint Measurement Workshop @Osaka 1 2010 4 25 Background Anomaly Detection:

  1. “An Evaluation of Effect of Packet Sampling on Anomaly Detection Method” Takuya Motodate April 25, 2010 The 3rd CAIDA-WIDE-CASFI Joint Measurement Workshop @Osaka 1 2010 年 4 月 25 日日曜日

  2. Background • Anomaly Detection: Signature-based,Statistical one • Statistical anomaly detection assumes a full-captured dump. • Traffic of backbone network become broader, so, characteristics of it is grasped with sampled traffic. • We have to use sampled-traffic as input of anomaly detection. What should we do? 2 2010 年 4 月 25 日日曜日

  3. Problem Statement 1. Suitable Packet-Sampling Method is not Known. 2. Suitable Anomaly Detection Method is not Known. Because of inadequate evaluations. 3 2010 年 4 月 25 日日曜日

  4. Purpose • Evaluate an effect to result of anomaly detection methods with various sampling methods and common traffic data. • Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures as a Anomaly Detection Method. • 5 Packet-Sampling Methods. • MAWI Dataset as Traffic Data. 4 2010 年 4 月 25 日日曜日

  5. 1.Divide a traffic into some subtraffics. 2. Estimate α and β of each subtraffic, each timescale. 3. Anomalous subtraffic has deviate α or β. Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  6. (1)Hashing: Key is SrcIPAddr 1.Divide a traffic into some subtraffics. 2. Estimate α and β of each subtraffic, each timescale. 3. Anomalous subtraffic has deviate α or β. Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  7. (1)Hashing: Key is SrcIPAddr (2) Making Histgram, and 20ms 5ms 80ms 1.Divide a traffic into some subtraffics. 2. Estimate α and β of each subtraffic, each timescale. 3. Anomalous subtraffic has deviate α or β. Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  8. 5ms 1.Divide a traffic into some subtraffics. 3. Anomalous subtraffic has deviate α or β. (1)Hashing: Key is SrcIPAddr (2) Making Histgram, and 20ms 5ms 80ms 2. Estimate α and β of each subtraffic, each timescale. 20ms 80ms Estimating Parameters of Gamma Distribution Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  9. 80ms 5ms (3)Detecting anomaly of Gamma Distribution Estimating Parameters 2. Estimate α and β of each subtraffic, each timescale. 20ms 80ms 1.Divide a traffic into some subtraffics. 5ms 20ms (2) Making Histgram, and SrcIPAddr (1)Hashing: Key is 3. Anomalous subtraffic has deviate α or β. Anomalies Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  10. 80ms 5ms (3)Detecting anomaly of Gamma Distribution Estimating Parameters 2. Estimate α and β of each subtraffic, each timescale. 20ms 80ms 1.Divide a traffic into some subtraffics. 5ms 20ms (2) Making Histgram, and SrcIPAddr (1)Hashing: Key is 3. Anomalous subtraffic has deviate α or β. Anomalies Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  11. Packet-Sampling Methodologies [Claffy et al. 93] Stratified Simple Systematic Random Random Packet-based Packet-based Packet-based Systematic Stratified Random Simple Random Random Time-based Time-based Stratified Time-based Systematic Random Packet-based : A. Systematic Sampling Picking up a packet per N packets B. Strati  ed Random Sampling Time-based : Picking up a packet per M msec C. Simple Random Sampling Packet Bucket: Packet-based: ex. 100 packets Time-based: ex. 1 msec 6 2010 年 4 月 25 日日曜日

  12. Overview of Evaluation Anomaly Result Detection MAWI Traffic Data Compare Anomaly Packet Result Sampling Detection 7 2010 年 4 月 25 日日曜日

  13. Evaluation • I apply this evaluation to MAWI Traffic Data at 4days. - A Wednesday in December from 2004 to 2007, sample-Point B or F. Dec 15, 2004 Dec 14, 2005 Dec 13, 2006 Dec 12, 2007 8 2010 年 4 月 25 日日曜日

  14. Numbers of Detected Hosts with each Sampling-Rate Brief Observation: 1. Detected hosts decreased as sampling-rate decreased. 2. Rapid increase is observed 2004 with time-based sampling. 9 2010 年 4 月 25 日日曜日

  15. Parameter Tuning Target Hosts Target Hosts after Parameter Tuning Trying to make target hosts fixed. 10 2010 年 4 月 25 日日曜日

  16. Numbers of Detected Hosts with each Sampling-Rate after normalization Brief Observation: 1. Different behavior between packet-based and time-based in high sampling-rate 2. Rapid Increase number of Simple-Random in low sampling- rate. 11 2010 年 4 月 25 日日曜日

  17. Undergoing Things • Analysis a reason rapid increase of anomalies with simple-random in low sampling-rate, and difference between result with time-based and packet-based. • Cross-Validation: with Port-based Categorization. • Comparison with another Anomaly Detection Method. 12 2010 年 4 月 25 日日曜日

  18. Summary • Necessary for an evaluation in using anomaly detection with sampled-traffic. • Evaluating a “Sketch and Non Gaussian Multi-Resolution” with 5 sampling methods. • Performance Difference between Time- based and Packet-based sampling, simple- random sampling. 13 2010 年 4 月 25 日日曜日

  19. Fin. Thank you for Listening. 14 2010 年 4 月 25 日日曜日

  20. Distribution of a number of arrival packets 2004/12/15(Wed) 14:00-14:15 1200 Original Packet-based Sampling Time-based Sampling Original 1000 Arrival Packets(pkt) 800 Packet-based 600 Time-based 400 200 0 900 200 300 400 500 600 700 800 0 100 Time(sec) Pakcet-based Systematic : 1/4 pkt/pkt Time-based Systematic: 1/4.4 pkt/pkt 15 2010 年 4 月 25 日日曜日

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, zseby@fokus.fhg.de Competence

A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, zseby@fokus.fhg.de Competence

A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, zseby@fokus.fhg.de Competence Center for Autonomic Networking Technologies Motivation: FloCon FloCon 2005 2005 Motivation: FloCon05 participants: We dont believe in

448 views • 11 slides
Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for IP Packet Selection draft-ietf ietf- -psamp psamp-sample-tech-00.txt -sample-tech-00.txt draft- Tanja Zseby, FhG FOKUS Maurizio Molina, NEC

600 views • 12 slides
An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
1 Sampling Sampling Question to you: which samples do you select for your Important to take

1 Sampling Sampling Question to you: which samples do you select for your Important to take

Overview Sampling Effect estimation Hardy-Weinberg Equilibrium Linkage Disequilibrium Statistics and analytical issues: Haplotypes SNP and haplotype Linda Broer (l.broer@erasmusmc.nl) Genetic Laboratory Department of

538 views • 11 slides
The Effect of Sampling Effort on the Mean of Range Size Distributions Megan Ruffley Ivn Jimnez

The Effect of Sampling Effort on the Mean of Range Size Distributions Megan Ruffley Ivn Jimnez

The Effect of Sampling Effort on the Mean of Range Size Distributions Megan Ruffley Ivn Jimnez Talk Outline Introduction Working Hypothesis Methods Study System Quantification of Sampling Effort Computer Simulation

779 views • 45 slides
2 Introduction Topics To Cover Review of Sampler Design How is sampling inaccurate

2 Introduction Topics To Cover Review of Sampler Design How is sampling inaccurate

1 The Value of Good Sampling 2 Introduction Topics To Cover Review of Sampler Design How is sampling inaccurate bias / random Detrimental effect to operations Effect on Mass Balancing (example) Combined OSA and Sampler

634 views • 26 slides
Students t -Distribution The t -Distribution, t -Tests, & Measures of Effect Size Sampling

Students t -Distribution The t -Distribution, t -Tests, & Measures of Effect Size Sampling

Students t -Distribution The t -Distribution, t -Tests, & Measures of Effect Size Sampling Distributions Redux Chapter 7 opens with a return to the concept of sampling distributions from chapter 4 Sampling distributions of the

872 views • 83 slides
Evaluation of Anomaly Detection Method based on Pattern Recognition Romain Fontugne The

Evaluation of Anomaly Detection Method based on Pattern Recognition Romain Fontugne The

Evaluation of Anomaly Detection Method based on Pattern Recognition Romain Fontugne The Graduate University for Advanced Studies Yosuke Himura The University of Tokyo Kensuke Fukuda National Institute of Informatics CNRS-Wide

443 views • 18 slides
Packet Radio Networks Packet Radio Networks are multiaccess networks in which not all nodes can

Packet Radio Networks Packet Radio Networks are multiaccess networks in which not all nodes can

Packet Radio Networks Packet Radio Networks are multiaccess networks in which not all nodes can hear the transmission of all other nodes, this feature is characteristic for radio communication We will focus on the effect of partial connectivity

882 views • 28 slides
Evaluating the Effect of Research and Innovation Policy on Small Business Start- ups: An

Evaluating the Effect of Research and Innovation Policy on Small Business Start- ups: An

Evaluating the Effect of Research and Innovation Policy on Small Business Start- ups: An Inflow-Sampling Approach* American Evaluation Association (AEA) Research Conference Anaheim, CA November 2-5, 2011 Reynold V. Galope Andrew Young School

320 views • 17 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
The effect of sampling frequency and front-end bandwidth on the DLL code tracking performance Vi

The effect of sampling frequency and front-end bandwidth on the DLL code tracking performance Vi

The effect of sampling frequency and front-end bandwidth on the DLL code tracking performance Vi Vinh T T r ran, Thuan Nguyen, Nagaraj Shivaramaiah, Andrew Dempster Contents GNSS receiver model Local code generator and residual code

500 views • 22 slides
Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in

419 views • 17 slides
Evaluation and Bias Removal of Evaluation and Bias Removal of Multi- -Look Effect on Look

Evaluation and Bias Removal of Evaluation and Bias Removal of Multi- -Look Effect on Look

POLINSAR 2009 WORKSHOP POLINSAR 2009 WORKSHOP 26-29 January 2009 ESA-ESRIN, Frascati (ROME), Italy Evaluation and Bias Removal of Evaluation and Bias Removal of Multi- -Look Effect on Look Effect on Multi /A (H/ Entropy/Alpha

351 views • 33 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
Chapter 9 Section 2 MA1020 Quantitative Literacy Sidney Butler Michigan Technological University

Chapter 9 Section 2 MA1020 Quantitative Literacy Sidney Butler Michigan Technological University

Chapter 9 Section 2 MA1020 Quantitative Literacy Sidney Butler Michigan Technological University October 20, 2006 S Butler (Michigan Tech) Chapter 9 Section 2 October 20, 2006 1 / 13 Sample Survey Design Independent Sampling Systematic

490 views • 13 slides
NEW RIDER TRAINING SYSTEM IN NORWAY Bjrn A. Lund Norwegian Public Roads Administration

NEW RIDER TRAINING SYSTEM IN NORWAY Bjrn A. Lund Norwegian Public Roads Administration

NEW RIDER TRAINING SYSTEM IN NORWAY Bjrn A. Lund Norwegian Public Roads Administration International Motorcycle Safety Conference March 28 30, 2006 Long Beach, CA - USA Background New rider and driver training system from 1.

363 views • 11 slides
AFHTO Strategic Plan Meeting February 9, 2011 Welcome to all FHTs! Presenters John McDonald

AFHTO Strategic Plan Meeting February 9, 2011 Welcome to all FHTs! Presenters John McDonald

AFHTO Strategic Plan Meeting February 9, 2011 Welcome to all FHTs! Presenters John McDonald AFHTO President, and Physician Lead, PrimaCare Community FHT Sean Blaine AFHTO Membership Committee Chair, and Physician Lead, STAR FHT Keri Selkirk

465 views • 33 slides
FORMULATING THE STRATEGIC DIRECTION OF GCPL A PEOPLE-CENTERED LEARNING AND A

FORMULATING THE STRATEGIC DIRECTION OF GCPL A PEOPLE-CENTERED LEARNING AND A

FORMULATING THE STRATEGIC DIRECTION OF GCPL A PEOPLE-CENTERED LEARNING AND A HIGHLY-COLLABORATIVE + = DECISION-MAKING FOCUS COMMUNITY-CENTERED LIBRARY WHAT WE BELIEVE IN UNDERSTAN WHY WE EXIST HOW WE SEE THE FUTURE D THE

491 views • 5 slides
Data Mining II Data Preprocessing Heiko Paulheim Introduction Give me six hours to

Data Mining II Data Preprocessing Heiko Paulheim Introduction Give me six hours to

Data Mining II Data Preprocessing Heiko Paulheim Introduction Give me six hours to chop down a tree and I will spend the first four sharpening the axe. Abraham Lincoln, 1809-1865 2/18/20 Heiko Paulheim 2 Recap: The Data Mining

738 views • 57 slides
t s s

t s s

t s s tr r t s t rst

365 views • 21 slides
Semiparametric models with functional responses in a model assisted survey sampling setting e

Semiparametric models with functional responses in a model assisted survey sampling setting e

Semiparametric models with functional responses in a model assisted survey sampling setting e Cardot 1 , Alain Dessertaine 2 , and Etienne Josserand 1 Herv 1 Institut de Math ematiques de Bourgogne, UMR 5584 CNRS herve.cardot@u-bourgogne.fr,

292 views • 13 slides
Monte Carlo Tools Frank Krauss Institute for Particle Physics Phenomenology Durham University

Monte Carlo Tools Frank Krauss Institute for Particle Physics Phenomenology Durham University

Orientation MC integration Matrix elements Parton showers Hadronization Underlying Event Upshot Monte Carlo Tools Frank Krauss Institute for Particle Physics Phenomenology Durham University GGI, 24.&26.9.2007 F. Krauss IPPP Monte

877 views • 63 slides

More recommend