
Automated Classification of Network Traffic Anomalies

  • Conference paper

Abstract

Detection and characterization of network traffic anomalies has been an active research topic for many years. Although the field is well advanced in detecting network traffic anomalies, accurate automated classification of them remains a challenging and largely unsolved problem. This paper presents a new algorithm for the automated classification of network traffic anomalies. The algorithm relies on three steps: (i) after an anomaly has been detected, identify all (or most) of the packets or flow records related to it; (ii) use these packets or flow records to derive several distinct metrics directly related to the anomaly; and (iii) classify the anomaly from these metrics using a signature-based approach. We show how this approach can act as a filter that reduces the false positive rate of detection algorithms, while providing network operators with additional, valuable information about the detected anomalies. We validate the algorithm on two different datasets: the METROSEC project database and the MAWI traffic repository.
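One way to prototype the three-step pipeline the abstract describes, as an added example that is not the paper's code: the flow-record layout, the detector output (a time bin and the destination host that triggered the alarm), the metrics and the signature thresholds are all assumptions made here for illustration, not values taken from the paper.

```python
"""Illustrative three-step anomaly classifier (added example, not the paper's code).

Assumptions (not from the paper): a flow record is the tuple
(time_bin, src, dst, dport, pkts, syn_only); the detector reports the time bin
and destination host it alarmed on; the metrics and thresholds are invented.
"""

# Constructed flow records for three detector alarms (bins 3, 5 and 7).
FLOWS = [
    # bin 3: many sources, one destination, one port, SYN-only -> flood-like
    *[(3, f"10.0.0.{i}", "192.0.2.10", 80, 1, True) for i in range(1, 41)],
    # bin 3: one normal long-lived connection to the same host
    (3, "10.0.1.5", "192.0.2.10", 443, 120, False),
    # bin 5: one source touching many ports on one host -> scan-like
    *[(5, "10.0.2.7", "192.0.2.20", p, 1, True) for p in range(1000, 1040)],
    # bin 7: a single large but legitimate transfer that tripped the detector
    (7, "10.0.3.9", "192.0.2.30", 22, 5000, False),
]

def related_flows(flows, time_bin, dst):
    """Step (i): collect the flow records tied to the detected anomaly."""
    return [f for f in flows if f[0] == time_bin and f[2] == dst]

def derive_metrics(flows):
    """Step (ii): reduce the related records to a few anomaly-oriented metrics."""
    n = len(flows)
    return {
        "flows": n,
        "distinct_src": len({f[1] for f in flows}),
        "distinct_dport": len({f[3] for f in flows}),
        "syn_only_ratio": sum(f[5] for f in flows) / n if n else 0.0,
        "pkts_per_flow": sum(f[4] for f in flows) / n if n else 0.0,
    }

def classify(m):
    """Step (iii): signature-based labelling. An 'unknown' result is what lets
    the classifier act as a filter: the operator can treat such an alarm as a
    probable false positive of the detector."""
    bursty = m["flows"] >= 20 and m["syn_only_ratio"] > 0.8
    if bursty and m["distinct_src"] >= 20 and m["distinct_dport"] <= 2:
        return "syn-flood"
    if bursty and m["distinct_src"] == 1 and m["distinct_dport"] >= 20:
        return "port-scan"
    return "unknown"

def classify_alarm(flows, time_bin, dst):
    """Run the three steps for one detector alarm and return its label."""
    return classify(derive_metrics(related_flows(flows, time_bin, dst)))
```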




Copyright information

© 2009 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Fernandes, G., Owezarski, P. (2009). Automated Classification of Network Traffic Anomalies. In: Chen, Y., Dimitriou, T.D., Zhou, J. (eds) Security and Privacy in Communication Networks. SecureComm 2009. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 19. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05284-2_6


  • DOI: https://doi.org/10.1007/978-3-642-05284-2_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-05283-5

  • Online ISBN: 978-3-642-05284-2

  • eBook Packages: Computer Science (R0)
