
Large-Scale Traffic Anomaly Detection: Analysis of Real Netflow Datasets

Conference paper. In: E-Business and Telecommunications (ICETE 2012)

Abstract

The analysis of large amounts of traffic data is the daily routine of Autonomous System and ISP operators. The detection of anomalies such as denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks is also one of the main issues for critical services and infrastructures. The suitability of metrics coming from information theory for detecting DoS and DDoS episodes has been widely analyzed in the past. Unfortunately, their effectiveness is often evaluated on synthetic data sets or, in other cases, on old and unrepresentative data sets, e.g. the DARPA network dump. This paper presents the evaluation, by means of the main metrics proposed in the literature, of a real and large network flow dataset, collected from an Italian transit tier II Autonomous System (AS) located in Rome. We show how we effectively detected and analyzed several attacks against Italian critical IT services, some of them also publicly announced. We further report the study of other legitimate and malicious activities we found by ex-post analysis.

This work has been partially supported by the European Commission Directorate General Home Affairs, under the GAINS project, HOME/2013/CIPS/AG/4000005057, and by the TENACE PRIN Project (n. 20103P34XC) funded by the Italian Ministry of Education, University and Research.


Notes

  1. In this paper we refer to a border router as a router that connects two or more autonomous systems.

  2. With respect to the Non-Disclosure Agreement of the ExTrABIRE project, no detailed information about the AS (such as AS name or number) or ISP interconnections will be provided, in order to preserve AS and host privacy.

  3. http://sourceforge.net/projects/nfdump/

  4. https://github.com/icsecurity/fan


Author information

Corresponding author: Antonio Villani.


Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

Cite this paper

Spognardi, A., Villani, A., Vitali, D., Mancini, L.V., Battistoni, R. (2014). Large-Scale Traffic Anomaly Detection: Analysis of Real Netflow Datasets. In: Obaidat, M., Filipe, J. (eds) E-Business and Telecommunications. ICETE 2012. Communications in Computer and Information Science, vol 455. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44791-8_12

  • DOI: https://doi.org/10.1007/978-3-662-44791-8_12

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-44790-1

  • Online ISBN: 978-3-662-44791-8
