Accurate traffic measurement is essential for both network management tasks (e.g., capacity planning, traffic engineering) and security forensics (e.g., detecting malicious traffic such as portscans or DoS attacks). Various sampling techniques have been proposed for traffic measurement in high-speed backbone networks to reduce storage and processing overhead. There are well-studied trade-offs between accuracy, efficiency, and scalability in choosing a specific sampling method or rate for traffic engineering purposes. However, a detailed study of whether sampled data is sufficient for anomaly detection is still needed.

This project seeks to answer this question: Does sampled data capture sufficient information for effective anomaly detection? Through experiments using real traffic traces, we have quantified how existing sampling schemes (e.g., random packet sampling, random flow sampling, smart sampling, and sample-and-hold) affect the performance of a wavelet-based volume anomaly detection method and two portscan detection algorithms.
We believe that the lessons learned in our preliminary explorations can be leveraged to address these accuracy and efficiency trade-offs in designing better sampling techniques. Anomaly detection operates on a significantly different information region, which is often overlooked by existing traffic accounting methods that target heavy-hitters. Better measurement techniques need to adapt to the needs of anomaly detection as well as traffic engineering, whether the quantity of interest is flow statistics or access patterns.
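To make the "different information region" concrete, the following added example (not code from this project) runs a toy portscan detector over a constructed trace under three of the sampling schemes named above: random packet sampling, random flow sampling, and sample-and-hold. The trace, the sampling rate, the sample-and-hold byte threshold, and the detector threshold of 10 distinct destinations are all assumptions chosen for illustration; `decide` is a callable returning a number in [0, 1) so the sampling decisions can be driven by a real RNG or replaced by a deterministic one.

```python
import random
from collections import defaultdict

# Constructed trace (assumption, not measured data): a heavy flow A -> B of
# 200 packets of 1000 B, followed by a scan from S to 40 destinations, 60 B each.
def build_trace():
    trace = [("A", "B", 1000)] * 200
    trace += [("S", f"D{i}", 60) for i in range(40)]
    return trace

def packet_sampling(trace, rate, decide):
    """Random packet sampling: keep each packet independently with probability rate."""
    return [pkt for pkt in trace if decide() < rate]

def flow_sampling(trace, rate, decide):
    """Random flow sampling: decide once per (src, dst) flow, keep all or none of it."""
    kept, out = {}, []
    for pkt in trace:
        key = pkt[:2]
        if key not in kept:
            kept[key] = decide() < rate
        if kept[key]:
            out.append(pkt)
    return out

def sample_and_hold(trace, threshold, decide):
    """Sample-and-hold: a packet of size s creates a table entry with probability
    s / threshold; once a flow is in the table, all its later packets are counted."""
    table, out = set(), []
    for pkt in trace:
        key = pkt[:2]
        if key not in table and decide() < pkt[2] / threshold:
            table.add(key)
        if key in table:
            out.append(pkt)
    return out

def scan_sources(trace, min_dsts=10):
    """Toy portscan detector: flag a source that reaches >= min_dsts distinct destinations."""
    dsts = defaultdict(set)
    for src, dst, _ in trace:
        dsts[src].add(dst)
    return {src for src, seen in dsts.items() if len(seen) >= min_dsts}

def compare(rate=0.1, threshold=10_000, seed=1):
    """Run the detector on the full trace and on each sampled view of it."""
    trace, rng = build_trace(), random.Random(seed)
    return {"full": scan_sources(trace),
            "packet": scan_sources(packet_sampling(trace, rate, rng.random)),
            "flow": scan_sources(flow_sampling(trace, rate, rng.random)),
            "sample_and_hold": scan_sources(sample_and_hold(trace, threshold, rng.random))}
```

With a 1-in-10 rate the scanner's 40 single-packet flows mostly vanish under both packet and flow sampling while the heavy flow stays visible, and sample-and-hold, being tuned for heavy-hitters, keeps the heavy flow entirely and almost never creates an entry for a 60-byte scan packet, so the scan disappears from the view the detector sees.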
Acknowledgements
Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.