Anomaly Characterization in Flow-Based Traffic Time Series

Anna  Sperotto; Ramin Sadre; Aiko  Pras

doi:10.1007/978-3-540-87357-0_2

Anomaly Characterization in Flow-Based Traffic Time Series

Anna Sperotto, Ramin Sadre, Aiko Pras

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

19 Citations (Scopus)

13 Downloads (Pure)

Abstract

The increasing number of network attacks causes growing problems for network operators and users. Not only do these attacks pose direct security threats to our infrastructure, but they may also lead to service degradation, due to the massive traffic volume variations that are possible during such attacks. The recent spread of Gbps network technology made the problem of detecting these attacks harder, since existing packet-based monitoring and intrusion detection systems do not scale well to Gigabit speeds. Therefore the attention of the scientific community is shifting towards the possible use of aggregated traffic metrics. The goal of this paper is to investigate how malicious traffic can be characterized on the basis of such aggregated metrics, in particular by using flow, packet and byte frequency variations over time. The contribution of this paper is that it shows, based on a number of real case studies on high-speed networks, that all three metrics may be necessary for proper time series anomaly characterization.

Original language	English
Title of host publication	IP Operations and Management
Subtitle of host publication	8th IEEE International Workshop, IPOM 2008, Samos Island, Greece, September 22-26, 2008. Proceedings
Editors	Nail Akar, Michal Pioro, Charalabos Skianis
Place of Publication	Berlin
Publisher	Springer
Pages	15-27
Number of pages	13
ISBN (Electronic)	978-3-540-87357-0
ISBN (Print)	978-3-540-87356-3
DOIs	https://doi.org/10.1007/978-3-540-87357-0_2
Publication status	Published - 25 Sept 2008
Event	8th IEEE International Workshop on IP Operations and Management, IPOM 2008 - Samos, Greece Duration: 22 Sept 2008 → 26 Sept 2008 Conference number: 8

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	5275
ISSN (Print)	1611-3349
ISSN (Electronic)	1611-3349

Workshop

Workshop	8th IEEE International Workshop on IP Operations and Management, IPOM 2008
Abbreviated title	IPOM
Country/Territory	Greece
City	Samos
Period	22/09/08 → 26/09/08

Keywords

EWI-13579
IR-62480
METIS-251219

Access to Document

10.1007/978-3-540-87357-0_2

Cite this

Sperotto, A., Sadre, R., & Pras, A. (2008). Anomaly Characterization in Flow-Based Traffic Time Series. In N. Akar, M. Pioro, & C. Skianis (Eds.), IP Operations and Management: 8th IEEE International Workshop, IPOM 2008, Samos Island, Greece, September 22-26, 2008. Proceedings (pp. 15-27). (Lecture Notes in Computer Science; Vol. 5275). Springer. https://doi.org/10.1007/978-3-540-87357-0_2

@inproceedings{92b76633ccd648a394dfdde4742fe5b4,

title = "Anomaly Characterization in Flow-Based Traffic Time Series",

abstract = "The increasing number of network attacks causes growing problems for network operators and users. Not only do these attacks pose direct security threats to our infrastructure, but they may also lead to service degradation, due to the massive traffic volume variations that are possible during such attacks. The recent spread of Gbps network technology made the problem of detecting these attacks harder, since existing packet-based monitoring and intrusion detection systems do not scale well to Gigabit speeds. Therefore the attention of the scientific community is shifting towards the possible use of aggregated traffic metrics. The goal of this paper is to investigate how malicious traffic can be characterized on the basis of such aggregated metrics, in particular by using flow, packet and byte frequency variations over time. The contribution of this paper is that it shows, based on a number of real case studies on high-speed networks, that all three metrics may be necessary for proper time series anomaly characterization.",

keywords = "EWI-13579, IR-62480, METIS-251219",

author = "Anna Sperotto and Ramin Sadre and Aiko Pras",

year = "2008",

month = sep,

day = "25",

doi = "10.1007/978-3-540-87357-0_2",

language = "English",

isbn = "978-3-540-87356-3",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "15--27",

editor = "Nail Akar and Michal Pioro and Charalabos Skianis",

booktitle = "IP Operations and Management",

address = "Germany",

note = "8th IEEE International Workshop on IP Operations and Management, IPOM 2008, IPOM ; Conference date: 22-09-2008 Through 26-09-2008",

}

Sperotto, A, Sadre, R & Pras, A 2008, Anomaly Characterization in Flow-Based Traffic Time Series. in N Akar, M Pioro & C Skianis (eds), IP Operations and Management: 8th IEEE International Workshop, IPOM 2008, Samos Island, Greece, September 22-26, 2008. Proceedings. Lecture Notes in Computer Science, vol. 5275, Springer, Berlin, pp. 15-27, 8th IEEE International Workshop on IP Operations and Management, IPOM 2008, Samos, Greece, 22/09/08. https://doi.org/10.1007/978-3-540-87357-0_2

Anomaly Characterization in Flow-Based Traffic Time Series. / Sperotto, Anna ; Sadre, Ramin; Pras, Aiko .
IP Operations and Management: 8th IEEE International Workshop, IPOM 2008, Samos Island, Greece, September 22-26, 2008. Proceedings. ed. / Nail Akar; Michal Pioro; Charalabos Skianis. Berlin: Springer, 2008. p. 15-27 (Lecture Notes in Computer Science; Vol. 5275).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Anomaly Characterization in Flow-Based Traffic Time Series

AU - Sperotto, Anna

AU - Sadre, Ramin

AU - Pras, Aiko

N1 - Conference code: 8

PY - 2008/9/25

Y1 - 2008/9/25

N2 - The increasing number of network attacks causes growing problems for network operators and users. Not only do these attacks pose direct security threats to our infrastructure, but they may also lead to service degradation, due to the massive traffic volume variations that are possible during such attacks. The recent spread of Gbps network technology made the problem of detecting these attacks harder, since existing packet-based monitoring and intrusion detection systems do not scale well to Gigabit speeds. Therefore the attention of the scientific community is shifting towards the possible use of aggregated traffic metrics. The goal of this paper is to investigate how malicious traffic can be characterized on the basis of such aggregated metrics, in particular by using flow, packet and byte frequency variations over time. The contribution of this paper is that it shows, based on a number of real case studies on high-speed networks, that all three metrics may be necessary for proper time series anomaly characterization.

AB - The increasing number of network attacks causes growing problems for network operators and users. Not only do these attacks pose direct security threats to our infrastructure, but they may also lead to service degradation, due to the massive traffic volume variations that are possible during such attacks. The recent spread of Gbps network technology made the problem of detecting these attacks harder, since existing packet-based monitoring and intrusion detection systems do not scale well to Gigabit speeds. Therefore the attention of the scientific community is shifting towards the possible use of aggregated traffic metrics. The goal of this paper is to investigate how malicious traffic can be characterized on the basis of such aggregated metrics, in particular by using flow, packet and byte frequency variations over time. The contribution of this paper is that it shows, based on a number of real case studies on high-speed networks, that all three metrics may be necessary for proper time series anomaly characterization.

KW - EWI-13579

KW - IR-62480

KW - METIS-251219

U2 - 10.1007/978-3-540-87357-0_2

DO - 10.1007/978-3-540-87357-0_2

M3 - Conference contribution

SN - 978-3-540-87356-3

T3 - Lecture Notes in Computer Science

SP - 15

EP - 27

BT - IP Operations and Management

A2 - Akar, Nail

A2 - Pioro, Michal

A2 - Skianis, Charalabos

PB - Springer

CY - Berlin

T2 - 8th IEEE International Workshop on IP Operations and Management, IPOM 2008

Y2 - 22 September 2008 through 26 September 2008

ER -

Anomaly Characterization in Flow-Based Traffic Time Series

Abstract

Publication series

Workshop

Keywords

Access to Document

Fingerprint

Cite this