
A Real-Time Network Traffic Anomaly Detection Scheme Using NetFlow Data

  • 강구홍 (Seowon University, School of Computer, Information and Communication Engineering)
  • 장종수 (Electronics and Telecommunications Research Institute, Network Security Group)
  • 김기영 (Electronics and Telecommunications Research Institute, Network Security Group)
  • Published: 2005.02.01

Abstract

Interest in detecting network traffic anomalies, as a way to protect computer networks from unknown attacks, has grown sharply in recent years. In this paper, we propose a new anomaly detection scheme that applies simple linear regression analysis to the NetFlow data exported from a border router at a campus network, namely bits per second and flows per second. To verify the proposed scheme, we apply it to a real campus network and compare the results with the Holt-Winters seasonal algorithm. In particular, we integrate it into RRDtool so that anomalies are detected in real time.

Recently, interest in detecting network traffic anomalies in order to protect networks from unknown attacks has grown. In this paper, we present a new anomaly detection scheme based on simple regression analysis of the relationship between bits per second and flows per second, as provided by the NetFlow data of a campus network's border router. To verify the newly proposed scheme, we applied it to a real campus network and compared the results with the Holt-Winters seasonal (HWS) algorithm. In particular, the proposed scheme is designed to be integrated into the existing RRDtool so that real-time detection is possible.
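The abstract describes regressing bits per second on flows per second and flagging intervals that depart from that relationship. The block below is an added illustration, not the paper's code: it fits the regression to constructed per-interval NetFlow counters and flags an interval whose residual exceeds k residual standard deviations (k = 3 and the sample values are assumptions; the page does not give the threshold it used).

```python
import math

# Constructed training sample: (flows per second, bits per second) per
# measurement interval, loosely mimicking a campus border router where
# bytes grow roughly in proportion to flows. Values are made up for the example.
TRAINING = [
    (120, 9.5e6), (150, 12.1e6), (180, 14.2e6), (210, 16.9e6),
    (240, 19.0e6), (270, 21.8e6), (300, 23.9e6), (330, 26.5e6),
    (360, 28.7e6), (390, 31.4e6), (420, 33.6e6), (450, 36.2e6),
]


def fit_simple_regression(samples):
    """Ordinary least squares fit of bps = a + b * fps.

    Returns (a, b, residual_sd), where residual_sd is the standard deviation
    of the fit residuals with n - 2 degrees of freedom.
    """
    n = len(samples)
    mean_x = sum(x for x, _ in samples) / n
    mean_y = sum(y for _, y in samples) / n
    sxx = sum((x - mean_x) ** 2 for x, _ in samples)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in samples)
    b = sxy / sxx
    a = mean_y - b * mean_x
    ss_res = sum((y - (a + b * x)) ** 2 for x, y in samples)
    return a, b, math.sqrt(ss_res / (n - 2))


def is_anomalous(model, fps, bps, k=3.0):
    """Score one interval against the fitted fps/bps relationship.

    Returns (flag, z): z is the residual in units of residual standard
    deviations; the interval is flagged when |z| > k (k is an assumption).
    A large negative z means many flows carrying little data (e.g. a scan
    or flood of small packets); a large positive z means unusually heavy
    flows for the observed flow rate.
    """
    a, b, sd = model
    z = (bps - (a + b * fps)) / sd
    return abs(z) > k, z


if __name__ == "__main__":
    model = fit_simple_regression(TRAINING)
    for fps, bps in [(200, 16e6), (900, 25e6), (250, 60e6)]:
        flag, z = is_anomalous(model, fps, bps)
        print(f"fps={fps:4d} bps={bps:.1e} z={z:8.1f} anomalous={flag}")
```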
