• 제목/요약/키워드: Anomaly Traffic

Search Result 86, Processing Time 0.022 seconds

A Flow-based Detection Method for VoIP Anomaly Traffic (VoIP 이상 트래픽의 플로우 기반 탐지 방법)

  • Son, Hyeon-Gu;Lee, Young-Seok
    • Journal of KIISE:Information Networking
    • /
    • v.37 no.4
    • /
    • pp.263-271
    • /
    • 2010
  • SIP/RTP-based VoIP services are being popular. Recently, however, VoIP anomaly traffic such as delay, interference and termination of call establishment, and degradation of voice quality has been reported. An attacker could intercept a packet, and obtain user and header information so as to generate an anomaly traffic, because most Korean VoIP applications do not use standard security protocols. In this paper, we propose three VoIP anomaly traffic generation methods for CANCEL;BYE DoS and RTP flooding, and a detection method through flow-based traffic measurement. From our experiments, we showed that 97% of anomaly traffic could be detected in real commercial VoIP networks in Korea.

Traffic Anomaly Detection for Campus Networks using Fisher Linear Discriminant (Fisher 선형 분류법을 이용한 비정상 트래픽 탐지)

  • Park, Hyun-Hee;Kim, Mee-Joung;Kang, Chul-Hee
    • Journal of IKEEE
    • /
    • v.13 no.2
    • /
    • pp.140-149
    • /
    • 2009
  • Traffic anomaly detection is one of important technology that should be considered in network security and administration. In this paper, we propose an abnormal traffic detection mechanism that includes traffic monitoring and traffic analysis. We develop analytical passive monitoring system called WISE-Mon which can inspect traffic behavior. We establish a criterion by analyzing the characteristics of a traffic training set. To detect abnormal traffic, we derive a hyperplane by using Fisher linear discriminant and chi-square distribution as well as the analyzed characteristics of traffic. Our mechanism can support reliable results for traffic anomaly detection and is compatible to real-time detection. In addition, since the trend of traffic can be changed as time passes, the hyperplane has to be updated periodically to reflect the changes. Accordingly, we consider the self-learning algorithm which reflects the trend of the traffic and so enables to increase the pliability of detection probability. Numerical results are presented to validate the accuracy of proposed mechanism. It shows that the proposed mechanism is reliable and relevant for traffic anomaly detection.

  • PDF

A Study on Traffic Anomaly Detection Scheme Based Time Series Model (시계열 모델 기반 트래픽 이상 징후 탐지 기법에 관한 연구)

  • Cho, Kang-Hong;Lee, Do-Hoon
    • The Journal of Korean Institute of Communications and Information Sciences
    • /
    • v.33 no.5B
    • /
    • pp.304-309
    • /
    • 2008
  • This paper propose the traffic anomaly detection scheme based time series model. We apply ARIMA prediction model to this scheme and transform the value of the abnormal symptom into the probability value to maximize the traffic anomaly symptom detection. For this, we have evaluated the abnormal detection performance for the proposed model using total traffic and web traffic included the attack traffic. We will expect to have an great effect if this scheme is included in some network based intrusion detection system.

A Probabilistic Sampling Method for Efficient Flow-based Analysis

  • Jadidi, Zahra;Muthukkumarasamy, Vallipuram;Sithirasenan, Elankayer;Singh, Kalvinder
    • Journal of Communications and Networks
    • /
    • v.18 no.5
    • /
    • pp.818-825
    • /
    • 2016
  • Network management and anomaly detection are challenges in high-speed networks due to the high volume of packets that has to be analysed. Flow-based analysis is a scalable method which reduces the high volume of network traffic by dividing it into flows. As sampling methods are extensively used in flow generators such as NetFlow, the impact of sampling on the performance of flow-based analysis needs to be investigated. Monitoring using sampled traffic is a well-studied research area, however, the impact of sampling on flow-based anomaly detection is a poorly researched area. This paper investigates flow sampling methods and shows that these methods have negative impact on flow-based anomaly detection. Therefore, we propose an efficient probabilistic flow sampling method that can preserve flow traffic distribution. The proposed sampling method takes into account two flow features: Destination IP address and octet. The destination IP addresses are sampled based on the number of received bytes. Our method provides efficient sampled traffic which has the required traffic features for both flow-based anomaly detection and monitoring. The proposed sampling method is evaluated using a number of generated flow-based datasets. The results show improvement in preserved malicious flows.

DNS key technologies based on machine learning and network data mining

  • Xiaofei Liu;Xiang Zhang;Mostafa Habibi
    • Advances in concrete construction
    • /
    • v.17 no.2
    • /
    • pp.53-66
    • /
    • 2024
  • Domain Name Systems (DNS) provide critical performance in directing Internet traffic. It is a significant duty of DNS service providers to protect DNS servers from bandwidth attacks. Data mining techniques may identify different trends in detecting anomalies, but these approaches are insufficient to provide adequate methods for querying traffic data in significant network environments. The patterns can enable the providers of DNS services to find anomalies. Accordingly, this research has used a new approach to find the anomalies using the Neural Network (NN) because intrusion detection techniques or conventional rule-based anomaly are insufficient to detect general DNS anomalies using multi-enterprise network traffic data obtained from network traffic data (from different organizations). NN was developed, and its results were measured to determine the best performance in anomaly detection using DNS query data. Going through the R2 results, it was found that NN could satisfactorily perform the DNS anomaly detection process. Based on the results, the security weaknesses and problems related to unpredictable matters could be practically distinguished, and many could be avoided in advance. Based on the R2 results, the NN could perform remarkably well in general DNS anomaly detection processing in this study.

A Moving Window Principal Components Analysis Based Anomaly Detection and Mitigation Approach in SDN Network

  • Wang, Mingxin;Zhou, Huachun;Chen, Jia
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.12 no.8
    • /
    • pp.3946-3965
    • /
    • 2018
  • Network anomaly detection in Software Defined Networking, especially the detection of DDoS attack, has been given great attention in recent years. It is convenient to build the Traffic Matrix from a global view in SDN. However, the monitoring and management of high-volume feature-rich traffic in large networks brings significant challenges. In this paper, we propose a moving window Principal Components Analysis based anomaly detection and mitigation approach to map data onto a low-dimensional subspace and keep monitoring the network state in real-time. Once the anomaly is detected, the controller will install the defense flow table rules onto the corresponding data plane switches to mitigate the attack. Furthermore, we evaluate our approach with experiments. The Receiver Operating Characteristic curves show that our approach performs well in both detection probability and false alarm probability compared with the entropy-based approach. In addition, the mitigation effect is impressive that our approach can prevent most of the attacking traffic. At last, we evaluate the overhead of the system, including the detection delay and utilization of CPU, which is not excessive. Our anomaly detection approach is lightweight and effective.

Anomaly Detection Scheme of Web-based attacks by applying HMM to HTTP Outbound Traffic (HTTP Outbound Traffic에 HMM을 적용한 웹 공격의 비정상 행위 탐지 기법)

  • Choi, Byung-Ha;Choi, Sung-Kyo;Cho, Kyung-San
    • Journal of the Korea Society of Computer and Information
    • /
    • v.17 no.5
    • /
    • pp.33-40
    • /
    • 2012
  • In this paper we propose an anomaly detection scheme to detect new attack paths or new attack methods without false positives by monitoring HTTP Outbound Traffic after efficient training. Our proposed scheme detects web-based attacks by comparing tags or javascripts of HTTP Outbound Traffic with normal behavioral models which apply HMM(Hidden Markov Model). Through the verification analysis under the real-attacked environment, we show that our scheme has superior detection capability of 0.0001% false positive and 96% detection rate.

Classifying Rules by In-out Traffic Direction to Avoid Security Policy Anomaly

  • Kim, Sung-Hyun;Lee, Hee-Jo
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.4 no.4
    • /
    • pp.671-690
    • /
    • 2010
  • The continuous growth of attacks in the Internet causes to generate a number of rules in security devices such as Intrusion Prevention Systems, firewalls, etc. Policy anomalies in security devices create security holes and prevent the system from determining quickly whether allow or deny a packet. Policy anomalies exist among the rules in multiple security devices as well as in a single security device. The solution for policy anomalies requires complex and complicated algorithms. In this paper, we propose a new method to remove policy anomalies in a single security device and avoid policy anomalies among the rules in distributed security devices. The proposed method classifies rules according to traffic direction and checks policy anomalies in each device. It is unnecessary to compare the rules for outgoing traffic with the rules for incoming traffic. Therefore, classifying rules by in-out traffic, the proposed method can reduce the number of rules to be compared up to a half. Instead of detecting policy anomalies in distributed security devices, one adopts the rules from others for avoiding anomaly. After removing policy anomalies in each device, other firewalls can keep the policy consistency without anomalies by adopting the rules of a trusted firewall. In addition, it blocks unnecessary traffic because a source side sends as much traffic as the destination side accepts. Also we explain another policy anomaly which can be found under a connection-oriented communication protocol.

Anomaly Detection Method Using Entropy of Network Traffic Distributions (네트워크 트래픽 분포 엔트로피를 이용한 비정상행위 탐지 방법)

  • Kang Koo-Hong;Oh Jin-Tae;Jang Jong-Soo
    • The KIPS Transactions:PartC
    • /
    • v.13C no.3 s.106
    • /
    • pp.283-294
    • /
    • 2006
  • Hostile network traffic is often different from normal traffic in ways that can be distinguished without knowing the exact nature of the attack. In this paper, we propose a new anomaly detection method using inbound network traffic distributions. For this purpose, we first characterize the traffic of a real campus network by the distributions of IP protocols, packet length, destination IP/port addresses, TTL value, TCP SYN packet, and fragment packet. And then we introduce the concept of entropy to transform the obtained baseline traffic distributions into manageable values. Finally, we can detect the anomalies by the difference of entropies between the current and baseline distributions. In particular, we apply the well-known denial-of-service attacks to a real campus network and show the experimental results.

Mutual Information Applied to Anomaly Detection

  • Kopylova, Yuliya;Buell, Duncan A.;Huang, Chin-Tser;Janies, Jeff
    • Journal of Communications and Networks
    • /
    • v.10 no.1
    • /
    • pp.89-97
    • /
    • 2008
  • Anomaly detection systems playa significant role in protection mechanism against attacks launched on a network. The greatest challenge in designing systems detecting anomalous exploits is defining what to measure. Effective yet simple, Shannon entropy metrics have been successfully used to detect specific types of malicious traffic in a number of commercially available IDS's. We believe that Renyi entropy measures can also adequately describe the characteristics of a network as a whole as well as detect abnormal traces in the observed traffic. In addition, Renyi entropy metrics might boost sensitivity of the methods when disambiguating certain anomalous patterns. In this paper we describe our efforts to understand how Renyi mutual information can be applied to anomaly detection as an offline computation. An initial analysis has been performed to determine how well fast spreading worms (Slammer, Code Red, and Welchia) can be detected using our technique. We use both synthetic and real data audits to illustrate the potentials of our method and provide a tentative explanation of the results.