Kim, Seong Soo (2005-05). Real-time analysis of aggregate network traffic for anomaly detection. Doctoral Dissertation. Thesis uri icon

abstract

  • The frequent and large-scale network attacks have led to an increased need for
    developing techniques for analyzing network traffic. If efficient analysis tools were
    available, it could become possible to detect the attacks, anomalies and to appropriately
    take action to contain the attacks before they have had time to propagate across the
    network.
    In this dissertation, we suggest a technique for traffic anomaly detection based on
    analyzing the correlation of destination IP addresses and distribution of image-based
    signal in postmortem and real-time, by passively monitoring packet headers of traffic.
    This address correlation data are transformed using discrete wavelet transform for
    effective detection of anomalies through statistical analysis. Results from trace-driven
    evaluation suggest that the proposed approach could provide an effective means of
    detecting anomalies close to the source. We present a multidimensional indicator using
    the correlation of port numbers as a means of detecting anomalies.
    We also present a network measurement approach that can simultaneously detect,
    identify and visualize attacks and anomalous traffic in real-time. We propose to
    represent samples of network packet header data as frames or images. With such a
    formulation, a series of samples can be seen as a sequence of frames or video. Thisenables techniques from image processing and video compression such as DCT to be
    applied to the packet header data to reveal interesting properties of traffic. We show that
    ??scene change analysis?? can reveal sudden changes in traffic behavior or anomalies. We
    show that ??motion prediction?? techniques can be employed to understand the patterns of
    some of the attacks. We show that it may be feasible to represent multiple pieces of data
    as different colors of an image enabling a uniform treatment of multidimensional packet
    header data.
    Measurement-based techniques for analyzing network traffic treat traffic volume
    and traffic header data as signals or images in order to make the analysis feasible. In this
    dissertation, we propose an approach based on the classical Neyman-Pearson Test
    employed in signal detection theory to evaluate these different strategies. We use both of
    analytical models and trace-driven experiments for comparing the performance of
    different strategies. Our evaluations on real traces reveal differences in the effectiveness
    of different traffic header data as potential signals for traffic analysis in terms of their
    detection rates and false alarm rates. Our results show that address distributions and
    number of flows are better signals than traffic volume for anomaly detection. Our results
    also show that sometimes statistical techniques can be more effective than the NP-test
    when the attack patterns change over time.

publication date

  • May 2005