
Anomaly Characterization in Flow-Based Traffic Time Series

  • Conference paper
IP Operations and Management (IPOM 2008)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 5275)


Abstract

The increasing number of network attacks causes growing problems for network operators and users. Not only do these attacks pose direct security threats to our infrastructure, but they may also lead to service degradation, due to the massive traffic volume variations that are possible during such attacks. The recent spread of Gbps network technology has made the problem of detecting these attacks harder, since existing packet-based monitoring and intrusion detection systems do not scale well to Gigabit speeds. Therefore, the attention of the scientific community is shifting towards the possible use of aggregated traffic metrics. The goal of this paper is to investigate how malicious traffic can be characterized on the basis of such aggregated metrics, in particular by using the variations over time in flow, packet and byte frequency. The contribution of this paper is that it shows, based on a number of real case studies on high-speed networks, that all three metrics may be necessary for proper time series anomaly characterization.
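As an added illustration of the characterization the abstract describes (this is not code from the paper), the following Python builds per-minute flow, packet and byte time series from constructed flow records and applies a median/MAD outlier rule to each series; the record format, the two constructed events and the threshold are assumptions chosen so that each event shows up in a different subset of the three metrics.

```python
from collections import defaultdict
from statistics import median

BIN_SECONDS = 60  # assumed aggregation interval

def constructed_flows():
    """Constructed flow records (start_s, packets, bytes): 12 minutes of steady
    traffic, a scan-like burst of tiny flows in minute 3 and a volume burst of
    a few very large flows in minute 8. All values are made up for this example."""
    flows = []
    for minute in range(12):
        for i in range(20 + minute % 5 - 2):            # 18..22 ordinary flows per minute
            flows.append((minute * 60 + i, 10, 6000))
    flows += [(3 * 60 + i % 60, 1, 60) for i in range(300)]            # scan: 300 one-packet flows
    flows += [(8 * 60 + i * 20, 20000, 28_000_000) for i in range(2)]  # volume burst: 2 huge flows
    return flows

def time_series(flows, bin_s=BIN_SECONDS):
    """Aggregate flow records into per-bin (flows, packets, bytes) counts."""
    bins = defaultdict(lambda: [0, 0, 0])
    for start, pkts, byts in flows:
        b = bins[start // bin_s]
        b[0] += 1; b[1] += pkts; b[2] += byts
    return [tuple(bins[i]) for i in range(max(bins) + 1)]

METRICS = {"flows": 0, "packets": 1, "bytes": 2}

def anomalous_bins(series, metric, threshold=3.5):
    """Bins whose metric is an outlier by the median/MAD robust z-score
    (0.6745 * |v - median| / MAD > threshold). If more than half of the bins
    share one value, MAD is 0 and this rule cannot flag anything."""
    vals = [s[METRICS[metric]] for s in series]
    med = median(vals)
    mad = median(abs(v - med) for v in vals)
    if mad == 0:
        return []
    return [i for i, v in enumerate(vals) if 0.6745 * abs(v - med) / mad > threshold]

def characterize(flows):
    """Map each metric to the intervals it flags: the scan is visible in the flow
    and packet series but not in bytes, the volume burst in packets and bytes
    but not in flows, which is why all three series are needed."""
    series = time_series(flows)
    return {m: anomalous_bins(series, m) for m in METRICS}

if __name__ == "__main__":
    for metric, bins in characterize(constructed_flows()).items():
        print(f"{metric:8s} anomalous minutes: {bins}")
```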




Copyright information

© 2008 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Sperotto, A., Sadre, R., Pras, A. (2008). Anomaly Characterization in Flow-Based Traffic Time Series. In: Akar, N., Pioro, M., Skianis, C. (eds) IP Operations and Management. IPOM 2008. Lecture Notes in Computer Science, vol 5275. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-87357-0_2


  • DOI: https://doi.org/10.1007/978-3-540-87357-0_2

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-87356-3

  • Online ISBN: 978-3-540-87357-0

