a signal analysis of network traffic anomalies
play

A Signal Analysis of Network Traffic Anomalies Paul Barford with - PowerPoint PPT Presentation

Sep 27, 2022 •262 likes •465 views

A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin Madison Fall, 2002 Overview Motivation: Anomaly detection remains difficult Objective : Improve

  1. A Signal Analysis of Network Traffic Anomalies Paul Barford with Jeffery Kline, David Plonka, Amos Ron University of Wisconsin – Madison Fall, 2002

  2. Overview • Motivation: Anomaly detection remains difficult • Objective : Improve understanding of traffic anomalies • Approach : Multiresolution analysis of data set that includes IP flow, SNMP and an anomaly catalog • Method : Integrated Measurement Analysis Platform for Internet Traffic (IMAPIT) • Results : Identify anomaly characteristics using wavelets and develop new method for exposing short-lived events pb@cs.wisc.ecdu 2

  3. Our Data Sets • Consider anomalies in IP flow and SNMP data – Collected at UW border router (Juniper M10) – Archive of ~6 months worth of data (packets, bytes, flows) – Includes catalog of anomalies (after-the-fact analysis) • Group observed anomalies into four categories – Network anomalies (41) • Steep drop offs in service followed by quick return to normal behavior – Flash crowd anomalies (4) • Steep increase in service followed by slow return to normal behavior – Attack anomalies (46) • Steep increase in flows in one direction followed by quick return to normal behavior – Measurement anomalies (18) • Short-lived anomalies which are not network anomalies or attacks pb@cs.wisc.ecdu 3

  4. pb@cs.wisc.ecdu 4

  5. Multiresolution Analysis • Wavelets provide a means for describing time series data that considers both frequency and time – Powerful means for characterizing data with sharp spikes and discontinuities – Using wavelets can be quite tricky • We use tools developed at UW which together make up IMAPIT – FlowScan software – The IDR Framenet software pb@cs.wisc.ecdu 5

  6. Our Wavelet System • After evaluating different candidates we selected a wavelet system called Pseudo Splines(4,1) Type 2. – A framelet system developed by Daubechies et al. ‘00 – Very good frequency localization properties • Three output signals are extracted – Low Frequency (L) : synthesis of all wavelet coefficients from level 9 and up – Mid Frequency (M) : synthesis of wavelet coefficients 6, 7, 8 – High Frequency (H) : synthesis of wavelet coefficients 1 to 5 pb@cs.wisc.ecdu 6

  7. Ambient IP Flow Traffic One Autonomous System to Campus, Inbound, 2001-DEC-16 through 2001-DEC-23 20 M bytes, original signal Bytes/sec 15 M 10 M 5 M 0 6 M 4 M 2 M 0 -2 M bytes, high-band -4 M -6 M 4 M 2 M 0 -2 M bytes, mid-band -4 M 20 M bytes, low-band 15 M 10 M 5 M 0 Sat Sun Mon Tue Wed Thu Fri Sat Sun pb@cs.wisc.ecdu 7

  8. Ambient SNMP Traffic One Interface to Campus, Inbound, 2001-DEC-16 through 2001-DEC-23 20 M bytes, original signal Bytes/sec 15 M 10 M 5 M 0 6 M 4 M 2 M 0 -2 M bytes, high-band -4 M -6 M 4 M 2 M 0 -2 M bytes, mid-band -4 M 20 M bytes, low-band 15 M 10 M 5 M 0 Sat Sun Mon Tue Wed Thu Fri Sat Sun pb@cs.wisc.ecdu 8

  9. Byte Traffic for Flash Crowd Class-B Network, Outbound, 2001-SEP-30 through 2001-NOV-25 30 M Outbound Class-B Network Bytes, original signal 25 M Bytes/sec 20 M 15 M 10 M 5 M 0 Outbound Class-B Network Bytes, mid-band 5 M 0 -5 M -10 M 20 M Outbound Class-B Network Bytes, low-band 15 M 10 M 5 M 0 Oct-01 Oct-08 Oct-15 Oct-22 Oct-29 Nov-05 Nov-12 Nov-19 Nov-26 pb@cs.wisc.ecdu 9

  10. Average Packet Size for Flash Crowd Campus HTTP, Outbound, 2001-SEP-30 through 2001-NOV-25 1500 1000 Bytes 500 outbound HTTP average packet size signal 0 300 200 100 0 -100 outound HTTP average packet size, mid-band -200 -300 1500 1000 500 outbound HTTP average packet size, low-band 0 Oct-01 Oct-08 Oct-15 Oct-22 Oct-29 Nov-05 Nov-12 Nov-19 Nov-26 pb@cs.wisc.ecdu 10

  11. Flow Traffic During DoS Attacks Campus TCP, Inbound, 2002-FEB-03 through 2002-FEB-10 400 Flows/sec Inbound TCP Flows, original signal 300 200 100 0 200 Inbound TCP Flows, high-band 150 100 50 0 30 20 10 0 -10 Inbound TCP Flows, mid-band -20 -30 400 Inbound TCP Flows, low-band 300 200 100 0 Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 11

  12. Byte Traffic During Measurement Anomalies Campus TCP, Inbound, 2002-FEB-10 through 2002-FEB-17 30 M Inbound TCP Bytes, original signal Bytes/sec 20 M 10 M 0 8 M 6 M Inbound TCP Bytes, high-band 4 M 2 M 0 -2 M -4 M 6 M Inbound TCP Bytes, mid-band 4 M 2 M 0 -2 M 30 M Inbound TCP Bytes, low-band 20 M 10 M 0 Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 12

  13. Anomaly Detection via Deviation Score • Short-lived anomalies can be identified automatically based on variability in H and M signals 1. Compute local variability (using specified window) of H and M parts of signal 2. Combine local variability of H and M signals (using a weighted sum) and normalize by total variability to get deviation score V 3. Apply threshold to V then measure peaks • Analysis shows that V peaks over 2.0 indicate short- lived anomalies with high confidence – We threshold at V = 1.25 and set window size to 3 hours pb@cs.wisc.ecdu 13

  14. Deviation Score for Three Anomalies Campus TCP, Inbound, 2002-FEB-03 through 2002-FEB-10 50 k 2 Inbound TCP Packets Deviation Score 40 k 30 k Packets/sec Score 20 k 1.5 10 k 0 Mon Mon Tue Tue Sun Sun Wed Wed Thu Thu Fri Fri Sat Sat pb@cs.wisc.ecdu 14

  15. Deviation Score for Network Outage Inbound Outbound 30 M 2 Bytes/sec 20 M Score 10 M 1.5 0 40 k 2 30 k Pkts/sec Score 20 k 1.5 10 k 0 200 2 150 Flows/sec Score 100 1.5 50 0 Sun Mon Tue Wed Thu Fri Sat Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 15

  16. Anomalies in Aggregate Signals Inbound Outbound 600 k 2 500 k Bytes/sec 400 k Score 300 k 200 k 1.5 100 k 0 20 k 2 15 k Pkts/sec Score 10 k 1.5 5 k 0 200 2 150 Flows/sec Score 100 1.5 50 0 Sun Mon Tue Wed Thu Fri Sat Sun Mon Tue Wed Thu Fri Sat Inbound Outbound 30 M 2 Bytes/sec 20 M Score 10 M 1.5 0 50 k 2 40 k Pkts/sec 30 k Score 20 k 1.5 10 k 0 300 2 250 Flows/sec 200 Score 150 100 1.5 50 0 Sun Mon Tue Wed Thu Fri Sat Sun Mon Tue Wed Thu Fri Sat pb@cs.wisc.ecdu 16

  17. Hidden Anomalies in Low Frequency Class-B Network, Outbound, 2001-NOV-25 through 2001-DEC-23 10 M 8 M Outbound Bytes, original signal Bytes/sec 6 M 4 M 2 M 0 3 M Outbound Bytes, high-band 2 M 1 M 0 -1 M -2 M 3 M Outbound Bytes, mid-band 2 M 1 M 0 -1 M -2 M -3 M 10 M 8 M Outbound Bytes, low-band 6 M 4 M 2 M 0 Nov-27 Dec-04 Dec-11 Dec-18 Dec-25 pb@cs.wisc.ecdu 17

  18. Deviation Score Evaluation • How effective is deviation score at detecting anomalies? – Compare versus set of 39 anomalies • Set is unlikely to be complete so we don’t treat false-positives – Compare versus Holt-Winters Forecasting • Time series technique • Requires some configuration • Holt-Winters reported many more positives and sometimes oscillated between values Total Candidates Candidates Candidate detected by detected by Anomalies Deviation Holt-Winters Score 39 38 37 pb@cs.wisc.ecdu 18

  19. Conclusion and Next Steps • We present an evaluation of signal characteristics of network traffic anomalies – Using IP flow and SNMP data collected at UW border router – IMAPIT developed to apply wavelet analysis to data – Deviation score developed to automate anomaly detection • Results – Characteristics of anomalies exposed using different filters and data – Deviation score appears promising as a detection method • Future – Development of anomaly classification methods – Application of results in (distributed) detection systems pb@cs.wisc.ecdu 19

Recommend

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and

Introduction Statement problem Mathematical background Algorithm Experiments Conclusions Detection and Classification of Anomalies in Network Traffic Using Generalized Entropies and OC-SVM with Mahalanobis Kernel Jayro Santiago-Paz, Deni

583 views • 23 slides
The Subspace Method for Diagnosing Network-Wide Traffic Anomalies Anukool Lakhina, Mark Crovella,

The Subspace Method for Diagnosing Network-Wide Traffic Anomalies Anukool Lakhina, Mark Crovella,

The Subspace Method for Diagnosing Network-Wide Traffic Anomalies Anukool Lakhina, Mark Crovella, Christophe Diot Whats happening in my network? Is my customer being attacked? probed? infected? Is there a sudden traffic shift?

374 views • 26 slides
Traffic signal optimization and traffic assignment Traffic signals Traffic signal optimization

Traffic signal optimization and traffic assignment Traffic signals Traffic signal optimization

Dagstuhl, October 2015 Traffic Signals and User Equilibria Martin Strehler , Ekkehard K ohler BTU Cottbus-Senftenberg { martin.strehler,ekkehard.koehler } @b-tu.de Traffic signal optimization and traffic assignment Traffic signals Traffic

577 views • 55 slides
Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods

Botnet Detection through Analyzing Network Traffic using Statistical Signal Processing Methods Basil AsSadhan Department of Electrical Engineering & Center of Excellence in Information Assurance King Saud University April 13-14, 2014

609 views • 39 slides
Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction

Network Traffic Characterization Srinidhi Varadarajan Traffic Analysis: Introduction Youve just invented the greatest protocol does everything including tying your shoelaces. What now? Need to know how it performs. Is it

510 views • 13 slides
using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis

Website Fingerprinting using Traffic Analysis Attacks Salini S K What is Traffic Analysis What is Traffic Analysis Wiki says What is Traffic Analysis Wiki says Process of intercepting and examining messages in order to deduce

1.15k views • 41 slides
Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets

Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets

Towards Provable Network Traffic Measurement and Analysis via Semi-Labeled Trace Datasets Network Traffic Measurement and Analysis Conference (TMA 2018) June 28, 2018 Milan Cermak et al. Institute of Computer Science, Masaryk University, Brno

575 views • 25 slides
this traffic signal will turn green? Why do I want to know when the signal turns green?

this traffic signal will turn green? Why do I want to know when the signal turns green?

How do I know, when this traffic signal will turn green? Why do I want to know when the signal turns green? 28.03.2012 Seminar in Distributed Computing Gianin Basler Introduction Traffic light countdown timer 28.03.2012 Seminar in

801 views • 49 slides
Structural Analysis of Network Traffic Flows Eric Kolaczyk Anukool Lakhina, Dina Papagiannaki,

Structural Analysis of Network Traffic Flows Eric Kolaczyk Anukool Lakhina, Dina Papagiannaki,

Structural Analysis of Network Traffic Flows Eric Kolaczyk Anukool Lakhina, Dina Papagiannaki, Mark Crovella, Christophe Diot, and Nina Taft Traditional Network What ISPs Care Traffic Analysis About Focus on Focus on Long,

1.09k views • 46 slides
Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools

Network Traffic Analysis & Cluster Analysis Exploring Hadoop Clusters using Free Tools Background and Goals: Apache Spot was started recently DNS, Netflow, PCAP data is analyzed The goal is to identify: suspicous

644 views • 19 slides
Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network

Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network

Trace-Share: Towards Provable Network Traffic Measurement and Analysis Special Session on Network Security at Prague Embedded Systems Workshop (PESW 2019) June 28, 2019 Milan Cermak Institute of Computer Science, Masaryk University, Brno 2 3

440 views • 20 slides
Integration of Crowdsourced Data into Automated Traffic Signal Performance Measures (ATSPMs)

Integration of Crowdsourced Data into Automated Traffic Signal Performance Measures (ATSPMs)

Integration of Crowdsourced Data into Automated Traffic Signal Performance Measures (ATSPMs) Adventures in Crowdsourcing: Traffic Signal Applications February 27, 2020 Justin R. Effinger, P.E. Lake County PASSAGE ATMS Platform

461 views • 18 slides
Transaction clustering using network traffic blockchains analysis for Bitcoin and derived

Transaction clustering using network traffic blockchains analysis for Bitcoin and derived

Transaction clustering using network traffic analysis for Bitcoin and derived Transaction clustering using network traffic blockchains analysis for Bitcoin and derived blockchains Biryukov, Tikhomirov Introduction Network privacy Alex

491 views • 30 slides
ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and

ICmyNet.Flow: NetFlow based traffic investigation analysis traffic investigation, analysis, and reporting Slavko Gajin slavko.gajin@ rcub.bg.ac.rs AMRES Academic Network of Serbia RCUB - Belgrade University Computer Center ETF

641 views • 46 slides
High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges &

High Speed Traffic Analysis for High-Speed Traffic Analysis for Security: Challenges & Approaches Security: Challenges & Approaches C-DAC Asia-Pacific Advanced Network 32 nd Meeting, India Habitat Centre, New Delhi APAN 32nd Meeting,

647 views • 28 slides
ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC

ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC

IN INTRODUCTION TO TRAFFIC ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC ANALYSIS 1. Except for user terminals, the telephone network is composed of a variety of common 45 Trunks equipment

385 views • 17 slides
Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1

Pentest Accountability By Analyzing Network Traffic & Network Traffic Metadata RP1 Presentation By Henk van Doorn & Marko Spithoff Relevance Security Audits Company Detects (Attempted) Breach Accountability Of Actions 2

337 views • 22 slides
Vehicle Traffic Control Signal Heads Light Emitting Diode (LED) Circular Signal Testing What

Vehicle Traffic Control Signal Heads Light Emitting Diode (LED) Circular Signal Testing What

Vehicle Traffic Control Signal Heads Light Emitting Diode (LED) Circular Signal Testing What is an LED? LEDs are more closely related to computer technology than they are to traditional forms of lighting, as an LED is basically a

448 views • 26 slides
FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer

FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer

x January 2018 FloCon 2018 Tucson AZ Analysis of DNS Traffic on the Network EDGE, and In Motion. Fred Stringer 1 Key M Messages es Distributed Analysis (at the collection points) enables scale, flexibility and timely indicators.

364 views • 11 slides
A Network Calculus for Multi-Hop Fading Channels Hussein Al-Zubaidy J org Liebeherr Almut

A Network Calculus for Multi-Hop Fading Channels Hussein Al-Zubaidy J org Liebeherr Almut

A Network Calculus for Multi-Hop Fading Channels Hussein Al-Zubaidy J org Liebeherr Almut Burchard University of Toronto Performance Analysis of Multihop Wireless Network z Cross traffic Cross traffic Cross traffic Through traffic n

659 views • 26 slides
GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS

GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS

GR-INSPECTOR A SIGNAL ANALYSIS TOOLBOX FOR GNU RADIO MOTIVATION OF AUTOMATED SIGNAL ANALYSIS Spectrum Monitoring Explore real-world signals Easy access for beginners Live demodulation Batch processing of signals TASKS OF RECEIVING UNKNOWN

626 views • 16 slides
Detection of DNS Traffic Anomalies in Large Networks Milan ermk, Pavel eleda, Jan Vykopal

Detection of DNS Traffic Anomalies in Large Networks Milan ermk, Pavel eleda, Jan Vykopal

Detection of DNS Traffic Anomalies in Large Networks Milan ermk, Pavel eleda, Jan Vykopal {cermak|celeda|vykopal}@ics.muni.cz 20th Eunice Open European Summer School and Conference 2014 1-5 September 2014, Rennes, France Part I

897 views • 36 slides
Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis Roger Dingledine The

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis Roger Dingledine The

Putting the P back in VPN: An Overlay Network to Resist Traffic Analysis Roger Dingledine The Free Haven Project http://freehaven.net/tor/ July 29, Black Hat 2004 Talk Outline Motivation: Why anonymous communication? Personal privacy

788 views • 57 slides
BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet

BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection Guofei Gu 1,2 , Roberto Perdisci 3 , Junjie Zhang 1 , and Wenke Lee 1 1 Georgia Tech 3 Damballa, Inc. 2 Texas A&M University 2008-7-31

549 views • 22 slides

More recommend