an evaluation of effect of packet sampling on anomaly
play

An Evaluation of Effect of Packet Sampling on Anomaly Detection - PowerPoint PPT Presentation

Oct 23, 2023 •116 likes •331 views

An Evaluation of Effect of Packet Sampling on Anomaly Detection Method Takuya Motodate April 25, 2010 The 3rd CAIDA-WIDE-CASFI Joint Measurement Workshop @Osaka 1 2010 4 25 Background Anomaly Detection:

  1. “An Evaluation of Effect of Packet Sampling on Anomaly Detection Method” Takuya Motodate April 25, 2010 The 3rd CAIDA-WIDE-CASFI Joint Measurement Workshop @Osaka 1 2010 年 4 月 25 日日曜日

  2. Background • Anomaly Detection: Signature-based,Statistical one • Statistical anomaly detection assumes a full-captured dump. • Traffic of backbone network become broader, so, characteristics of it is grasped with sampled traffic. • We have to use sampled-traffic as input of anomaly detection. What should we do? 2 2010 年 4 月 25 日日曜日

  3. Problem Statement 1. Suitable Packet-Sampling Method is not Known. 2. Suitable Anomaly Detection Method is not Known. Because of inadequate evaluations. 3 2010 年 4 月 25 日日曜日

  4. Purpose • Evaluate an effect to result of anomaly detection methods with various sampling methods and common traffic data. • Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures as a Anomaly Detection Method. • 5 Packet-Sampling Methods. • MAWI Dataset as Traffic Data. 4 2010 年 4 月 25 日日曜日

  5. 1.Divide a traffic into some subtraffics. 2. Estimate α and β of each subtraffic, each timescale. 3. Anomalous subtraffic has deviate α or β. Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  6. (1)Hashing: Key is SrcIPAddr 1.Divide a traffic into some subtraffics. 2. Estimate α and β of each subtraffic, each timescale. 3. Anomalous subtraffic has deviate α or β. Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  7. (1)Hashing: Key is SrcIPAddr (2) Making Histgram, and 20ms 5ms 80ms 1.Divide a traffic into some subtraffics. 2. Estimate α and β of each subtraffic, each timescale. 3. Anomalous subtraffic has deviate α or β. Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  8. 5ms 1.Divide a traffic into some subtraffics. 3. Anomalous subtraffic has deviate α or β. (1)Hashing: Key is SrcIPAddr (2) Making Histgram, and 20ms 5ms 80ms 2. Estimate α and β of each subtraffic, each timescale. 20ms 80ms Estimating Parameters of Gamma Distribution Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  9. 80ms 5ms (3)Detecting anomaly of Gamma Distribution Estimating Parameters 2. Estimate α and β of each subtraffic, each timescale. 20ms 80ms 1.Divide a traffic into some subtraffics. 5ms 20ms (2) Making Histgram, and SrcIPAddr (1)Hashing: Key is 3. Anomalous subtraffic has deviate α or β. Anomalies Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  10. 80ms 5ms (3)Detecting anomaly of Gamma Distribution Estimating Parameters 2. Estimate α and β of each subtraffic, each timescale. 20ms 80ms 1.Divide a traffic into some subtraffics. 5ms 20ms (2) Making Histgram, and SrcIPAddr (1)Hashing: Key is 3. Anomalous subtraffic has deviate α or β. Anomalies Sketch and Non Gaussian Multi-Resolution Statistical Detection Procedures [Dewaele et al. 07] 5 2010 年 4 月 25 日日曜日

  11. Packet-Sampling Methodologies [Claffy et al. 93] Stratified Simple Systematic Random Random Packet-based Packet-based Packet-based Systematic Stratified Random Simple Random Random Time-based Time-based Stratified Time-based Systematic Random Packet-based : A. Systematic Sampling Picking up a packet per N packets B. Strati  ed Random Sampling Time-based : Picking up a packet per M msec C. Simple Random Sampling Packet Bucket: Packet-based: ex. 100 packets Time-based: ex. 1 msec 6 2010 年 4 月 25 日日曜日

  12. Overview of Evaluation Anomaly Result Detection MAWI Traffic Data Compare Anomaly Packet Result Sampling Detection 7 2010 年 4 月 25 日日曜日

  13. Evaluation • I apply this evaluation to MAWI Traffic Data at 4days. - A Wednesday in December from 2004 to 2007, sample-Point B or F. Dec 15, 2004 Dec 14, 2005 Dec 13, 2006 Dec 12, 2007 8 2010 年 4 月 25 日日曜日

  14. Numbers of Detected Hosts with each Sampling-Rate Brief Observation: 1. Detected hosts decreased as sampling-rate decreased. 2. Rapid increase is observed 2004 with time-based sampling. 9 2010 年 4 月 25 日日曜日

  15. Parameter Tuning Target Hosts Target Hosts after Parameter Tuning Trying to make target hosts fixed. 10 2010 年 4 月 25 日日曜日

  16. Numbers of Detected Hosts with each Sampling-Rate after normalization Brief Observation: 1. Different behavior between packet-based and time-based in high sampling-rate 2. Rapid Increase number of Simple-Random in low sampling- rate. 11 2010 年 4 月 25 日日曜日

  17. Undergoing Things • Analysis a reason rapid increase of anomalies with simple-random in low sampling-rate, and difference between result with time-based and packet-based. • Cross-Validation: with Port-based Categorization. • Comparison with another Anomaly Detection Method. 12 2010 年 4 月 25 日日曜日

  18. Summary • Necessary for an evaluation in using anomaly detection with sampled-traffic. • Evaluating a “Sketch and Non Gaussian Multi-Resolution” with 5 sampling methods. • Performance Difference between Time- based and Packet-based sampling, simple- random sampling. 13 2010 年 4 月 25 日日曜日

  19. Fin. Thank you for Listening. 14 2010 年 4 月 25 日日曜日

  20. Distribution of a number of arrival packets 2004/12/15(Wed) 14:00-14:15 1200 Original Packet-based Sampling Time-based Sampling Original 1000 Arrival Packets(pkt) 800 Packet-based 600 Time-based 400 200 0 900 200 300 400 500 600 700 800 0 100 Time(sec) Pakcet-based Systematic : 1/4 pkt/pkt Time-based Systematic: 1/4.4 pkt/pkt 15 2010 年 4 月 25 日日曜日

Recommend

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, zseby@fokus.fhg.de Competence

A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, zseby@fokus.fhg.de Competence

A Case for Packet Sampling A Case for Packet Sampling Tanja Zseby, zseby@fokus.fhg.de Competence Center for Autonomic Networking Technologies Motivation: FloCon FloCon 2005 2005 Motivation: FloCon05 participants: We dont believe in

448 views • 11 slides
Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for

Sampling and Filtering Techniques Sampling and Filtering Techniques for IP Packet Selection for IP Packet Selection draft-ietf ietf- -psamp psamp-sample-tech-00.txt -sample-tech-00.txt draft- Tanja Zseby, FhG FOKUS Maurizio Molina, NEC

600 views • 12 slides
An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar,

An Empirical Evaluation of Entropy- based Traffic Anomaly Detection George Nychis, Vyas Sekar, David Andersen, Hyong Kim, Hui Zhang Carnegie Mellon University Entropy-based Anomaly Detection Goal: detect abnormal behavior scan activity,

447 views • 34 slides
1 Sampling Sampling Question to you: which samples do you select for your Important to take

1 Sampling Sampling Question to you: which samples do you select for your Important to take

Overview Sampling Effect estimation Hardy-Weinberg Equilibrium Linkage Disequilibrium Statistics and analytical issues: Haplotypes SNP and haplotype Linda Broer (l.broer@erasmusmc.nl) Genetic Laboratory Department of

538 views • 11 slides
The Effect of Sampling Effort on the Mean of Range Size Distributions Megan Ruffley Ivn Jimnez

The Effect of Sampling Effort on the Mean of Range Size Distributions Megan Ruffley Ivn Jimnez

The Effect of Sampling Effort on the Mean of Range Size Distributions Megan Ruffley Ivn Jimnez Talk Outline Introduction Working Hypothesis Methods Study System Quantification of Sampling Effort Computer Simulation

779 views • 45 slides
2 Introduction Topics To Cover Review of Sampler Design How is sampling inaccurate

2 Introduction Topics To Cover Review of Sampler Design How is sampling inaccurate

1 The Value of Good Sampling 2 Introduction Topics To Cover Review of Sampler Design How is sampling inaccurate bias / random Detrimental effect to operations Effect on Mass Balancing (example) Combined OSA and Sampler

634 views • 26 slides
Students t -Distribution The t -Distribution, t -Tests, & Measures of Effect Size Sampling

Students t -Distribution The t -Distribution, t -Tests, & Measures of Effect Size Sampling

Students t -Distribution The t -Distribution, t -Tests, & Measures of Effect Size Sampling Distributions Redux Chapter 7 opens with a return to the concept of sampling distributions from chapter 4 Sampling distributions of the

872 views • 83 slides
Evaluation of Anomaly Detection Method based on Pattern Recognition Romain Fontugne The

Evaluation of Anomaly Detection Method based on Pattern Recognition Romain Fontugne The

Evaluation of Anomaly Detection Method based on Pattern Recognition Romain Fontugne The Graduate University for Advanced Studies Yosuke Himura The University of Tokyo Kensuke Fukuda National Institute of Informatics CNRS-Wide

443 views • 18 slides
Packet Radio Networks Packet Radio Networks are multiaccess networks in which not all nodes can

Packet Radio Networks Packet Radio Networks are multiaccess networks in which not all nodes can

Packet Radio Networks Packet Radio Networks are multiaccess networks in which not all nodes can hear the transmission of all other nodes, this feature is characteristic for radio communication We will focus on the effect of partial connectivity

882 views • 28 slides
Evaluating the Effect of Research and Innovation Policy on Small Business Start- ups: An

Evaluating the Effect of Research and Innovation Policy on Small Business Start- ups: An

Evaluating the Effect of Research and Innovation Policy on Small Business Start- ups: An Inflow-Sampling Approach* American Evaluation Association (AEA) Research Conference Anaheim, CA November 2-5, 2011 Reynold V. Galope Andrew Young School

320 views • 17 slides
What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining

DataCamp Anomaly Detection in R ANOMALY DETECTION IN R What is an anomaly? Alastair Rushworth Data Scientist DataCamp Anomaly Detection in R Defining the term anomaly Anomaly: a data point or collection of data points that do not follow the

870 views • 21 slides
The effect of sampling frequency and front-end bandwidth on the DLL code tracking performance Vi

The effect of sampling frequency and front-end bandwidth on the DLL code tracking performance Vi

The effect of sampling frequency and front-end bandwidth on the DLL code tracking performance Vi Vinh T T r ran, Thuan Nguyen, Nagaraj Shivaramaiah, Andrew Dempster Contents GNSS receiver model Local code generator and residual code

500 views • 22 slides
Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator

Introduction to Packet Tracer What is Packet Tracer? Packet Tracer is a protocol simulator developed by Dennis Frezzo and his team at Cisco Systems. Packet Tracer (PT) is a powerful and dynamic tool that displays the various protocols used in

419 views • 17 slides
Evaluation and Bias Removal of Evaluation and Bias Removal of Multi- -Look Effect on Look

Evaluation and Bias Removal of Evaluation and Bias Removal of Multi- -Look Effect on Look

POLINSAR 2009 WORKSHOP POLINSAR 2009 WORKSHOP 26-29 January 2009 ESA-ESRIN, Frascati (ROME), Italy Evaluation and Bias Removal of Evaluation and Bias Removal of Multi- -Look Effect on Look Effect on Multi /A (H/ Entropy/Alpha

351 views • 33 slides
Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier)

Anomaly Detection of Trajectories Junier B. Oliva Anomaly Detection An anomaly (or outlier) in a dataset is an instance that is abnormal or unlikely based on the rest of the dataset If the instances in the dataset are labeled as

760 views • 19 slides
Sampling and Sample Size Rohit Naimpally J-PAL Course Overview 1. What is Evaluation? 2.

Sampling and Sample Size Rohit Naimpally J-PAL Course Overview 1. What is Evaluation? 2.

Sampling and Sample Size Rohit Naimpally J-PAL Course Overview 1. What is Evaluation? 2. Outcomes, Impact, and Indicators 3. Why Randomize and Common Critiques 4. How to Randomize 5. Sampling and Sample Size 6. Threats and Analysis 7.

1.41k views • 127 slides
What is the strengths and weakness of these sampling methods? Sampling Strengths /

What is the strengths and weakness of these sampling methods? Sampling Strengths /

Session 6. Sampling and Sample size Sampling: What are the different sampling methods used? In PIA: Convenience sampling Purposive sampling Random sampling What is the strengths and weakness of these sampling methods? Sampling

219 views • 5 slides
Sampling Distributions Sampling Distribution of the Mean & Hypothesis Testing Sampling

Sampling Distributions Sampling Distribution of the Mean & Hypothesis Testing Sampling

Sampling Distributions Sampling Distribution of the Mean & Hypothesis Testing Sampling Remember sampling? Part 1 of definition Selecting a subset of the population to create a sample Generally random samplingusing

975 views • 55 slides
A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four

A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four

A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four spacetime dimensions, an SU(2) gauge theory with a single multiplet of fermions that transform under SU(2) in the spin 1/2 representation is

820 views • 43 slides
1 Objectives Analysis Overview Investigate effect of packet marking function on its

1 Objectives Analysis Overview Investigate effect of packet marking function on its

On Packet Marking Function of Active Contents Queue Management Mechanism: Should I t Be Linear, Concave, or Convex? Introduction RED (Random Early Detection) Hiroyuki Ohsaki and Research Objectives Masayuki Murata Analysis

60 views • 4 slides
Evaluation of DNA Mixtures Accounting for Sampling Variability Yuk-Ka Chung Dept. of Statistics

Evaluation of DNA Mixtures Accounting for Sampling Variability Yuk-Ka Chung Dept. of Statistics

Evaluation of DNA Mixtures Accounting for Sampling Variability Yuk-Ka Chung Dept. of Statistics and Actuarial Science University of Hong Kong yukchung@hku.hk Joint work: Y. Q. Hu, D. G. Zhu, W. K. Fung 1/26 2/26 Conclusion and future

629 views • 26 slides
Sampling Effect on Performance Prediction of Configurable Systems : A Case Study Juliana Alves

Sampling Effect on Performance Prediction of Configurable Systems : A Case Study Juliana Alves

Sampling Effect on Performance Prediction of Configurable Systems : A Case Study Juliana Alves Pereira, Mathieu Acher, Hugo Martin, Jean-Marc Jezequel 1 Configurable systems Pros Adaptive Lots of options Cons Lots of

491 views • 17 slides
for Development and Evaluation of OSI Field Sampling Methods Khris B. Olsen, Brian D. Milbrath,

for Development and Evaluation of OSI Field Sampling Methods Khris B. Olsen, Brian D. Milbrath,

Measurement of Radioxenon and Argon-37 Released into a Nuclear Explosion Cavity for Development and Evaluation of OSI Field Sampling Methods Khris B. Olsen, Brian D. Milbrath, James C. Hayes, Derek A. Haas, Paul H. Humble, Randy R. Kirkham,

282 views • 16 slides

More recommend