Presentation is loading. Please wait.

Presentation is loading. Please wait.

ASTUTE: Detecting a Different Class of Traffic Anomalies Fernando Silveira 1,2, Christophe Diot 1, Nina Taft 3, Ramesh Govindan 4 1 Technicolor 2 UPMC.

Published byAbraham Cameron Modified over 8 years ago

Similar presentations

Presentation on theme: "ASTUTE: Detecting a Different Class of Traffic Anomalies Fernando Silveira 1,2, Christophe Diot 1, Nina Taft 3, Ramesh Govindan 4 1 Technicolor 2 UPMC."— Presentation transcript:

1 ASTUTE: Detecting a Different Class of Traffic Anomalies Fernando Silveira 1,2, Christophe Diot 1, Nina Taft 3, Ramesh Govindan 4 1 Technicolor 2 UPMC Paris Universitas 3 Intel Labs Berkeley 4 University of Southern California ACM SIGCOMM 2010

2 ASTUTE: Detecting a Different Class of Traffic Anomalies A Short-Timescale Uncorrelated-Traffic Equilibrium Comparing to Kalman Filter and Wavelet Analysis, ASTUTE can find anomalies with different features Kalman & Wavelet can detect:  few large flows ASTUTE can detect:  many small flows

3 2010/11/2 Speaker: Li-Ming Chen 3 Outline Motivation & Goal ASTUTE – An Equilibrium Model ASTUTE-based Anomaly Detection Experimental Methodology Performance Evaluation Conclusion & My Comments

4 2010/11/2 Speaker: Li-Ming Chen 4 Anomaly Detection Traffic anomalies (in large ISPs & enterprise networks) come from:  Malicious activities (e.g., DoS, port scan)  Misconfigurations/failures of network components (e.g., link failure, routing problem)  Legitimate events (e.g., large file transfers, flash crowds) Anomaly detection:  Build a statistical model of normal traffic  An anomaly is defined as deviation from the normal model

5 2010/11/2 Speaker: Li-Ming Chen 5 Motivation: Challenges in Anomaly Detection Anomaly Detection:  Pros: Can detect new anomalies!  Cons: Training takes times Training data is never guaranteed to be clean Periodical (re)training is required False alarm  Can we detect anomalies without having to learn what is normal?

6 2010/11/2 Speaker: Li-Ming Chen 6 Observation Network Traffic show Equilibrium:  When many flows are multiplexed on a non-saturated link, their volume changes over short timescales tend to cancel each other out   making the average change across flows close to ZERO The equilibrium property  Holds if the flows are independent  While, is violated by traffic changes caused by several, potentially small, correlated flows ~ traffic anomalies

7 2010/11/2 Speaker: Li-Ming Chen 7 Goal Propose a new approach to anomaly detection based on ASTUTE  A mathematical model to describe “A Short-Timescale Uncorrelated-Traffic Equilibrium” Advantages:  No training – computationally simple and immune to data- poisoning  Accurately detects a well-defined class of traffic anomalies  Theoretical guarantees on the false positive rates Evaluate the performance against Kalman filter and wavelet analysis

8 2010/11/2 Speaker: Li-Ming Chen 8 Outline Motivation & Goal ASTUTE – An Equilibrium Model ASTUTE-based Anomaly Detection Experimental Methodology Performance Evaluation Conclusion & My Comments

9 2010/11/2 Speaker: Li-Ming Chen 9 Equilibrium Model Flow: a set of packets that share the same values for a given set of traffic features (e.g., 5-tuple) Binning: use time bin to study the evolution of a flow Flow volume: number of packets in the flow during the corresponding bin Measure flow volume on a link for each time bin bin i bin i+1 … time … flow f starts at time bin s f flow f continued for d f bins flow f ’s volume of each time bin can be represented as a vector: x f,i x f,i+1

10 2010/11/2 Speaker: Li-Ming Chen 10 Equilibrium Model: Focus on Volume Changes of Flows bin i bin i+1 … time … flow f ’s volume of each time bin can be represented as a vector: x f,i x f,i+1 F: set of flows that are active in i or i+1 (volume change of f from i to i+1)

11 2010/11/2 Speaker: Li-Ming Chen 11 Consequences of the ASTUTE Model Assumptions:  (A1) Flow independence  (A2) Stationary Theorem 1 (consequences of the ASTUTE) : other Intuition: independent flows cancel each other out

12 2010/11/2 Speaker: Li-Ming Chen 12 Outline Motivation & Goal ASTUTE – An Equilibrium Model ASTUTE-based Anomaly Detection Experimental Methodology Performance Evaluation Conclusion & My Comments

13 2010/11/2 Speaker: Li-Ming Chen 13 ASTUTE-based Anomaly Detection Method Given:  A detection threshold K(p)  A pair of consecutive time bins Measure:  Set of active flows, F  Mean volume change,  Variance of volume changes, Compute AAV (ASTUTE Assessment Value) :  Flag an alarm if:  A toy example : ii+1 No Alarm (copy from author’s slides) 0 +2

14 2010/11/2 Speaker: Li-Ming Chen 14 Note: About Volume Changes Requirement:  Only consider traffic on non-saturated links, and using short-timescale bins Volume change (for F flows that are active at bin i):  Mean:  Standard deviation:

15 2010/11/2 Speaker: Li-Ming Chen 15 Note: About Detection Threshold For large F, has a (1-p) confidence interval given by the central limit theorem  If contains zero, then F satisfies ASTUTE  Otherwise, there is an ASTUTE anomaly at time bin i  smallest value of K(p) is 1-p conf. interval p/2 K(p)K(p)-K(p) 0 (defined as AAV) < 0> 0

16 2010/11/2 Speaker: Li-Ming Chen 16 Note: Situations that ASTUTE is Violated There are 2 possibilities that ASTUTE is violated:  (1) false positive Controlled by false positive rate p In a fraction p of the time bins, ASTUTE may be violated by normal traffic  (2) Flows violate the model’s assumption: independence & stationary Stationary:  Only over the timescale of a typical flow duration  Authors study which bin sizes show stationary behavior Independence:  Many flows increase/decrease their volumes at the same time!

17 2010/11/2 Speaker: Li-Ming Chen 17 Note: Validate Stationary Assumption (A2) Stationary:  Depends on timescale (bin size) In the trace:  Long scales: daily usage bias  Small scales: no bias!  We use short timescales to factor out violations of stationarity

18 2010/11/2 Speaker: Li-Ming Chen 18 Note: Validate “ Gaussianity ” of AAVs Check distribution similarity Study the impact of packet sampling rate

19 2010/11/2 Speaker: Li-Ming Chen 19 Outline Motivation & Goal ASTUTE – An Equilibrium Model ASTUTE-based Anomaly Detection Experimental Methodology  Competitors (or collaborator!?): Kalman & Wavelet  Inspect anomalies from traffic data and identify their root causes  Simulation through anomaly injection Performance Evaluation Conclusion & My Comments

20 2010/11/2 Speaker: Li-Ming Chen 20 Kalman & Wavelet (alternative anomaly detectors for comparison purpose) Kalman: a spatio-temporal detector  Learning spatial and temporal correlations to predict the next values  Its threshold parameter has similar semantics to that of ASTUTE (allowing a direct comparison)  [26] A. Soule, K. Salamatian, and N. Taft, “Combining Filtering and Statistical Methods for Anomaly Detection,” in Proc. IMC, 2005. Wavelet: a frequency-based detector  Decompose signals into low/medium/high frequency bands  The variance of the combined signal (medium & high freq. bands) represents anomalies  [2] P. Barford, J. Kline, D. Plonka, and A.Ron, “A Signal Analysis of Network Traffic Anomalies,” In Proc. IMW, 2002.

21 2010/11/2 Speaker: Li-Ming Chen 21 Kalman & Wavelet (cont ’ d) Targets of these two detectors:  (1) packet volume time series  (2) entropy time series of Src. IP  (3) entropy time series of Dst. IP  (4) entropy time series of Src. Port  (5) entropy time series of Dst. port

22 2010/11/2 Speaker: Li-Ming Chen 22 Dataset Flow traces from 3 different networks (between research institutions) (public Internet  European NRENs) (inside the enterprise network) Flow sampling: 0.1 0.01 NO

23 2010/11/2 Speaker: Li-Ming Chen 23 Manual Classification of Anomalies for Root Cause Analysis Goal:  To perform “root cause” analysis for the anomalies found by ASTUTE, Kalman, and Wavelet   need to know the root cause first Approach:  Use information provided by ASTUTE to help the process of manual classification of anomalies in the traffic trace Steps:  (1) correlated anomalous flows  (2) anomalous flow identification  (3) anomalous flow classification (by hand)

24 2010/11/2 Speaker: Li-Ming Chen 24 Results of Anomalous Flow Classification Take these as the criteria for labeling the anomalies found in the three traces

25 2010/11/2 Speaker: Li-Ming Chen 25 Simulation through Anomaly Injection Benefit:  Simulation helps understand how methods trade-off detection rates for false positives (ROC curves)  ps: for comparing Kalman and ASTUTE only Approach:  For end-host activity: build a set of benchmark anomalies and inject (recreate identified anomalies)  For outages: remove related traffic

26 2010/11/2 Speaker: Li-Ming Chen 26 Outline Motivation & Goal ASTUTE – An Equilibrium Model ASTUTE-based Anomaly Detection Experimental Methodology Performance Evaluation Conclusion & My Comments

27 2010/11/2 Speaker: Li-Ming Chen 27 Number of Anomalies and Anomaly Overlap Small overlap Kalman & Wavelet have more overlap among each other what are these anomalies??

28 2010/11/2 Speaker: Li-Ming Chen 28 Anomaly Types (Internet2) Detection capabilities are different

29 2010/11/2 Speaker: Li-Ming Chen 29 Anomaly Types (GEANT2 & Corporate) Users characteristics in different networks are different

30 2010/11/2 Speaker: Li-Ming Chen 30 Small Detector Overlap (map qualitative properties (types) of the anomalies to their quantitative properties (# flows and packets)) Kalman/Wavelet (few large flow) ASTUTE (several small flow) Less total volume

31 2010/11/2 Speaker: Li-Ming Chen 31 Detection Performance Type 1 Type 2 Type 3

32 2010/11/2 Speaker: Li-Ming Chen 32 Complementarity of ASTUTE & Kalman After combination, the performance is better!

33 2010/11/2 Speaker: Li-Ming Chen 33 Outline Motivation & Goal ASTUTE – An Equilibrium Model ASTUTE-based Anomaly Detection Experimental Methodology Performance Evaluation Conclusion & My Comments

34 2010/11/2 Speaker: Li-Ming Chen 34 Conclusion ASTUTE detects anomalies w/o learning the normal behavior  Computationally simple and immune to data-poisoning  Specializes on strongly correlated flows (several small flow)  Limitation: can not find anomalies involving a few large flows But those are easy to find!  ASTUTE and Kalman complement each other nicely  ASTUTE also provides information that is useful to perform root cause analysis

Download ppt "ASTUTE: Detecting a Different Class of Traffic Anomalies Fernando Silveira 1,2, Christophe Diot 1, Nina Taft 3, Ramesh Govindan 4 1 Technicolor 2 UPMC."

Similar presentations

Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka University of Wisconsin – Madison SIGCOMM IMW, 2001.

Characteristics of Network Traffic Flow Anomalies Paul Barford and David Plonka University of Wisconsin – Madison SIGCOMM IMW, 2001.
URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.

URCA: Pulling out Anomalies by their Root Causes Fernando Silveira and Christophe Diot.
ASSESSING RESPONSIVENESS OF HEALTH MEASUREMENTS. Link validity & reliability testing to purpose of the measure Some examples: In a diagnostic instrument,

ASSESSING RESPONSIVENESS OF HEALTH MEASUREMENTS. Link validity & reliability testing to purpose of the measure Some examples: In a diagnostic instrument,
Evaluating Classifiers

Evaluating Classifiers
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Sensor-Based Abnormal Human-Activity Detection Authors: Jie Yin, Qiang Yang, and Jeffrey Junfeng Pan Presenter: Raghu Rangan.

Sensor-Based Abnormal Human-Activity Detection Authors: Jie Yin, Qiang Yang, and Jeffrey Junfeng Pan Presenter: Raghu Rangan.
A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,

A Fast and Compact Method for Unveiling Significant Patterns in High-Speed Networks Tian Bu 1, Jin Cao 1, Aiyou Chen 1, Patrick P. C. Lee 2 Bell Labs,
Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan.

Detecting DDoS Attacks on ISP Networks Ashwin Bharambe Carnegie Mellon University Joint work with: Aditya Akella, Mike Reiter and Srinivasan Seshan.
Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.

Detectability of Traffic Anomalies in Two Adjacent Networks Augustin Soule, Haakon Ringberg, Fernando Silveira, Jennifer Rexford, Christophe Diot.
TransAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013.

TransAD: A Content Based Anomaly Detector Sharath Hiremagalore Advisor: Dr. Angelos Stavrou October 23, 2013.
A Flexible Model for Resource Management in Virtual Private Networks Presenter: Huang, Rigao Kang, Yuefang.

A Flexible Model for Resource Management in Virtual Private Networks Presenter: Huang, Rigao Kang, Yuefang.
Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.

Nick Duffield, Patrick Haffner, Balachander Krishnamurthy, Haakon Ringberg Rule-Based Anomaly Detection on IP Flows.
Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.

Sensitivity of PCA for Traffic Anomaly Detection Evaluating the robustness of current best practices Haakon Ringberg 1, Augustin Soule 2, Jennifer Rexford.
1 In-Network PCA and Anomaly Detection Ling Huang* XuanLong Nguyen* Minos Garofalakis § Michael Jordan* Anthony Joseph* Nina Taft § *UC Berkeley § Intel.

1 In-Network PCA and Anomaly Detection Ling Huang* XuanLong Nguyen* Minos Garofalakis § Michael Jordan* Anthony Joseph* Nina Taft § *UC Berkeley § Intel.
Report on Intrusion Detection and Data Fusion By Ganesh Godavari.

Report on Intrusion Detection and Data Fusion By Ganesh Godavari.
1 Learning to Detect Objects in Images via a Sparse, Part-Based Representation S. Agarwal, A. Awan and D. Roth IEEE Transactions on Pattern Analysis and.

1 Learning to Detect Objects in Images via a Sparse, Part-Based Representation S. Agarwal, A. Awan and D. Roth IEEE Transactions on Pattern Analysis and.
CS 8751 ML & KDDEvaluating Hypotheses1 Sample error, true error Confidence intervals for observed hypothesis error Estimators Binomial distribution, Normal.

CS 8751 ML & KDDEvaluating Hypotheses1 Sample error, true error Confidence intervals for observed hypothesis error Estimators Binomial distribution, Normal.
Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.

Unsupervised Intrusion Detection Using Clustering Approach Muhammet Kabukçu Sefa Kılıç Ferhat Kutlu Teoman Toraman 1/29.
Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.

Multi-Scale Analysis for Network Traffic Prediction and Anomaly Detection Ling Huang Joint work with Anthony Joseph and Nina Taft January, 2005.
A Nonstationary Poisson View of Internet Traffic T. Karagiannis, M. Molle, M. Faloutsos University of California, Riverside A. Broido University of California,

A Nonstationary Poisson View of Internet Traffic T. Karagiannis, M. Molle, M. Faloutsos University of California, Riverside A. Broido University of California,

Similar presentations

Ads by Google