A study on detecting network anomalies using sampled flow statistics

Ryoichi Kawahara, Tatsuya Mori, Noriaki Kamiyama, Shigeaki Harada, Shoichiro Asano

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

14 Citations (Scopus)

Abstract

We investigate how to detect network anomalies using flow statistics obtained through packet sampling. First, we show that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become difficult to detect when we execute packet sampling. This is because such flows are less likely to be sampled than normal flows. As a solution to this problem, we then show that spatially partitioning the monitored traffic into groups and analyzing the traffic of individual groups can increase the detectability of such anomalies. We also show the effectiveness of the partitioning method using network measurement data.

Original language: English
Title of host publication: SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W
DOIs: https://doi.org/10.1109/SAINT-W.2007.17
Publication status: Published - 2007
Externally published: Yes
Event: 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W - Hiroshima
Duration: 2007 Jan 15 → 2007 Jan 19

Other

Other: 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W
City: Hiroshima
Period: 07/1/15 → 07/1/19

Fingerprint

Statistics
Sampling

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Computer Science Applications
  • Software

Cite this

Kawahara, R., Mori, T., Kamiyama, N., Harada, S., & Asano, S. (2007). A study on detecting network anomalies using sampled flow statistics. In SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W [4090152] https://doi.org/10.1109/SAINT-W.2007.17

@inproceedings{9ea6f311d60447dfa485128a797d0868,
title = "A study on detecting network anomalies using sampled flow statistics",
abstract = "We investigate how to detect network anomalies using flow statistics obtained through packet sampling. First, we show that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become difficult to detect when we execute packet sampling. This is because such flows are more unlikely to be sampled than normal flows. As a solution to this problem, we then show that spatially partitioning the monitored traffic into groups and analyzing the traffic of individual groups can increase the detectability of such anomalies: We also show the effectiveness of the partitioning method using network measurement data.",
author = "Ryoichi Kawahara and Tatsuya Mori and Noriaki Kamiyama and Shigeaki Harada and Shoichiro Asano",
year = "2007",
doi = "10.1109/SAINT-W.2007.17",
language = "English",
isbn = "0769527574",
booktitle = "SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W",

}

TY - GEN

T1 - A study on detecting network anomalies using sampled flow statistics

AU - Kawahara, Ryoichi

AU - Mori, Tatsuya

AU - Kamiyama, Noriaki

AU - Harada, Shigeaki

AU - Asano, Shoichiro

PY - 2007

Y1 - 2007

N2 - We investigate how to detect network anomalies using flow statistics obtained through packet sampling. First, we show that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become difficult to detect when we execute packet sampling. This is because such flows are more unlikely to be sampled than normal flows. As a solution to this problem, we then show that spatially partitioning the monitored traffic into groups and analyzing the traffic of individual groups can increase the detectability of such anomalies: We also show the effectiveness of the partitioning method using network measurement data.

AB - We investigate how to detect network anomalies using flow statistics obtained through packet sampling. First, we show that network anomalies generating a huge number of small flows, such as network scans or SYN flooding, become difficult to detect when we execute packet sampling. This is because such flows are more unlikely to be sampled than normal flows. As a solution to this problem, we then show that spatially partitioning the monitored traffic into groups and analyzing the traffic of individual groups can increase the detectability of such anomalies: We also show the effectiveness of the partitioning method using network measurement data.

UR - http://www.scopus.com/inward/record.url?scp=46349085574&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=46349085574&partnerID=8YFLogxK

U2 - 10.1109/SAINT-W.2007.17

DO - 10.1109/SAINT-W.2007.17

M3 - Conference contribution

SN - 0769527574

SN - 9780769527574

BT - SAINT - 2007 International Symposium on Applications and the Internet - Workshops, SAINT-W

ER -