On Mitigating Sampling-Induced Accuracy Loss in Traffic Anomaly Detection Systems

Sardar Ali, Irfan Ul Haq, Sajjad Rizvi, Naurin Rasheed, Unum Sarfraz, Syed Ali Khayam, and Fauzan Mirza
ACM SIGCOMM Computer Communication Review (CCR)
Volume 40, Issue 3, July 2010, ACM New York, NY, USA.

Abstract: Real-time Anomaly Detection Systems (ADSs) use packet sampling to realize traffic analysis at wire speeds. While recent studies have shown that a considerable loss of anomaly detection accuracy is incurred due to sampling, solutions to mitigate this loss are largely unexplored. In this paper, we propose a Progressive Security-Aware Packet Sampling (PSAS) algorithm which enables a real-time inline anomaly detector to achieve higher accuracy by sampling larger volumes of malicious traffic than random sampling, while adhering to a given sampling budget. High malicious sampling rates are achieved by deploying inline ADSs progressively on a packet’s path. Each ADS encodes a binary score (malicious or benign) of a sampled packet into the packet before forwarding it to the next hop node. The next hop node then samples packets marked as malicious with a higher probability. We analytically prove that under certain realistic conditions, irrespective of the intrusion detection algorithm used to formulate the packet score, PSAS always provides higher malicious packet sampling rates.

To empirically evaluate the proposed PSAS algorithm, we simultaneously collect an Internet traffic dataset containing DoS and portscan attacks at three different deployment points in our university’s network. Experimental results using four existing anomaly detectors show that PSAS, while having no extra communication overhead and extremely low complexity, allows these detectors to achieve significantly higher accuracies than those operating on random packet samples.

PDF CODE DATASET

BibTex:
@article{ali2010mitigating,
  title={On mitigating sampling-induced accuracy loss in traffic anomaly detection systems},
  author={Ali, Sardar and Haq, Irfan Ul and Rizvi, Sajjad and Rasheed, Naurin and Sarfraz, Unum and Khayam, Syed Ali and Mirza, Fauzan},
  journal={ACM SIGCOMM Computer Communication Review},
  volume={40},
  number={3},
  pages={4–16},
  year={2010},
  publisher={ACM}
}
Advertisements

What is the Impact of P2P Traffic on Anomaly Detection?

Irfan Ul Haq, Sardar Ali, Hassan Khan, and Syed Ali Khayam
13th International Symposium on Recent Advances in Intrusion Detection (RAID)
September 15-17, 2010, Ottawa, Canada.

Acceptance Rate = 23.1%

Abstract: Recent studies estimate that peer-to-peer (p2p) traffic comprises 40-70% of today’s Internet traffic. Surprisingly, the impact of p2p traffic on anomaly detection has not been investigated. In this paper, we collect and use a labeled dataset containing diverse network anomalies (portscans, TCP floods, UDP floods, at varying rates) and p2p traffic (encrypted and unencrypted with BitTorrent, Vuze, Flashget, µTorrent, Deluge, BitComet, Halite, eDonkey and Kademlia clients) to empirically quantify the impact of p2p traffic on anomaly detection. Four prominent anomaly detectors (TRW-CB, Rate Limiting, Maximum Entropy  and NETAD) are evaluated on this dataset.

Our results reveal that: 1) p2p traffic results in up to 30% decrease in detection rate and up to 45% increase in false positive rate; 2) due to a partial overlap of traffic behaviors, p2p traffic inadvertently provides an effective evasion cover for high- and low-rate attacks; and 3) training an anomaly detector on p2p traffic, instead of improving accuracy, introduces a significant accuracy degradation for the anomaly detector. Based on these results, we argue that only p2p traffic filtering can provide a pragmatic, yet short-term, solution to this problem. We incorporate two prominent p2p traffic classifiers (OpenDPI and Karagiannis’ Payload Classifier(KPC)) as pre-processors into the anomaly detectors and show that the existing non-proprietary p2p traffic classifiers do not have sufficient accuracies to mitigate the negative impacts of p2p traffic on anomaly detection.

Given the premise that p2p traffic is here to stay, our work demonstrates the need to rethink the classical anomaly detection design philosophy with a focus on performing anomaly detection in the presence of p2p traffic. We make our dataset publicly available for evaluation of future anomaly detectors that are designed to operate with p2p traffic.

PDF SLIDES

BibTex:
@inproceedings{haq2010impact,

  title = {What is the impact of p2p traffic on anomaly detection?},
  author={Haq, Irfan Ul and Ali, Sardar and Khan, Hassan and Khayam, Syed Ali},
  booktitle={Recent Advances in Intrusion Detection},
  pages={1–17},
  year={2010},
  organization={Springer}
}