
Statistical techniques for detecting traffic anomalies through packet header data

Published: 01 June 2008

Abstract

This paper proposes a traffic anomaly detector, operated post mortem and in real time, that passively monitors the packet headers of traffic. Frequent attacks on network infrastructure, using various forms of denial-of-service attack, have created a need for techniques that analyze network traffic efficiently. If such analysis tools were available, it would become possible to detect attacks and anomalies and to act to contain them before they have had time to propagate across the network. We suggest a technique for traffic anomaly detection based on analyzing the correlation of destination IP addresses in outgoing traffic at an egress router. These address correlation data are transformed using a discrete wavelet transform so that anomalies can be detected effectively through statistical analysis. Results from a trace-driven evaluation suggest that the proposed approach can provide an effective means of detecting anomalies close to the source. We also present a multidimensional indicator, using the correlation of port numbers and the number of flows, as a means of detecting anomalies.
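The pipeline the abstract describes (a per-window statistic computed from packet header fields only, a discrete wavelet transform of the resulting time series, and a statistical threshold on the transformed signal) as an added, runnable Python example. This is not the paper's code. The definition of address correlation used here (sum over destinations of the product of packet counts in consecutive windows), the Haar wavelet, the three-level decomposition, the MAD-based threshold of 6 robust standard deviations, and the packet trace built by `make_trace` (80 internal background destinations, a constructed address scan in windows 20-23 and a constructed single-victim flood in windows 40-47) are all assumptions chosen to illustrate the abstract; the paper's exact definitions, normalisation and thresholds may differ.

```python
"""Added example (not the paper's code): egress-side anomaly detection from packet headers.

Per time window, two indicators are derived from destination IP/port fields only:
  * address correlation: sum over destinations of (packets to it this window) x
    (packets to it in the previous window). ASSUMED definition, chosen to match the
    abstract's wording; the paper's normalisation may differ.
  * flow count: number of distinct (dst_ip, dst_port) pairs in the window.
Each series is decomposed with an orthonormal Haar DWT; detail coefficients that are
robust outliers (MAD-based z-score) mark the windows they cover as anomalous.
"""
import math
import random
import statistics
from collections import Counter

LEVELS = 3          # Haar decomposition depth; series length must be divisible by 2**LEVELS
Z_THRESHOLD = 6.0   # assumed detection threshold, in robust standard deviations


def make_trace(seed=7, windows=65):
    """Constructed packet-header trace: (window, dst_ip, dst_port) tuples.
    Background: 200 packets/window spread over 80 internal web/DNS destinations.
    Windows 20-23: constructed scan, 600 packets to random 192.168/16 addresses and ports.
    Windows 40-47: constructed flood, 600 packets/window to one victim (203.0.113.9:80)."""
    rnd = random.Random(seed)
    background = [f"10.0.{i}.{j}" for i in range(4) for j in range(1, 21)]
    pkts = []
    for t in range(windows):
        for _ in range(200):
            pkts.append((t, rnd.choice(background), rnd.choice([80, 443, 53])))
        if 20 <= t <= 23:
            for _ in range(600):
                pkts.append((t, f"192.168.{rnd.randint(0, 255)}.{rnd.randint(1, 254)}",
                             rnd.randint(1024, 65535)))
        if 40 <= t <= 47:
            pkts.extend((t, "203.0.113.9", 80) for _ in range(600))
    return pkts


def header_series(pkts):
    """Return (address_correlation, flow_count) lists; sample i describes window i+1,
    because the correlation of window t needs the counts of window t-1."""
    windows = max(t for t, _, _ in pkts) + 1
    dst_counts = [Counter() for _ in range(windows)]
    flows = [set() for _ in range(windows)]
    for t, ip, port in pkts:
        dst_counts[t][ip] += 1
        flows[t].add((ip, port))
    corr = [sum(n * dst_counts[t - 1][ip] for ip, n in dst_counts[t].items())
            for t in range(1, windows)]
    flow_count = [len(flows[t]) for t in range(1, windows)]
    return corr, flow_count


def haar_dwt(x, levels):
    """Orthonormal Haar DWT: returns (approximation, [detail_level_1, ..., detail_level_L])."""
    approx = [float(v) for v in x]
    details = []
    for _ in range(levels):
        if len(approx) % 2:
            raise ValueError("series length must be divisible by 2**levels")
        pairs = list(zip(approx[0::2], approx[1::2]))
        details.append([(a - b) / math.sqrt(2) for a, b in pairs])
        approx = [(a + b) / math.sqrt(2) for a, b in pairs]
    return approx, details


def outlying_coefficients(details, z):
    """Per level, indices of detail coefficients more than z robust sigmas from that
    level's median. Sigma is one MAD estimate pooled over all levels: the orthonormal
    Haar transform gives white background noise the same variance at every level, so
    pooling is steadier than estimating from the handful of coarse-level coefficients."""
    medians = [statistics.median(c) for c in details]
    deviations = [abs(v - m) for coeffs, m in zip(details, medians) for v in coeffs]
    sigma = 1.4826 * statistics.median(deviations) or 1e-9
    return [[k for k, v in enumerate(coeffs) if abs(v - m) / sigma > z]
            for coeffs, m in zip(details, medians)]


def flagged_windows(series, levels=LEVELS, z=Z_THRESHOLD):
    """Windows covered by an outlying detail coefficient at any level. Level-j
    coefficient k summarises samples k*2**j .. (k+1)*2**j - 1; sample i is window i+1."""
    _, details = haar_dwt(series, levels)
    flagged = set()
    for j, outliers in enumerate(outlying_coefficients(details, z), start=1):
        span = 2 ** j
        for k in outliers:
            flagged.update(range(k * span + 1, (k + 1) * span + 1))
    return flagged


def detect(pkts):
    """Run both indicators over a trace; returns flagged windows per indicator."""
    corr, flow_count = header_series(pkts)
    return {"address_correlation": flagged_windows(corr),
            "flow_count": flagged_windows(flow_count)}


if __name__ == "__main__":
    for name, wins in detect(make_trace()).items():
        print(f"{name}: windows {sorted(wins)}")
```

On the constructed trace the flood appears only in the address-correlation series (the detail coefficients that straddle its start, its end and its whole extent are flagged, so windows 41 to 48 are reported), while the address scan appears only in the flow count (windows 17 to 24), which is the point of the abstract's multidimensional indicator: a single-victim flood and a many-destination scan leave different signatures in the destination field, and neither statistic alone sees both. Two caveats for a real deployment: the Haar levels here require a series length divisible by 2**LEVELS, and the threshold should be estimated from a known-clean baseline rather than from the same series it is applied to, otherwise a long-lived attack shifts the estimate of normal.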



Published In

IEEE/ACM Transactions on Networking, Volume 16, Issue 3
June 2008
249 pages

Publisher

IEEE Press


Author Tags

  1. egress filtering
  2. network attack
  3. packet header
  4. real-time network anomaly detection
  5. statistical analysis of network traffic
  6. time series of address correlation
  7. wavelet-based transform

Qualifiers

  • Article

Cited By

  • (2022) Discover the Hidden Attack Path in Multiple Domain Cyberspace Based on Reinforcement Learning. Scientific Programming, 2022. doi:10.1155/2022/6008447. Online: 1 Jan 2022.
  • (2021) Intrusion Detection Methods in Communication-Based Train Control Systems Based on Relative Entropy and Trust Evaluation. 2021 IEEE International Intelligent Transportation Systems Conference (ITSC), pp. 3939-3944. doi:10.1109/ITSC48978.2021.9564592. Online: 19 Sep 2021.
  • (2021) Denial of service detection using dynamic time warping. International Journal of Network Management, 31(6). doi:10.1002/nem.2159. Online: 2 Nov 2021.
  • (2020) A robust anomaly detection method using a constant false alarm rate approach. Multimedia Tools and Applications, 79(17-18), pp. 12727-12750. doi:10.1007/s11042-020-08653-8. Online: 1 May 2020.
  • (2018) Advance DDOS detection and mitigation technique for securing cloud. International Journal of Computational Science and Engineering, 16(3), pp. 303-310. doi:10.1504/IJCSE.2018.091765. Online: 1 Jan 2018.
  • (2015) Detection of Denial-of-Service Attacks Based on Computer Vision Techniques. IEEE Transactions on Computers, 64(9), pp. 2519-2533. doi:10.1109/TC.2014.2375218. Online: 1 Sep 2015.
  • (2014) A transform domain-based anomaly detection approach to network-wide traffic. Journal of Network and Computer Applications, 40(C), pp. 292-306. doi:10.5555/2773807.2774061. Online: 1 Apr 2014.
  • (2014) Benford's law behavior of Internet traffic. Journal of Network and Computer Applications, 40(C), pp. 194-205. doi:10.5555/2773807.2774041. Online: 1 Apr 2014.
  • (2013) Thwarting DDoS attacks in grid using information divergence. Future Generation Computer Systems, 29(1), pp. 429-441. doi:10.1016/j.future.2011.10.012. Online: 1 Jan 2013.
  • (2011) Witnessing distributed denial-of-service traffic from an attacker's network. Proceedings of the 7th International Conference on Network and Services Management, pp. 241-247. doi:10.5555/2147671.2147710. Online: 24 Oct 2011.
