Title
On mitigating sampling-induced accuracy loss in traffic anomaly detection systems
Abstract
Real-time Anomaly Detection Systems (ADSs) use packet sampling to realize traffic analysis at wire speeds. While recent studies have shown that a considerable loss of anomaly detection accuracy is incurred due to sampling, solutions to mitigate this loss are largely unexplored. In this paper, we propose a Progressive Security-Aware Packet Sampling (PSAS) algorithm which enables a real-time inline anomaly detector to achieve higher accuracy by sampling larger volumes of malicious traffic than random sampling, while adhering to a given sampling budget. High malicious sampling rates are achieved by deploying inline ADSs progressively on a packet's path. Each ADS encodes a binary score (malicious or benign) of a sampled packet into the packet before forwarding it to the next hop node. The next hop node then samples packets marked as malicious with a higher probability. We analytically prove that under certain realistic conditions, irrespective of the intrusion detection algorithm used to formulate the packet score, PSAS always provides higher malicious packet sampling rates. To empirically evaluate the proposed PSAS algorithm, we simultaneously collect an Internet traffic dataset containing DoS and portscan attacks at three different deployment points in our university's network. Experimental results using four existing anomaly detectors show that PSAS, while having no extra communication overhead and extremely low complexity, allows these detectors to achieve significantly higher accuracies than those operating on random packet samples.
Year
2010
DOI
10.1145/1823844.1823846
Venue
Computer Communication Review
Keywords
anomaly detection, packet score, random packet sample, denial-of-service dos, samples packet, next hop node, high malicious sampling rate, higher malicious packet, traffic anomaly detection system, sampling-induced accuracy loss, packet sampling, portscan, sampling budget, random sampling, use packet, higher accuracy, internet traffic, real time, intrusion detection, denial of service
Field
Anomaly detection, Traffic analysis, Computer security, Computer science, Network packet, Computer network, Sampling (statistics), Detector, Intrusion detection system, Internet traffic, Binary number
DocType
Journal
Volume
40
Issue
3
ISSN
0146-4833
Citations
13
PageRank
0.68
References
20
Authors (7)
Name               Order  Citations  PageRank
Sardar Ali         1      23         2.38
Irfan Ul Haq       2      148        11.88
Sajjad Rizvi       3      68         6.11
Naurin Rasheed     4      13         0.68
Unum Sarfraz       5      86         3.42
Syed Ali Khayam    6      450        33.86
Fauzan Mirza       7      85         5.32