ACM Portal
  Subscribe (Full Service)    Register (Limited Service, Free)    Login
  Search:   The ACM Digital Library   The Guide
  
ACM Home Page
Please provide us with feedback. Feedback
Characterization of network-wide anomalies in traffic flows
Full text PdfPdf (126 KB)
Source Internet Measurement Conference archive
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement table of contents
Taormina, Sicily, Italy
SESSION: Detection table of contents
Pages: 201 - 206  
Year of Publication: 2004
ISBN:1-58113-821-0
Authors
Anukool Lakhina  Boston University
Mark Crovella  Boston University
Christiphe Diot  Intel Research, Cambridge, UK
Sponsors
SIGCOMM: ACM Special Interest Group on Data Communication
ACM: Association for Computing Machinery
Publisher
ACM  New York, NY, USA
Bibliometrics
Downloads (6 Weeks): 20,   Downloads (12 Months): 145,   Citation Count: 17
Additional Information:

abstract   references   cited by   index terms   collaborative colleagues  

Tools and Actions: Request Permissions Request Permissions    Review this Article  
DOI Bookmark: Use this link to bookmark this Article: http://doi.acm.org/10.1145/1028788.1028813
What is a DOI?

ABSTRACT

Detecting and understanding anomalies in IP networks is an open and ill-defined problem. Toward this end, we have recently proposed the subspace method for anomaly diagnosis. In this paper we present the first large-scale exploration of the power of the subspace method when applied to flow traffic. An important aspect of this approach is that it fuses information from flow measurements taken throughout a network. We apply the subspace method to three different types of sampled flow traffic in a large academic network: multivariate timeseries of byte counts, packet counts, and IP-flow counts. We show that each traffic type brings into focus a different set of anomalies via the subspace method. We illustrate and classify the set of anomalies detected. We find that almost all of the anomalies detected represent events of interest to network operators. Furthermore, the anomalies span a remarkably wide spectrum of event types, including denial of service attacks (single-source and distributed), flash crowds, port scanning, downstream traffic engineering, high-rate flows, worm propagation, and network outage.


REFERENCES

Note: OCR errors may be found in this Reference List extracted from the full text article. ACM has opted to expose the complete List rather than only correct and linked references.

 
1
Abilene Network Operations Center Weekly Reports. At http://www.abilene.iu.edu/routages.cgi.
2
Sharad Agarwal , Chen-Nee Chuah , Supratik Bhattacharyya , Christophe Diot, The impact of BGP dynamics on intra-domain traffic, Proceedings of the joint international conference on Measurement and modeling of computer systems, June 10-14, 2004, New York, NY, USA
3
Paul Barford , Jeffery Kline , David Plonka , Amos Ron, A signal analysis of network traffic anomalies, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment, November 06-08, 2002, Marseille, France  [doi>10.1145/637201.637210]
 
4
Cisco NetFlow. At www.cisco.com/warp/public/732/Tech/netflow/.
 
5
Deloader Worm Description. At http://www.f-secure.com/v-descs/deloader.shtml.
6
Nick Duffield , Carsten Lund , Mikkel Thorup, Estimating flow distributions from sampled flow statistics, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany  [doi>10.1145/863955.863992]
 
7
R. Dunia and S. J. Qin. Multi-dimensional Fault Diagnosis Using a Subspace Approach. In American Control Conference, 1997.
 
8
Anja Feldmann , Albert Greenberg , Carsten Lund , Nick Reingold , Jennifer Rexford , Fred True, Deriving traffic demands for operational IP networks: methodology and experience, IEEE/ACM Transactions on Networking (TON), v.9 n.3, p.265-280, June 2001  [doi>10.1109/90.929850]
9
Alefiya Hussain , John Heidemann , Christos Papadopoulos, A framework for classifying denial of service attacks, Proceedings of the 2003 conference on Applications, technologies, architectures, and protocols for computer communications, August 25-29, 2003, Karlsruhe, Germany  [doi>10.1145/863955.863968]
10
Jaeyeon Jung , Balachander Krishnamurthy , Michael Rabinovich, Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites, Proceedings of the 11th international conference on World Wide Web, May 07-11, 2002, Honolulu, Hawaii, USA  [doi>10.1145/511446.511485]
 
11
J. E. Jackson. A User's Guide to Principal Components. John Wiley, New York, NY, 1991.
 
12
J. E. Jackson and G. S. Mudholkar. Control Procedures for Residuals Associated with Principal Component Analysis. Technometrics, pages 341--349, 1979.
 
13
Juniper Traffic Sampling. At www.juniper.net/techpubs/software/junos/junos60/swconfig60-policy/html/sampling overview.html.
 
14
M.-S. Kim, H.-J. Kang, S.-C. Hung, S.-H. Chung, and J. W. Hong. A Flow-based Method for Abnormal Network Traffic Detection. In IEEE/IFIP Network Operations and Management Symposium, Seoul, April 2004.
 
15
A. Lakhina, M. Crovella, and C. Diot. Characterization of Network-Wide Anomalies in Traffic Flows. Technical Report BUCS-2004-020, Boston University, 2004.
16
Anukool Lakhina , Mark Crovella , Christophe Diot, Diagnosing network-wide traffic anomalies, Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications, August 30-September 03, 2004, Portland, Oregon, USA
17
Anukool Lakhina , Konstantina Papagiannaki , Mark Crovella , Christophe Diot , Eric D. Kolaczyk , Nina Taft, Structural analysis of network traffic flows, Proceedings of the joint international conference on Measurement and modeling of computer systems, June 10-14, 2004, New York, NY, USA
 
18
A. Markopoulou, G. Iannaccone, S. Bhattacharyya, C.-N. Chuah, and C. Diot. Characterization of Failures in an IP Backbone. In IEEE INFOCOM, Hong Kong, April 2004.
19
Jelena Mirkovic , Peter Reiher, A taxonomy of DDoS attack and DDoS defense mechanisms, ACM SIGCOMM Computer Communication Review, v.34 n.2, April 2004  [doi>10.1145/997150.997156]
 
20
Pathdiag: Network Path Diagnostic Tools. At http://www.psc.edu/ web100/pathdiag/.
 
21
S. Sarvotham, R. Riedi, and R. Baraniuk. Network Traffic Analysis and Modeling at the Connection Level. In Internet Measurement Workshop, San Francisco, November 2001.
 
22
SLAC Internet End-to-end Performance Monitoring (IEPM-BW project). At http://www-iepm.slac.stanford.edu/bw/.
23
Renata Teixeira , Aman Shaikh , Tim Griffin , Jennifer Rexford, Dynamics of hot-potato routing in IP networks, Proceedings of the joint international conference on Measurement and modeling of computer systems, June 10-14, 2004, New York, NY, USA
24
Nicholas Weaver , Vern Paxson , Stuart Staniford , Robert Cunningham, A taxonomy of computer worms, Proceedings of the 2003 ACM workshop on Rapid malcode, October 27-27, 2003, Washington, DC, USA  [doi>10.1145/948187.948190]
25
Vinod Yegneswaran , Paul Barford , Johannes Ullrich, Internet intrusions: global characteristics and prevalence, Proceedings of the 2003 ACM SIGMETRICS international conference on Measurement and modeling of computer systems, June 11-14, 2003, San Diego, CA, USA

CITED BY  17
Anukool Lakhina , Mark Crovella , Christophe Diot, Exploring the subspace method for network-wide anomaly diagnosis, Proceedings of the ACM SIGCOMM workshop on Network troubleshooting: research, theory and operations practice meet malfunctioning reality, September 03-03, 2004, Portland, Oregon, USA
Min Cai , Kai Hwang , Yu-Kwong Kwok , Shanshan Song , Yu Chen, Collaborative Internet Worm Containment, IEEE Security and Privacy, v.3 n.3, p.25-33, May 2005
Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Profiling internet backbone traffic: behavior models and applications, ACM SIGCOMM Computer Communication Review, v.35 n.4, October 2005
Anukool Lakhina , Mark Crovella , Christophe Diot, Mining anomalies using traffic feature distributions, ACM SIGCOMM Computer Communication Review, v.35 n.4, October 2005
Neal Patwari , Alfred O. Hero, III , Adam Pacholski, Manifold learning visualization of network traffic data, Proceeding of the 2005 ACM SIGCOMM workshop on Mining network data, August 26-26, 2005, Philadelphia, Pennsylvania, USA
Matthew Roughan , Yin Zhang, Secure distributed data-mining and its application to large-scale network measurements, ACM SIGCOMM Computer Communication Review, v.36 n.1, January 2006
John Mark Agosta , Carlos Diuk-Wasser , Jaideep Chandrashekar , Carl Livadas, An adaptive anomaly detector for worm detection, Proceedings of the 2nd USENIX workshop on Tackling computer systems problems with machine learning techniques, p.1-6, April 10, 2007, Cambridge, MA
Yin Zhang , Zihui Ge , Albert Greenberg , Matthew Roughan, Network anomography, Proceedings of the Internet Measurement Conference 2005 on Internet Measurement Conference, p.30-30, October 19-21, 2005, Berkeley, CA
Jian Yuan , Kevin Mills, Monitoring the Macroscopic Effect of DDoS Flooding Attacks, IEEE Transactions on Dependable and Secure Computing, v.2 n.4, p.324-335, October 2005
Haakon Ringberg , Augustin Soule , Jennifer Rexford , Christophe Diot, Sensitivity of PCA for traffic anomaly detection, ACM SIGMETRICS Performance Evaluation Review, v.35 n.1, June 2007
DongJin Lee , Nevil Brownlee, Passive measurement of one-way and two-way flow lifetimes, ACM SIGCOMM Computer Communication Review, v.37 n.3, July 2007
Bruno Bogaz Zarpelão , Leonardo De Souza Mendes , Mario Lemes Proença, Jr., Anomaly Detection Aiming Pro-Active Management of Computer Network Based on Digital Signature of Network Segment, Journal of Network and Systems Management, v.15 n.2, p.267-283, June 2007
Harsha V. Madhyastha , Balachander Krishnamurthy, A generic language for application-specific flow sampling, ACM SIGCOMM Computer Communication Review, v.38 n.2, April 2008
Kuai Xu , Zhi-Li Zhang , Supratik Bhattacharyya, Internet traffic behavior profiling for network security monitoring, IEEE/ACM Transactions on Networking (TON), v.16 n.6, p.1241-1252, December 2008
Yu Jin , Esam Sharafuddin , Zhi-Li Zhang, Unveiling core network-wide communication patterns through application traffic activity graph decomposition, Proceedings of the eleventh international joint conference on Measurement and modeling of computer systems, June 15-19, 2009, Seattle, WA, USA
Li Zonglin , Hu Guangmin , Yao Xingmiao , Yang Dan, Detecting distributed network traffic anomaly with network-wide correlation analysis, EURASIP Journal on Advances in Signal Processing, 2009, p.1-11, January 2009
Ioannis Ch. Paschalidis , Georgios Smaragdakis, Spatio-temporal network anomaly detection by assessing deviations of empirical measures, IEEE/ACM Transactions on Networking (TON), v.17 n.3, p.685-697, June 2009

INDEX TERMS

Primary Classification:
  C. Computer Systems Organization
  C.2 COMPUTER-COMMUNICATION NETWORKS
      C.2.3 Network Operations


General Terms:
Measurement, Performance, Security


Keywords:
anomaly detection, network traffic analysis

Collaborative Colleagues:
Anukool Lakhina: colleagues
Mark Crovella: colleagues
Christiphe Diot: colleagues

The ACM Portal is published by the Association for Computing Machinery. Copyright © 2009 ACM, Inc.
Terms of Usage   Privacy Policy   Code of Ethics   Contact Us

Useful downloads: Adobe Acrobat    QuickTime    Windows Media Player    Real Player