Sketch based Anomaly Detection, Identification and Performance Evaluation

Abstract: An anomaly detection procedure is defined and its statistical performance is carefully quantified. It is based on non-Gaussian modeling of the marginal distributions of random projections (sketches) of traffic aggregated jointly at different levels (multiresolution). To evaluate false negatives vs. false positives in a controlled, reproducible and documented framework, we apply the detection procedure to traffic time series from our self-made anomaly database. This database is obtained by performing DDoS-type attacks, using real-world attack tools, over a real operational network. We also illustrate that combining sketches enables us to identify the target destination IP address and the faulty packets, hence opening the way to attack mitigation.
Cited literature [11 references]

https://hal-ens-lyon.archives-ouvertes.fr/ensl-00175474
Contributor : Pierre Borgnat
Submitted on : Friday, September 28, 2007 - 12:27:49 PM
Last modification on : Tuesday, November 19, 2019 - 2:41:31 AM
Long-term archiving on : Thursday, April 8, 2010 - 10:17:15 PM

File

saint07_abry_SketchAnomalyDete...
Files produced by the author(s)

Identifiers

  • HAL Id : ensl-00175474, version 1

Citation

Patrice Abry, Pierre Borgnat, Guillaume Dewaele. Sketch based Anomaly Detection, Identification and Performance Evaluation. SAINT 2007 International Symposium on Applications and the Internet, Workshop on Internet Measurement Technology and its Applications to Building Next Generation Internet, IEEE-CS and IPSJ, Jan 2007, Hiroshima, Japan. ⟨ensl-00175474⟩
