Affiliation:
1. National University of Sciences & Technology (NUST), Islamabad, Pakistan
Abstract
Real-time Anomaly Detection Systems (ADSs) use packet sampling to realize traffic analysis at wire speeds. While recent studies have shown that a considerable loss of anomaly detection accuracy is incurred due to sampling, solutions to mitigate this loss are largely unexplored. In this paper, we propose a Progressive Security-Aware Packet Sampling (PSAS) algorithm which enables a real-time inline anomaly detector to achieve higher accuracy by sampling larger volumes of malicious traffic than random sampling, while adhering to a given sampling budget. High malicious sampling rates are achieved by deploying inline ADSs progressively on a packet's path. Each ADS encodes a binary score (malicious or benign) of a sampled packet into the packet before forwarding it to the next hop node. The next hop node then samples packets marked as malicious with a higher probability. We analytically prove that under certain realistic conditions, irrespective of the intrusion detection algorithm used to formulate the packet score, PSAS always provides higher malicious packet sampling rates. To empirically evaluate the proposed PSAS algorithm, we simultaneously collect an Internet traffic dataset containing DoS and portscan attacks at three different deployment points in our university's network. Experimental results using four existing anomaly detectors show that PSAS, while having no extra communication overhead and extremely low complexity, allows these detectors to achieve significantly higher accuracies than those operating on random packet samples.
Publisher
Association for Computing Machinery (ACM)
Subject
Computer Networks and Communications,Software
Reference35 articles.
1. Mining anomalies using traffic feature distributions
2. Cisco Anomaly Guard Module Homepage www.cisco.com/en/US/products/ps6235/. Cisco Anomaly Guard Module Homepage www.cisco.com/en/US/products/ps6235/.
3. Arbor Networks Peakflow-X Homepage http://www.arbornetworks.com/en/peakflow-x.html. Arbor Networks Peakflow-X Homepage http://www.arbornetworks.com/en/peakflow-x.html.
4. Endace NinjaBox Homepage http://www.endace.com/ninjabox.html. Endace NinjaBox Homepage http://www.endace.com/ninjabox.html.
Cited by
15 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. BOTA: Explainable IoT Malware Detection in Large Networks;IEEE Internet of Things Journal;2023-05-15
2. Intrusion Detection System for SDN-enabled IoT Networks using Machine Learning Techniques;2021 IEEE 25th International Enterprise Distributed Object Computing Workshop (EDOCW);2021-10
3. Unified smart home resource access along with authentication using Blockchain technology;Global Transitions Proceedings;2021-06
4. Hierarchical Clustering Based Network Traffic Data Reduction for Improving Suspicious Flow Detection;2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE);2018-08
5. Noff: A Novel Extendible Parallel Library for High-Performance Network Traffic Monitoring;2017 24th Asia-Pacific Software Engineering Conference (APSEC);2017-12