A Hierarchical Framework for Classifying and Assessing Internet Traffic Anomalies
Authors
Abstract
We present ALARM (HierarchicAL AppRoach for AnoMaly Detection), a hierarchical approach for correlation and prioritization of alerts in distributed networks. The goal is to monitor, classify, correlate and assess a large number of alerts generated at spatially distributed sites on the Internet. The alerts correspond to anomalies and hence potential unknown threats. To facilitate our analysis, we hierarchically decompose the network. At each node of the hierarchy, we use multi-criteria decision making (MCDM), specifically the Electre Tri method, to assign a risk index to each anomaly to assess the threat level of an attack. To the best of our knowledge, this is the first application of MCDM methods to aggregate, correlate and prioritize alerts in distributed networks. The framework of MCDM is well-suited to the growing complexities encountered in alert aggregation and correlation. Each anomaly receives a different risk index for each attack profile that one may want to monitor, such as worms or denials of service. These risk indices are then spatially and time-correlated. We demonstrate our framework using historical worm and distributed denial of service (DDoS) data from the Abilene Internet2 Backbone Network.
Index Terms: network monitoring, network-level security and protection, performance monitors, anomaly detection, multi-criteria decision making
Similar references
Traffic Scene Analysis using Hierarchical Sparse Topical Coding
Analyzing motion patterns in traffic videos can be exploited directly to generate high-level descriptions of the video contents. Such descriptions may further be employed in different traffic applications such as traffic phase detection and abnormal event detection. One of the most recent and successful unsupervised methods for complex traffic scene analysis is based on topic models. In this pa...
Classifying Rules by In-out Traffic Direction to Avoid Security Policy Anomaly
The continuous growth of attacks on the Internet causes a number of rules to be generated in security devices such as Intrusion Prevention Systems, firewalls, etc. Policy anomalies in security devices create security holes and prevent the system from determining quickly whether to allow or deny a packet. Policy anomalies exist among the rules in multiple security devices as well as in a single securit...
Graption: Graph-based P2P Traffic Classification at the Internet Backbone
Monitoring network traffic and classifying applications are essential functions for network administrators. Current traffic classification methods can be grouped in three categories: (a) flow-based (e.g., packet sizing/timing features), (b) payload-based, and (c) host-based. Methods from all three categories have limitations, especially when it comes to detecting new applications, and c...
Anomaly Detections in Internet Traffic Using Empirical Measures
We introduce an Internet traffic anomaly detection mechanism based on large deviations results for empirical measures. Using past traffic traces we characterize network traffic during various time-of-day intervals, assuming that it is anomaly-free. Throughout, we compare the two approaches, presenting their advantages and disadvantages to identify and classify temporal network anomalies...
Contributions on detection and classification of internet traffic anomalies
The aim of this thesis is to develop a tool able to detect, classify and identify traffic anomalies. Such occurrences are disturbing since they have the potential to deviate network operations from their normal behaviour. Network Anomaly Detection Algorithm (NADA) is the approach developed. The use of NADA and its accuracy are guaranteed by considering three axes of action: mult...