A Novel Histogram-based Network Anomaly Detection

Christian Callegari, Michele Pagano, Stefano Giordano, Fabrizio Berizzi

Abstract

The ability to capture unknown attacks is an attractive feature of anomaly-based intrusion detection, and it is not surprising that research on this topic represents one of the most promising directions in the field of network security. In this work we consider two different traffic descriptors and evaluate their ability to capture different kinds of anomalies, taking into account three different measures of similarity in order to discriminate between the normal network behaviour and the presence of anomalies. An extensive performance analysis, carried out over the publicly available MAWILab dataset, has highlighted that a proper choice of the traffic descriptor and of the similarity measure can be particularly efficient in the case of unknown attacks, i.e. those attacks that cannot be detected by standard misuse-based systems.


Paper Citation

in Harvard Style

Callegari C., Pagano M., Giordano S. and Berizzi F. (2016). A Novel Histogram-based Network Anomaly Detection. In DCCI, (ICETE 2016), ISBN , pages 0-0. DOI: 10.5220/0006013401030110


in Bibtex Style

@conference{dcci16,
author={Christian Callegari and Michele Pagano and Stefano Giordano and Fabrizio Berizzi},
title={A Novel Histogram-based Network Anomaly Detection},
booktitle={DCCI, (ICETE 2016)},
year={2016},
pages={},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006013401030110},
isbn={},
}


in EndNote Style

TY - CONF
JO - DCCI, (ICETE 2016)
TI - A Novel Histogram-based Network Anomaly Detection
SN -
AU - Callegari C.
AU - Pagano M.
AU - Giordano S.
AU - Berizzi F.
PY - 2016
SP - 0
EP - 0
DO - 10.5220/0006013401030110