Anomaly detection through signal processing

Signal processing techniques have found application in Network Intrusion Detection Systems because of their ability to detect novel intrusions and attacks, which signature-based approaches cannot achieve. It has been shown that network traffic exhibits several relevant statistical properties when analyzed at different levels (e.g. self-similarity, long range dependence, entropy variations, etc.). By profiling the properties of normal network traffic and modeling intrusions or unwanted traffic as anomalies, it is possible to detect the occurrence of such events within a reasonable time, so that reaction and response procedures can be activated. Determining the normal behaviour model, however, is a difficult task due to the presence of different trends in the data, which may be influenced by the time of day, the day of the week and seasonal variations. Approaches based on signal processing and on statistical analysis can be powerful in decomposing the signals related to network traffic, giving the ability to distinguish between trends, noise, and actual anomalous events. Wavelet-based approaches, maximum entropy estimation, principal component analysis techniques, and spectral analysis are examples in this regard which have been investigated in recent years by the research community [35, 36, 37, 38, 39, 40, 41]. Such techniques can be used not only to detect attacks and malicious events, but also to detect other relevant events which must be properly identified and treated to preserve the correct and secure functionality of a network, such as bottlenecks, link failures, flash crowds, etc.

A powerful analysis, synthesis, and detection tool in this field is the wavelet transform. Indeed, the time- and scale-localization abilities of the wavelet transform make it ideally suited to detecting irregular traffic patterns in traffic traces. In [41] Barford et al. applied wavelet analysis and synthesis techniques to evaluate the traffic signal filtered only at certain scales, and used a thresholding technique to detect changes caused by flash crowds, outages, attacks, etc. In [42] the authors showed that network problems affecting dominant Round Trip Times can be detected from the analysis of the energy function of the wavelet coefficients at the corresponding scales. In [44] the authors exploited a property of some network misconfigurations that is reflected by the wavelet coefficient energy function calculated at a specific set of scales, while in [43] spikes in the coefficient energy function were connected to Denial of Service attacks.
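The two ideas above, filtering the traffic signal at selected scales [41] and thresholding the energy function of the wavelet coefficients [43, 44], can be shown end to end on a short series. The following is an added example (not code from the INTERSECTION project or from the cited papers): it builds a constructed one-sample-per-minute volume series with a diurnal trend, Gaussian noise and a synthetic flood burst, computes a dyadic Haar decomposition, takes the energy of the detail coefficients in consecutive 64-minute windows at each scale, and flags windows whose energy exceeds a robust median/MAD threshold. The Haar basis, the window span, the threshold multiplier `k` and the burst parameters are choices made for the example, not values taken from the page.

```python
import math
import random


def make_traffic(n=2048, onset=1500, length=60, seed=7):
    """Constructed 1-sample-per-minute traffic-volume series (not measured data):
    a 24 h diurnal trend plus Gaussian noise, with a synthetic flood burst
    (higher mean and higher variance) injected for `length` minutes at `onset`."""
    rng = random.Random(seed)
    series = []
    for t in range(n):
        base = 1000.0 + 400.0 * math.sin(2 * math.pi * t / 1440)  # diurnal cycle
        x = base + rng.gauss(0, 30)
        if onset <= t < onset + length:
            x += 1500.0 + rng.gauss(0, 200)  # flood: more volume and more burstiness
        series.append(x)
    return series


def haar_details(signal, levels):
    """Dyadic Haar decomposition. Returns {scale j: detail coefficients d_j};
    d_j responds to changes over 2**j samples (orthonormal 1/sqrt(2) scaling)."""
    approx = list(signal)
    details = {}
    for j in range(1, levels + 1):
        pairs = len(approx) // 2
        details[j] = [(approx[2 * i] - approx[2 * i + 1]) / math.sqrt(2)
                      for i in range(pairs)]
        approx = [(approx[2 * i] + approx[2 * i + 1]) / math.sqrt(2)
                  for i in range(pairs)]
    return details


def energy_function(coeffs, window):
    """Energy (sum of squares) of the coefficients in consecutive non-overlapping windows."""
    return [sum(c * c for c in coeffs[i:i + window])
            for i in range(0, len(coeffs) - window + 1, window)]


def robust_threshold(values, k):
    """median + k * (scaled MAD): a few anomalous windows barely move the estimate,
    which is what makes the threshold usable without a clean training set."""
    s = sorted(values)
    n = len(s)
    med = (s[n // 2 - 1] + s[n // 2]) / 2 if n % 2 == 0 else s[n // 2]
    devs = sorted(abs(v - med) for v in values)
    mad = (devs[n // 2 - 1] + devs[n // 2]) / 2 if n % 2 == 0 else devs[n // 2]
    return med + k * 1.4826 * mad


def detect_energy_spikes(signal, levels=3, span=64, k=6.0):
    """Per scale, flag windows (each covering `span` samples) whose detail-coefficient
    energy exceeds the robust threshold. Window w covers samples [span*w, span*(w+1))
    at every scale, so window indices are comparable across scales."""
    details = haar_details(signal, levels)
    flagged = {}
    for j, coeffs in details.items():
        window = span >> j  # coefficients per window at scale 2**j
        energies = energy_function(coeffs, window)
        thr = robust_threshold(energies, k)
        flagged[j] = [w for w, e in enumerate(energies) if e > thr]
    return flagged


def run_demo():
    """Run the detector on the constructed series; the burst at minutes 1500-1559
    falls into 64-minute windows 23 and 24."""
    flagged = detect_energy_spikes(make_traffic())
    for j, windows in flagged.items():
        print(f"scale 2^{j}: anomalous 64-minute windows {windows}")
    return flagged


if __name__ == "__main__":
    run_demo()
```

Two points worth noting from running it: the burst onset falls on an even sample index, so the step itself is invisible to the scale-1 coefficients (dyadic Haar only differences adjacent pairs), yet the window is still flagged because the burst's extra variance shows up at every scale; and the diurnal trend contributes almost nothing to the detail coefficients, which is exactly why wavelet energy separates the slow trend from the short-lived event.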

INTERSECTION partners are currently doing research on wavelet-based and statistical approaches to network traffic anomaly detection [45]. A contribution to the INTERSECTION project will be the study and design of an automated anomaly detection system able to detect anomalous events by analyzing time series representing the traffic volume. The combination of more traditional statistical approaches with wavelet-based and other signal processing techniques into a single, multi-stage system will be investigated. The use of different techniques is expected to improve the reliability of the system in terms of false alarm and missed detection percentages. Moreover, a challenging task will be the construction of appropriate techniques and algorithms that make the signal processing-based system able to adaptively model normal network traffic conditions, independently of the network link monitored and of changes in traffic trends.

The research activity will also focus on the design requirements for building anomaly detection systems capable of working in real time, to improve network resilience.

Finally, part of the effort will be allocated to adding classification capabilities to the detection system, so as to identify and report different kinds of anomalous network events.
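The adaptive statistical stage described above (a baseline that follows the time of day and slow changes in traffic trends, updated sample by sample so it can run in real time) is the kind of model Brutlag proposes in [35]: additive Holt-Winters forecasting with a deviation band. The following is an added example written for this page, not code from the INTERSECTION project or from [35]: an online Holt-Winters detector fed with a constructed 10-minute volume series (daily cycle, slow growth, noise and a short synthetic flood). The initialisation from the first two periods, the choice of smoothing constants, the band multiplier `delta`, and the refinement of not updating the model with alarmed samples are all choices made here, not prescribed by the page or by [35].

```python
import math
import random


class HoltWintersDetector:
    """Online additive Holt-Winters forecaster with a Brutlag-style deviation band.
    State: level a, trend b, one seasonal term c[i] and one deviation estimate d[i]
    per slot i of the period. Each new sample updates the state, so the baseline
    follows slow changes in the traffic trend instead of being fixed once."""

    def __init__(self, period, alpha=0.1, beta=0.01, gamma=0.1, delta=5.0):
        self.period = period
        self.alpha, self.beta, self.gamma, self.delta = alpha, beta, gamma, delta
        self.level = 0.0
        self.trend = 0.0
        self.season = [0.0] * period
        self.dev = [0.0] * period
        self.t = 0            # samples seen so far
        self._first = []      # first period: used to initialise level and seasonal terms
        self._resid = []      # second period: absolute residuals, used to initialise the band

    def update(self, y):
        """Feed one sample; returns (forecast, band, alarm). Alarms are suppressed
        during the first two periods while the model is being initialised."""
        i = self.t % self.period
        warm = self.t < 2 * self.period
        if self.t < self.period:                      # period 1: only collect
            self._first.append(y)
            if self.t == self.period - 1:
                self.level = sum(self._first) / self.period
                self.season = [v - self.level for v in self._first]
            self.t += 1
            return y, 0.0, False
        forecast = self.level + self.trend + self.season[i]
        band = self.delta * self.dev[i]
        resid = y - forecast
        alarm = (not warm) and abs(resid) > band
        if warm:                                      # period 2: pooled deviation estimate
            self._resid.append(abs(resid))
            if self.t == 2 * self.period - 1:
                self.dev = [sum(self._resid) / self.period] * self.period
        # Refinement chosen for this example (not from [35]): an alarmed sample updates the
        # model with its forecast rather than its value, so a flood does not become the new normal.
        x = forecast if alarm else y
        prev_level = self.level
        self.level = self.alpha * (x - self.season[i]) + (1 - self.alpha) * (prev_level + self.trend)
        self.trend = self.beta * (self.level - prev_level) + (1 - self.beta) * self.trend
        self.season[i] = self.gamma * (x - self.level) + (1 - self.gamma) * self.season[i]
        if not warm and not alarm:
            self.dev[i] = self.gamma * abs(resid) + (1 - self.gamma) * self.dev[i]
        self.t += 1
        return forecast, band, alarm


def constructed_series(days=3, period=144, seed=11, flood_at=350, flood_len=6):
    """Constructed 10-minute traffic volumes (not measured data): daily cycle,
    slow growth of 0.2 units per sample, Gaussian noise and a short synthetic flood."""
    rng = random.Random(seed)
    out = []
    for t in range(days * period):
        y = 1000.0 + 400.0 * math.sin(2 * math.pi * t / period) + 0.2 * t + rng.gauss(0, 30)
        if flood_at <= t < flood_at + flood_len:
            y += 800.0
        out.append(y)
    return out


def run_detector(series, period=144):
    """Stream the series through the detector and return the indices that raised an alarm."""
    det = HoltWintersDetector(period)
    alarms = []
    for t, y in enumerate(series):
        forecast, band, alarm = det.update(y)
        if alarm:
            alarms.append(t)
            print(f"t={t}: value {y:.0f} outside forecast {forecast:.0f} +/- {band:.0f}")
    return alarms


if __name__ == "__main__":
    run_detector(constructed_series())
```

The daily cycle and the slow growth are absorbed by the seasonal and level terms, so only the six flood samples are reported; because alarmed samples do not feed the update, the forecast right after the flood is still the normal one and no trailing alarms are produced. In a multi-stage design, a detector of this kind can run alongside the wavelet energy analysis on the same volume series, with the two verdicts combined to lower the false alarm and missed detection rates.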


References

[35] J. Brutlag, “Aberrant behavior detection in time series for network monitoring”, USENIX Fourteenth System Administration Conference LISA XIV, Dec. 2000

[36] V. A. Siris, F. Papagalou, “Application of Anomaly Detection Algorithms for Detecting SYN Flooding Attacks”, IEEE GLOBECOM 2004, Nov. 2004, pp. 2050-2054

[37] R. B. Blazek, H. Kim, B. Rozovskii, A. Tartakovsky, “A Novel Approach to Detection of Denial-of-Service Attacks via Adaptive Sequential and Batch-Sequential Change-Point Detection Methods”, IEEE Workshop Information Assurance and Security, 2001, pp. 220-226

[38] Y. Gu, A. McCallum, D. Towsley, “Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation”, IMC 2005

[39] A. Lakhina, M. Crovella, C. Diot, “Diagnosing Network-Wide Traffic Anomalies”, ACM SIGCOMM 2004

[40] C.-M. Cheng, H. T. Kung, K.-S. Tan, “Use of spectral analysis in defense against DoS attacks”, IEEE GLOBECOM 2002, pp. 2143-2148

[41] P. Barford, J. Kline, D. Plonka, A. Ron, “A signal analysis of network traffic anomalies”, ACM SIGCOMM Internet Measurement Workshop 2002

[42] P. Huang, A. Feldmann, W. Willinger, “A non-intrusive, wavelet-based approach to detecting network performance problems”, ACM SIGCOMM Internet Measurement Workshop, Nov. 2001

[43] L. Li, G. Lee, “DDoS attack detection and wavelets”, IEEE ICCCN’03, Oct. 2003, pp. 421-427

[44] A. Magnaghi, T. Hamada, T. Katsuyama, “A Wavelet-Based Framework for Proactive Detection of Network Misconfigurations”, ACM SIGCOMM’04 Workshops, 2004

[45] A. Dainotti, A. Pescapè, G. Ventre, “Wavelet-based Detection of DoS Attacks”, IEEE GLOBECOM 2006, Nov. 2006, San Francisco (CA, USA)
