Efficient Abnormal Traffic Detection Software Architecture for a Seamless Network

  • Lee, Dong-Cheul (Department of Electronics Computer Engineering, Hanyang University) ;
  • Rhee, Byung-Ho (Department of Electronics Computer Engineering, Hanyang University)
  • Received : 2010.11.10
  • Accepted : 2011.02.05
  • Published : 2011.02.28

Abstract

To provide a seamless network to customers, Internet service providers must promptly detect and control abnormal traffic. One approach is to shorten the traffic information measurement cycle. However, performance degradation is inevitable if traffic measurement servers merely shorten the cycle and measure all traffic. This paper presents a software architecture that can measure traffic more frequently without degrading performance by estimating the level of abnormal traffic. The algorithm in the architecture estimates the values of the interface group objects in the MIB from the IP group objects, thereby reducing the number of measurements and the size of the measured data. We evaluated this architecture on part of an Internet service provider's IP network. When traffic was measured 5 times more often than before, the CPU usage and TPS of the proposed scheme were 7% and 41% lower than those of the original scheme, while the false positive rate and false negative rate were 3.2% and 2.7% respectively.
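As an added illustration (not the paper's own code; the abstract does not publish its estimator), the following Python models the measurement-reduction idea: the ip-group scalar ipInReceives is polled every cycle, and the per-interface ifInUcastPkts counters are re-measured only when the aggregate deviates past a threshold. The proportional estimator, the threshold and all traffic figures are assumptions constructed for the example.

```python
"""Illustrative model of the idea in the abstract: poll the MIB ip-group
aggregate every cycle and re-measure the interfaces group only when that
aggregate looks abnormal, estimating it the rest of the time. Added example,
not the paper's code; the proportional estimator and fixed threshold are
assumptions. ifInUcastPkts and ipInReceives are real MIB-II objects; all
traffic figures below are constructed sample data."""


class EstimatingPoller:
    def __init__(self, threshold=2.0):
        self.threshold = threshold  # aggregate growth factor treated as abnormal
        self.reads = 0              # SNMP objects fetched: proxy for server load
        self.share = []             # per-interface fraction at the last full poll
        self.baseline = None        # ipInReceives delta at the last full poll
        self.refreshes = []         # cycles in which every interface was read

    def full_poll(self, cycle, if_in_ucast_pkts):
        """Fetch one ifInUcastPkts delta per interface and refresh the shares."""
        self.reads += len(if_in_ucast_pkts)
        self.refreshes.append(cycle)
        total = sum(if_in_ucast_pkts) or 1
        self.share = [v / total for v in if_in_ucast_pkts]
        self.baseline = total
        return list(if_in_ucast_pkts)

    def poll(self, cycle, ip_in_receives, if_in_ucast_pkts):
        """One cycle: read the single ip-group scalar, then estimate the interface
        counters from stored shares unless the aggregate grew past the threshold."""
        self.reads += 1
        if self.baseline is None or ip_in_receives >= self.threshold * self.baseline:
            return self.full_poll(cycle, if_in_ucast_pkts)
        return [ip_in_receives * s for s in self.share]


def compare(cycles, threshold=2.0):
    """Measure-everything scheme vs. estimating scheme on the same per-cycle deltas."""
    poller = EstimatingPoller(threshold)
    max_err = 0.0
    for cycle, per_if in enumerate(cycles):
        est = poller.poll(cycle, sum(per_if), per_if)  # the IP layer sees the sum
        max_err = max(max_err, *(abs(e - t) for e, t in zip(est, per_if)))
    return {"full_reads": sum(len(c) for c in cycles), "proposed_reads": poller.reads,
            "refresh_cycles": poller.refreshes, "max_abs_error": max_err}


# Constructed traffic: four interfaces, a steady mix, then interface 2 surges.
SAMPLE_CYCLES = [[100, 200, 300, 400], [110, 220, 330, 440],
                 [120, 200, 300, 380], [90, 210, 300, 400],
                 [100, 200, 1500, 400]]
```

On the sample data the estimating scheme fetches 13 objects instead of 20 and re-measures in the surge cycle, but a surge that leaves the aggregate below the threshold is never re-measured and becomes a false negative, which is the trade-off the abstract's error rates quantify.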
