http://dx.doi.org/10.3745/KIPSTC.2005.12C.1.019

A Real-Time Network Traffic Anomaly Detection Scheme Using NetFlow Data  

Kang Koo-Hong (Seowon University, School of Computer Information and Communication Engineering)
Jang Jong-Soo (Electronics and Telecommunications Research Institute (ETRI), Network Security Group)
Kim Ki-Young (Electronics and Telecommunications Research Institute (ETRI), Network Security Group)
Abstract
Recently, interest in detecting network traffic anomalies has increased sharply, in order to help protect computer networks from unknown attacks. In this paper, we propose a new anomaly detection scheme that applies simple linear regression analysis to the NetFlow data exported from a border router of a campus network, such as bits per second and flows per second. To verify the proposed scheme, we apply it to a real campus network and compare the results with those of the Holt-Winters seasonal algorithm. In particular, we integrate it into RRDtool to detect the anomalies in real time.
Keywords
Intrusion Detection; Anomaly; Security
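As an added illustration of the scheme the abstract describes (not code from the paper or its authors): a sliding-window simple linear regression that forecasts the next NetFlow-derived sample (bits per second here; flows per second is handled the same way) and flags it when it falls more than k residual standard deviations from the fitted trend. The window length, the value of k, the rule of keeping flagged samples out of the baseline, and the constructed input are assumptions; the paper's exact thresholding is not given on this page.

```python
# Added example, not from the paper: sliding-window simple linear regression over
# NetFlow-derived samples (bits/s or flows/s). Window size, the k-sigma rule and
# the constructed data are assumptions made for this illustration.
from math import sqrt
from typing import List, Optional, Tuple

Point = Tuple[int, float]  # (interval index, bits/s or flows/s)

def fit_line(points: List[Point]) -> Tuple[float, float]:
    """Ordinary least squares line through (x, y) points: returns (slope, intercept)."""
    n = len(points)
    x_mean = sum(x for x, _ in points) / n
    y_mean = sum(y for _, y in points) / n
    sxx = sum((x - x_mean) ** 2 for x, _ in points)
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in points)
    slope = sxy / sxx if sxx else 0.0
    return slope, y_mean - slope * x_mean

def check_sample(history: List[Point], t: int, sample: float, k: float = 3.0) -> Optional[bool]:
    """Forecast interval t from the trend of `history`; True if `sample` is more than
    k residual standard deviations off it, None while fewer than 3 points exist."""
    n = len(history)
    if n < 3:
        return None
    slope, intercept = fit_line(history)
    residuals = [y - (slope * x + intercept) for x, y in history]
    sigma = sqrt(sum(r * r for r in residuals) / (n - 2))  # n-2 degrees of freedom
    return abs(sample - (slope * t + intercept)) > k * sigma

def detect(series: List[float], window: int = 12, k: float = 3.0) -> List[int]:
    """Indices of `series` judged anomalous. Flagged samples stay out of the baseline,
    so a burst neither inflates sigma nor masks the samples that follow it."""
    flagged: List[int] = []
    history: List[Point] = []
    for t, y in enumerate(series):
        if check_sample(history, t, y, k):
            flagged.append(t)
            continue
        history.append((t, y))
        if len(history) > window:
            history.pop(0)
    return flagged

def constructed_bps_series() -> List[float]:
    """Constructed input: slowly rising load with small jitter, then a burst at
    indices 18 and 19, as a border router might export at the onset of a flood."""
    jitter = [0.0, 1.0, -1.0, 0.5, -0.5]
    series = [100.0 + 2.0 * i + jitter[i % 5] for i in range(24)]
    series[18] = series[19] = 2000.0
    return series
```

Because the history keeps each sample's interval index, the forecast stays aligned in time after a burst is dropped, which is what prevents the first normal interval after the burst from being misreported.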