Combining routing and traffic data for detection of IP forwarding anomalies

Mao

Proceedings of the 2006 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications

et al. 2006

Extensive measurement studies have shown that end-to-end Internet path performance degradation is correlated with routing dynamics. However, the root cause of the correlation between routing dynamics and such performance degradation is poorly understood. In particular, how do routing changes result in degraded end-toend path performance in the first place? How do factors such as topological properties, routing policies, and iBGP configurations affect the extent to which such routing events can cause performance degradation? Answers to these questions are critical for improving network performance.In this paper, we conduct extensive measurement that involves both controlled routing updates through two tier-1 ISPs and active probes of a diverse set of end-to-end paths on the Internet. We find that routing changes contribute to end-to-end packet loss significantly. Specifically, we study failover events in which a link failure leads to a routing change and recovery events in which a link repair causes a routing change. In both cases, it is possible to experience data plane performance degradation in terms of increased long loss burst as well as forwarding loops. Furthermore, we find that common routing policies and iBGP configurations of ISPs can directly affect the end-to-end path performance during routing changes. Our work provides new insights into potential measures that network operators can undertake to enhance network performance.

Section: Related Workmentioning

confidence: 77%

“…Previous studies have shown that end-to-end performance on the Internet is unpredictable [20], and degraded end-toend path performance is correlated with routing dynamics [15,23,6,16,19,1]. Yet the causal relationship between routing changes and degraded data plane performance has not been established.…”

Section: Introductionmentioning

confidence: 99%

A measurement study on the impact of routing events on end-to-end internet path performance

Mao

Proceedings of the 2006 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communications

et al. 2006

“…Most of the early anomaly detection methods [1,3,19,20] have treated anomalies as deviations in the overall traffic volume (number of bytes or packets). These volumebased anomaly detection methods have been successful in isolating large traffic changes (such as bandwidth DDOS), but fail to identify a large class of anomalies that do not cause detectable disruptions in traffic volume.…”

Section: Network Anomaly Detectionmentioning

confidence: 99%

A data mining system for distributed abnormal event detection in backbone networks

Zhou

2013

Security Comm Networks

Detecting distributed abnormal events has become an increasingly significant task for efficient network management and operation. However, it is still challenging to uncover these distributed behaviors in backbone networks because of the voluminous amount of noisy, high-dimensional traffic data. In this paper, we present a novel system for detecting distributed abnormal events in backbone networks. The proposed system emphasizes on detecting distributed correlated abnormal events, which are caused by the same reason. In contrast, existing methods are not able to distinguish correlated abnormal events from the independent abnormal events. In our proposed system, a set of data mining techniques is used for modeling and detecting distributed correlated abnormal events by analyzing the traffic features. Specifically, traffic behavior representation is constructed to define and select traffic features for describing the traffic behaviors of interest, feature clustering is performed to group together similar transformations in each feature, behavioral data mining is employed to discover the most significant patterns in network interactions with respect to typical behavior, and behavior classification is used to expose the behaviors of interest. Experiment results using real traffic data present the effectiveness of our proposed methods for detecting distributed correlated abnormal events in the backbone network.

Proceedings of the 28th Annual ACM Symposium on Applied Computing

“…Plenty of anomalybased solutions provide detection or mitigation of multiple types of attacks relying on complex analysis of the traffic features [3,11,15]. The challenge lies in defining a traffic analysis that is amenable for on-line processing (solutions based on mining tools as [11] are best suited to study rather than detect threats) but accurate enough to properly mitigate attacks (solutions that simply look at the overall traffic volume [1,10,14] provide no insights about what to discard during an attack).…”

Section: Prior Workmentioning

confidence: 99%

Stone

Callau-Zori

Jiménez-Peris

Gulisano

et al. 2013

An effective Distributed Denial of Service (DDoS) defense mechanism must guarantee legitimate users access to an Internet service masking the effects of possible attacks. That is, it must be able to detect threats and discard malicious packets in a online fashion. Given that emerging data streaming technology can enable such mitigation in an effective manner, in this paper we present STONE, a streambased DDoS defense framework, which integrates anomalybased DDoS detection and mitigation with scalable data streaming technology.With STONE, the traffic of potential targets is analyzed via continuous data streaming queries maintaining information used for both attack detection and mitigation. STONE provides minimal degradation of legitimate users traffic during DDoS attacks and it also faces effectively flash crowds. Our preliminary evaluation based on an implemented prototype and conducted with real legitimate and malicious traffic traces shows that STONE is able to provide fast detection and precise mitigation of DDoS attacks leveraging scalable data streaming technology.