Portscan Detection with Sampled NetFlow

Paredes-Oliva, Ignasi; Barlet‐Ros, Pere; Solé-Pareta, Josep

doi:10.1007/978-3-642-01645-5_4

Cited by 21 publications

(17 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In the field of anomaly detection, several works have analyzed the impact of different sampling techniques on the performance of portscan detection [52][53][54]. They also conclude that packet sampling has an important impact on the detection accuracy, increasing both false negative and false positive ratios.…”

Section: Related Workmentioning

confidence: 99%

Analysis of the impact of sampling on NetFlow traffic classification

et al. 2011

Self Cite

View full text Add to dashboard Cite

The traffic classification problem has recently attracted the interest of both network operators and researchers. Several machine learning (ML) methods have been proposed in the literature as a promising solution to this problem. Surprisingly, very few works have studied the traffic classification problem with Sampled NetFlow data. However, Sampled NetFlow is a widely extended monitoring solution among network operators. In this paper we aim to fulfill this gap. First, we analyze the performance of current ML methods with NetFlow by adapting a popular ML-based technique. The results show that, although the adapted method is able to obtain similar accuracy than previous packet-based methods (≈90%), its accuracy degrades drastically in the presence of sampling. In order to reduce this impact, we propose a solution to network operators that is able to operate with Sampled NetFlow data and achieve good accuracy in the presence of sampling.

show abstract

Section: Related Workmentioning

confidence: 99%

Analysis of the impact of sampling on NetFlow traffic classification

et al. 2011

Self Cite

View full text Add to dashboard Cite

show abstract

“…This paper uses a a compressed representation of Netflows similar to Aguri [10] for IP packets. There are other alternatives for a scalable storage and representation of flows data [4], [22], [23]. The authors of [22] introduce a column-oriented technique for storing data which provides a better scalability than common solutions relying on row-based techniques.…”

Section: Related Workmentioning

confidence: 99%

“…The authors of [22] introduce a column-oriented technique for storing data which provides a better scalability than common solutions relying on row-based techniques. Sampling [4], [23] can also highly reduce the volume of data, but setting a proper sampling rate is still a major issue.…”

Section: Related Workmentioning

confidence: 99%

SAFEM: Scalable analysis of flows with entropic measures and SVM

Jérôme

Wagner

State

et al. 2012

2012 IEEE Network Operations and Management Symposium

View full text Add to dashboard Cite

Abstract-This paper describes a new approach for the detection of large-scale anomalies or malicious events in Netflow records. This approach allows Internet operators, to whom botnets and spam are major threats, to detect large-scale distributed attacks. The prototype SAFEM (Scalable Analysis of Flows with Entropic Measures) uses spatial-temporal Netflow record aggregation and applies entropic measures to traffic. The aggregation scheme highly reduces data storage leading to the viability of using such an approach in an Internet Service Provider network.

show abstract

“…RELATED WORK Few previous works have analyzed the impact of sampling on scan detection [8], [11], [10], [12]. In particular, the impact of Packet Sampling on TRW and TAPS was analyzed in [11].…”

Section: Introductionmentioning

confidence: 99%

“…This was a despairing result as routers only implement Packet Sampling. In [12] we presented a preliminary study of the performance of Packet Sampling using the same fraction of packets and showed that under some scenarios it could outperform Flow Sampling. Moreover, in [10], Androulidakis et al show that opportunistic flowbased techniques that target a certain part of the traffic can improve the performance of cyberattack detection algorithms under sampling w.r.t.…”

Section: Introductionmentioning

confidence: 99%

Scan detection under sampling: a new perspective

2013

Self Cite

View full text Add to dashboard Cite

Abstract-Nowadays, due to current high-speed links, applying traffic sampling has become nearly mandatory in order to make Internet traffic monitoring feasible. However, its impact on state-of-the-art algorithms is unclear and has become a topic of foremost importance. Specifically, focusing on the impact of sampling on the detection of scanning cyberattacks, former studies concluded that Flow Sampling was the best technique. In this paper we first evaluate how two well-known algorithms for scan detection perform under sampling and confirm its dramatic impact. Unlike previously reported, we show that Packet Sampling performs better than Flow Sampling under certain scenarios. This is important because routers only support packet-based sampling. The second part of this paper, taking into account the good results for scan detection reported by a sampling technique called Selective Sampling (SES), proposes a new sampling technique, Online Selective Sampling (OSES), that samples the same traffic that SES but uses less resources. Instead of requiring aggregation of packets into flows before sampling, OSES works online on a packet-per-packet basis and, therefore, it does not need to capture all the traffic. We show that OSES is significantly faster and consumes up to ≈40% less memory than SES while keeping the same good performance.

show abstract

Portscan Detection with Sampled NetFlow

Cited by 21 publications

References 8 publications

Analysis of the impact of sampling on NetFlow traffic classification

Analysis of the impact of sampling on NetFlow traffic classification

SAFEM: Scalable analysis of flows with entropic measures and SVM

Scan detection under sampling: a new perspective

Contact Info

Product

Resources

About