    Inferring the source and destination of the anomalous traffic in networks using spatio-temporal correlation

    Advisors: Leonardo de Souza Mendes, Mario Lemes Proença Junior. Dissertation (master's), Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação.

    Abstract: Anomaly detection systems for computer networks raise alarms to notify the network administrator. These alarms are essential for network management because they are evidence of an abnormality. However, a single anomaly may generate an excessive volume of alarms, making manual inspection unfeasible. This dissertation presents an automated alarm correlation system divided into three layers, which takes the raw (primitive) alarms and presents the network administrator with a global view of the scenario affected by the anomaly. The preprocessing layer compresses the alarms using their spatial and temporal attributes, reducing them to a single alarm per device named DLA (Device Level Alarm). The correlation layer uses the DLAs together with network topology information to infer the anomaly's propagation path, its origin and its destination. The presentation layer visualizes the path and the network elements affected by the anomaly's propagation through the network. The system was applied to several scenarios with real anomalies detected on the State University of Londrina network. It demonstrated its ability to identify the anomalous traffic propagation path automatically, providing useful and accurate information to the network administrator for diagnosing the problem.

    Master's degree. Telecommunications and Telematics. Master in Electrical Engineering.
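    The three layers described in the abstract, as an added example that is not the dissertation's code. The abstract names the idea (spatial/temporal compression of raw alarms into one DLA per device, then path inference from the DLAs and the topology) but not the rules, so the following are assumptions of this example: a fixed correlation window, clustering of DLAs whose time spans lie within that window of each other, origin = earliest DLA, destination = latest DLA, and path = shortest topology route between them. The topology, device names and alarm records are constructed sample data.

```python
"""Alarm compression into DLAs and anomaly propagation-path inference.

Added example, not the dissertation's code. Assumed rules: fixed WINDOW,
DLA clustering by overlapping spans, origin = earliest DLA, destination =
latest DLA, path = shortest topology route between them.
"""
from collections import deque
from dataclasses import dataclass

WINDOW = 300  # seconds; assumed correlation window


@dataclass(frozen=True)
class Alarm:
    device: str  # spatial attribute: device that raised the alarm
    iface: str   # interface on which the anomaly was observed
    ts: int      # temporal attribute: unix timestamp


@dataclass
class DLA:
    """Device Level Alarm: all raw alarms of one device within one time span."""
    device: str
    first_ts: int
    last_ts: int
    count: int
    ifaces: frozenset


def compress(alarms):
    """Preprocessing layer: collapse raw alarms per device into DLAs.
    A new DLA starts when a device has been quiet for longer than WINDOW."""
    dlas, open_dla = [], {}
    for a in sorted(alarms, key=lambda a: a.ts):
        cur = open_dla.get(a.device)
        if cur is not None and a.ts - cur.last_ts <= WINDOW:
            cur.last_ts, cur.count = a.ts, cur.count + 1
            cur.ifaces = cur.ifaces | {a.iface}
        else:
            cur = DLA(a.device, a.ts, a.ts, 1, frozenset({a.iface}))
            open_dla[a.device] = cur
            dlas.append(cur)
    return dlas


def cluster(dlas):
    """Temporal correlation: chain DLAs whose spans lie within WINDOW of each other."""
    groups = []
    for d in sorted(dlas, key=lambda d: d.first_ts):
        if groups and d.first_ts - max(x.last_ts for x in groups[-1]) <= WINDOW:
            groups[-1].append(d)
        else:
            groups.append([d])
    return groups


def shortest_path(topology, src, dst):
    """BFS over an undirected adjacency dict; None if dst is unreachable."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in topology.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def infer_path(group, topology):
    """Correlation layer: origin/destination from DLA timing, path from topology.
    Alarmed devices that are off the inferred route are reported, not dropped."""
    ordered = sorted(group, key=lambda d: d.first_ts)
    origin, dest = ordered[0].device, ordered[-1].device
    path = shortest_path(topology, origin, dest)
    alarmed = {d.device for d in group}
    return {"origin": origin, "destination": dest, "path": path,
            "alarms": sum(d.count for d in group),
            "unexplained": sorted(alarmed - set(path or []))}


def presentation(result):
    """Presentation layer: one-line view of the affected path for the administrator."""
    if result["path"] is None:
        return f"{result['origin']} and {result['destination']} alarmed but are not connected"
    return f"{result['origin']} -> {result['destination']} via {' > '.join(result['path'])}"


def analyze(alarms, topology):
    return [infer_path(g, topology) for g in cluster(compress(alarms))]


# Constructed sample: a small campus topology and 9 raw alarms. One anomaly crosses
# four devices; a later isolated alarm on edge-sw1 falls outside the window.
TOPOLOGY = {"edge-sw1": ["core-r1"], "core-r1": ["edge-sw1", "dist-r2", "dist-r3"],
            "dist-r2": ["core-r1", "srv-sw3"], "dist-r3": ["core-r1"], "srv-sw3": ["dist-r2"]}
RAW_ALARMS = [
    Alarm("edge-sw1", "Gi0/1", 1000), Alarm("edge-sw1", "Gi0/1", 1030),
    Alarm("edge-sw1", "Gi0/2", 1060), Alarm("core-r1", "Gi1/0", 1045),
    Alarm("core-r1", "Gi1/1", 1090), Alarm("dist-r2", "Gi0/0", 1100),
    Alarm("srv-sw3", "Gi0/5", 1150), Alarm("dist-r2", "Gi0/0", 1200),
    Alarm("edge-sw1", "Gi0/1", 5000),
]

if __name__ == "__main__":
    for r in analyze(RAW_ALARMS, TOPOLOGY):
        print(presentation(r), f"({r['alarms']} raw alarms)")
```

    On the sample, nine raw alarms collapse to five DLAs and two clusters: the first is reported as a path edge-sw1 > core-r1 > dist-r2 > srv-sw3 covering eight alarms, the second as a single-device event. The "unexplained" list is the check a practitioner wants: an alarmed device that the shortest route does not visit means the route assumption (or the topology data) is wrong for that incident, and the administrator should see it rather than a clean but misleading path.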

    Three Levels Network Analysis For Anomaly Detection

    Anomaly detection is fundamental to ensuring reliability and security in computer networks. This work proposes an anomaly detection system that monitors the network at three levels. At the first level, data is collected from Simple Network Management Protocol (SNMP) objects and compared with profiles of normal traffic in order to detect behavior changes. The second level of analysis uses a dependency graph that represents the relationships between SNMP objects; it analyzes first-level alerts and confirms the occurrence of anomalies at the device level. At the third level, second-level alerts are grouped according to network topology information, and network administrators are informed about the context in which the anomaly occurred. Tests were performed in a real network environment and good results were obtained.

    IEEE Communications Society, pp. 281-285.
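    The three levels of analysis, as an added example that is not the paper's code. The abstract does not give the profile model, the dependency graph or the grouping rule, so this example assumes: a per-object mean/standard-deviation profile with a z-score threshold (level 1); a small dependency graph over MIB-II counter names (RFC 1213) in which a first-level alert is confirmed only when a related object on the same device also alerted in the same poll (level 2); and grouping of confirmed device alerts by the network segment each device belongs to (level 3). Device names, segment labels, history and poll values are constructed sample data.

```python
"""Three-level SNMP anomaly analysis: profile comparison, dependency-graph
confirmation, topology grouping.

Added example, not the paper's code. Assumed: mean/std profile with z-score
threshold, MIB-II dependency graph used for confirmation, device -> segment
mapping used as topology context.
"""
from statistics import mean, pstdev

Z_THRESHOLD = 3.0  # assumed deviation threshold

# Level-2 dependency graph between MIB-II objects (RFC 1213 names), assumed and
# simplified: interface input bytes feed IP input, which feeds TCP/UDP/ICMP input.
DEPENDS = {
    "ifInOctets": {"ipInReceives"},
    "ipInReceives": {"ifInOctets", "tcpInSegs", "udpInDatagrams", "icmpInMsgs"},
    "tcpInSegs": {"ipInReceives"},
    "udpInDatagrams": {"ipInReceives"},
    "icmpInMsgs": {"ipInReceives"},
}


def build_profile(history):
    """Level 1 baseline: history maps (device, object) -> past per-interval deltas.
    A zero deviation (flat history) is floored to 1.0 so any change is measurable."""
    return {k: (mean(v), pstdev(v) or 1.0) for k, v in history.items()}


def level1(profile, poll):
    """Compare one poll ((device, object) -> value) against the profile; return the
    set of (device, object) whose z-score exceeds Z_THRESHOLD."""
    alerts = set()
    for key, value in poll.items():
        mu, sigma = profile[key]
        if abs(value - mu) / sigma > Z_THRESHOLD:
            alerts.add(key)
    return alerts


def level2(alerts):
    """Confirm device-level anomalies: keep an alerted object only if a neighbour in
    the dependency graph, on the same device, alerted in the same poll."""
    return {(dev, obj) for dev, obj in alerts
            if any((dev, other) in alerts for other in DEPENDS.get(obj, ()))}


def level3(confirmed, segments):
    """Group confirmed alerts by network segment (topology context)."""
    context = {}
    for dev, obj in sorted(confirmed):
        context.setdefault(segments[dev], {}).setdefault(dev, []).append(obj)
    return context


def analyze(history, poll, segments):
    alerts = level1(build_profile(history), poll)
    confirmed = level2(alerts)
    return {"level1": alerts, "level2": confirmed, "level3": level3(confirmed, segments)}


# Constructed sample: six past polls per counter and one current poll. A flood hits
# srv-sw3 and dist-r2 (several related counters jump together); edge-sw1 shows an
# isolated ICMP blip with nothing related out of profile.
HISTORY = {
    ("srv-sw3", "ifInOctets"): [100, 110, 95, 105, 100, 90],
    ("srv-sw3", "ipInReceives"): [80, 85, 78, 82, 80, 75],
    ("srv-sw3", "tcpInSegs"): [60, 62, 58, 61, 60, 59],
    ("srv-sw3", "icmpInMsgs"): [2, 3, 2, 2, 3, 2],
    ("dist-r2", "ifInOctets"): [500, 520, 480, 510, 500, 490],
    ("dist-r2", "ipInReceives"): [400, 410, 390, 405, 400, 395],
    ("dist-r2", "icmpInMsgs"): [5, 6, 5, 5, 6, 5],
    ("edge-sw1", "icmpInMsgs"): [1, 1, 2, 1, 1, 2],
    ("edge-sw1", "ipInReceives"): [30, 32, 29, 31, 30, 28],
}
POLL = {
    ("srv-sw3", "ifInOctets"): 900, ("srv-sw3", "ipInReceives"): 700,
    ("srv-sw3", "tcpInSegs"): 61, ("srv-sw3", "icmpInMsgs"): 40,
    ("dist-r2", "ifInOctets"): 1400, ("dist-r2", "ipInReceives"): 1100,
    ("dist-r2", "icmpInMsgs"): 5,
    ("edge-sw1", "icmpInMsgs"): 9, ("edge-sw1", "ipInReceives"): 31,
}
SEGMENTS = {"srv-sw3": "server-vlan", "dist-r2": "server-vlan", "edge-sw1": "campus-edge"}

if __name__ == "__main__":
    result = analyze(HISTORY, POLL, SEGMENTS)
    print(len(result["level1"]), "first-level alerts,", len(result["level2"]), "confirmed")
    for segment, devices in result["level3"].items():
        print(segment, devices)
```

    On the sample, level 1 raises six alerts, level 2 keeps five (the lone edge-sw1 ICMP alert has no alerting neighbour in the dependency graph and is dropped), and level 3 reports a single affected context, server-vlan, with the per-device counters that deviated. The point of the second level is visible here: a single counter out of profile is weak evidence, whereas correlated deviations across dependent counters on the same device are what justifies a device-level alert.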