22 research outputs found

    An Unsupervised Approach to DDoS Attack Detection and Mitigation in Near-Real Time

    We present an approach for Distributed Denial of Service (DDoS) attack detection and mitigation in near-real time. The adaptive unsupervised machine learning methodology is based on volumetric thresholding, Functional Principal Component Analysis, and K-means clustering (with tuning parameters for flexibility), which dissects the dataset into categories of outlier source IP addresses. A probabilistic risk assessment technique is used to assign "threat levels" to potential malicious actors. We use our approach to analyze a synthetic DDoS attack with ground truth, as well as the Network Time Protocol (NTP) amplification attack that occurred during January 2014 at a large mountain-range university. We demonstrate the speed and capabilities of our technique through replay of the NTP attack. We show that we can detect and attenuate the DDoS within two minutes, with significantly reduced volume throughout the six waves of the attack.

    A Signal Processing View on Packet Sampling and Anomaly Detection


    Effects of network trace sampling methods on privacy and utility metrics

    Researchers studying computer networks rely on the availability of traffic trace data collected from live production networks. Those choosing to share trace data with colleagues must first remove or otherwise anonymize sensitive information. This process, called sanitization, represents a tradeoff between the removal of information in the interest of identity protection and the preservation of the data within the trace that is most relevant to researchers. While several metrics exist to quantify this privacy-utility tradeoff, they are often computationally expensive. Computing these metrics on a sample of the trace, rather than the entire input trace, could save precious time and space resources, provided the accuracy of the values does not suffer. In this paper, we examine several simple sampling methods to discover their effects on measurement of the privacy-utility tradeoff when anonymizing network traces prior to their sharing or publication. After sanitizing a small sample trace collected from the Dartmouth College wireless network, we tested the relative accuracy of a variety of previously implemented packet- and flow-sampling methods on a few existing privacy and utility metrics. This analysis led us to conclude that, for our test trace, no single sampling method we examined allowed us to accurately measure the tradeoff, and that some sampling methods can produce grossly inaccurate estimates of those values. We were unable to draw conclusions on the use of packet versus flow sampling in these instances.

    Enabling event-triggered data plane monitoring

    We propose a push-based approach to network monitoring that allows the detection, within the data plane, of traffic aggregates. Notifications from the switch to the controller are sent only when required, avoiding the transmission and processing of unnecessary data. Furthermore, the data plane iteratively refines the responsible IP prefixes, allowing the controller to receive information at a flexible granularity. We implemented our solution, Elastic Trie, in P4 for two different FPGA devices, and evaluated it with packet traces from an ISP backbone. Our approach can spot changes in traffic patterns and detect (with 95% accuracy) either hierarchical heavy hitters with less than 8KB or superspreaders with less than 300KB of memory, respectively. Additionally, it reduces controller-data plane communication overheads by up to two orders of magnitude with respect to state-of-the-art solutions.

    Survey on Traffic of Metro Area Network with Measurement On-Line

    Network traffic measurements can provide essential data for network research and operation. While Internet traffic has been heavily studied for several years, new applications such as P2P have introduced traffic characteristics that are not yet well understood. These traffic metrics are difficult to obtain because of the difficulty of measuring traffic on-line on high-speed links and of identifying new applications that use dynamic ports. In this paper, we present a broad overview of the Internet traffic on an operational OC-48 export link of a carrier's metro area network, obtained through on-line measurement. The traffic shows a clear daily pattern, and we present a full day of traffic data from the data link layer up to the application layer. We find that the characteristics of the traffic have changed greatly from previous measurements, and we explain the reasons behind these changes. Our goal is to provide first-hand traffic data that helps people understand how traffic changes with new applications.

    Detection of malware traffic with NetFlow

    Traffic classification has always been a fundamental aspect of identifying the applications on a network, allowing different actions or services to be applied depending on their type, such as best-effort delivery or discarding the traffic in the case of a malicious application. The con