Speaker: Johan Mazel
Date: May 13th, 2014
Place: room 102, Faculty of Science Bldg. 7, Hongo Campus, The University of Tokyo
Network anomalies threaten the Internet. This has led to a constant effort by the scientific community to design reliable detection methods. However, detection is not enough: network administrators need additional information regarding the nature of the events that occur. Several works try to classify detected events or to establish a taxonomy of known events. However, these works are non-overlapping in terms of anomaly type coverage. On the one hand, existing classification methods use a limited set of labels. On the other hand, taxonomies often target a single type of anomaly or, when they have a wider scope, fail to present the full spectrum of what really happens in the wild.
We here present a new taxonomy for network anomalies with a wide coverage of existing work. We also provide a set of signatures that assign taxonomy labels to events. We present a preliminary study of 6 years of real network traffic from the MAWI repository based on this taxonomy. We classify previously documented anomalous events and find that: (1) the taxonomy-based analysis provides new insights regarding the previous heuristic rule labeling. For example, some RST events are now classified as network scan responses. The majority of ICMP events are split into network scans and network scan responses. Some previously unknown events now account for a considerable share of all UDP network scans, network scan responses and port scans. (2) The number of unknown events decreases from 20% to 10% of all events.
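To make the idea of "signatures that assign taxonomy labels to events" concrete, the following is an added illustration, not code from the talk or from the MAWI project. It aggregates constructed flow records per source and per destination and applies assumed heuristic signatures for three of the labels named above (network scan, port scan, network scan response); the thresholds, the flow-record fields and the sample addresses are all assumptions made for this example.

```python
"""Toy taxonomy labeller for network anomaly events.

Signatures (assumed for this example, not the talk's own):
  - network scan:          one source, many destination hosts, one service
  - port scan:             one source, one destination host, many ports
  - network scan response: RST/ACK or ICMP unreachable from many distinct
                           hosts converging on one address (the scanner)
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SrcStats:
    """Per-source aggregate used by the scan signatures."""
    dsts: set = field(default_factory=set)
    dports: set = field(default_factory=set)
    pkts: int = 0


def build_flows():
    """Constructed flow records (not real MAWI traffic); one dict per packet."""
    flows = []
    # 10.0.0.1 sends SYNs to port 22 on 12 hosts, and each host answers RST/ACK.
    for i in range(1, 13):
        flows.append(dict(src="10.0.0.1", dst=f"192.0.2.{i}", proto="tcp", dport=22, flags="S"))
        flows.append(dict(src=f"192.0.2.{i}", dst="10.0.0.1", proto="tcp", dport=40000 + i, flags="RA"))
    # 10.0.0.2 probes 15 ports on a single host.
    for p in range(15):
        flows.append(dict(src="10.0.0.2", dst="192.0.2.50", proto="tcp", dport=1000 + p, flags="S"))
    # 10.0.0.3 is an ordinary client: a few connections to one HTTPS server.
    for _ in range(5):
        flows.append(dict(src="10.0.0.3", dst="192.0.2.60", proto="tcp", dport=443, flags="S"))
    # 10.0.0.4 sends UDP/53 to 11 hosts; each answers ICMP port unreachable (type 3).
    for i in range(1, 12):
        flows.append(dict(src="10.0.0.4", dst=f"198.51.100.{i}", proto="udp", dport=53, flags=""))
        flows.append(dict(src=f"198.51.100.{i}", dst="10.0.0.4", proto="icmp", icmp_type=3, flags=""))
    return flows


def label_sources(flows, min_hosts=10, min_ports=10):
    """Assign a scan label to every source address (assumed thresholds)."""
    by_src = defaultdict(SrcStats)
    for f in flows:
        s = by_src[f["src"]]
        s.dsts.add(f["dst"])
        s.dports.add(f.get("dport"))  # None for ICMP, which has no port
        s.pkts += 1
    labels = {}
    for src, s in by_src.items():
        if len(s.dsts) >= min_hosts and len(s.dports) <= 2:
            labels[src] = "network scan"   # horizontal: many hosts, one service
        elif len(s.dsts) == 1 and len(s.dports) >= min_ports:
            labels[src] = "port scan"      # vertical: one host, many ports
        else:
            labels[src] = "unknown"
    return labels


def label_responses(flows, min_responders=10):
    """Label destinations receiving RST or ICMP-unreachable traffic from many hosts."""
    responders = defaultdict(set)
    for f in flows:
        is_rst = f["proto"] == "tcp" and "R" in f.get("flags", "")
        is_unreach = f["proto"] == "icmp" and f.get("icmp_type") == 3
        if is_rst or is_unreach:
            responders[f["dst"]].add(f["src"])
    return {dst: "network scan response"
            for dst, srcs in responders.items() if len(srcs) >= min_responders}


def classify(flows):
    """Return {("src", addr) | ("dst", addr): label} for all observed events."""
    events = {("src", s): lbl for s, lbl in label_sources(flows).items()}
    events.update({("dst", d): lbl for d, lbl in label_responses(flows).items()})
    return events


def label_counts(flows):
    """Histogram of labels, e.g. to track the share of 'unknown' events."""
    counts = defaultdict(int)
    for lbl in classify(flows).values():
        counts[lbl] += 1
    return dict(counts)


if __name__ == "__main__":
    for key, lbl in sorted(classify(build_flows()).items()):
        if lbl != "unknown":
            print(key, "->", lbl)
    print(label_counts(build_flows()))
```

Note that the RST/ACK and ICMP unreachable packets are labelled as a separate "network scan response" event keyed on the scanner's address as destination, rather than being left as anonymous RST or ICMP events, which mirrors the relabelling described in the abstract. The individual responding hosts remain "unknown" as sources, so the unknown share of a real trace depends on whether events are counted per address, as here, or per aggregated event.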