A Taxonomy of Anomalies in Backbone Network Traffic

Speaker: Johan Mazel

Date: May 13th, 2014

Time: 14:00

Place: room 102, Faculty of Science Bldg. 7, Hongo Campus, The University of Tokyo

Network anomalies threaten the Internet. This has led to a constant effort by the scientific community to design reliable detection methods. However, detection is not enough: network administrators need additional information on the nature of the events that occur. Several works try to classify detected events or to establish a taxonomy of known events, but these works do not overlap in terms of anomaly-type coverage. On the one hand, existing classification methods use a limited set of labels. On the other hand, taxonomies often target a single type of anomaly or, when they have a wider scope, fail to present the full spectrum of what really happens in the wild.
We present a new taxonomy for network anomalies with a wide coverage of existing work. We also provide a set of signatures that assign taxonomy labels to events. We present a preliminary study of 6 years of real network traffic from the MAWI repository based on this taxonomy. We classify previously documented anomalous events and find that: (1) the taxonomy-based analysis provides new insights into previous heuristic rule labeling. For example, some RST events are now classified as network scan responses. The majority of ICMP events are split into network scans and network scan responses. Some previously unknown events now account for a substantial share of all UDP network scans, network scan responses and port scans. (2) The proportion of unknown events decreases from 20% to 10% of all events.
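The abstract's point that the same packet type (an RST or an ICMP message) can be either a probe or the reply to a probe, depending on who sends it to whom, is easiest to see with a direction-aware rule. The Python sketch below is an added illustration written for this page, not the talk's or the paper's signature set: the `Packet` record, the `FANOUT` threshold and the four rules are assumptions chosen to show how fan-out (one source to many hosts), fan-in (many hosts to one destination) and packet type together separate a network scan, the responses to a network scan, a port scan and the residual "unknown" class. The sample events are constructed from documentation address ranges.

```python
"""Toy taxonomy labelling of already-detected traffic events.

Hypothetical signatures written for this page; they are not the paper's
rule set.  Each event is a list of packets that some upstream detector has
flagged as anomalous; the signatures look at fan-out / fan-in and at the
packet type to decide whether the event is a probe or the replies to one.
"""
from dataclasses import dataclass

FANOUT = 10            # assumed threshold for "many" hosts or ports
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACH = 3
ICMP_ECHO_REQUEST = 8


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int          # destination port; for ICMP, the message type
    flags: str = ""     # TCP flags as letters, e.g. "S", "RA"; empty otherwise


def is_probe(p):
    """Packets that start contact: TCP SYN, any UDP datagram, ICMP echo request."""
    if p.proto == "tcp":
        return p.flags == "S"
    if p.proto == "udp":
        return True
    return p.proto == "icmp" and p.dport == ICMP_ECHO_REQUEST


def is_reply(p):
    """Packets that answer a probe: TCP RST (with or without ACK), ICMP echo reply or unreachable."""
    if p.proto == "tcp":
        return "R" in p.flags and "S" not in p.flags
    return p.proto == "icmp" and p.dport in (ICMP_ECHO_REPLY, ICMP_DEST_UNREACH)


def classify(event):
    """Return a taxonomy label for a list of Packet records."""
    if not event:
        return "unknown"
    srcs = {p.src for p in event}
    dsts = {p.dst for p in event}
    dports = {p.dport for p in event}
    probes = sum(is_probe(p) for p in event)
    replies = sum(is_reply(p) for p in event)
    mostly_probes = probes >= 0.9 * len(event)
    mostly_replies = replies >= 0.9 * len(event)

    # one prober, many targets, few services: a horizontal (network) scan
    if len(srcs) == 1 and len(dsts) >= FANOUT and len(dports) <= 3 and mostly_probes:
        return "network scan"
    # many hosts answering one address: the other side of a network scan
    if len(dsts) == 1 and len(srcs) >= FANOUT and mostly_replies:
        return "network scan response"
    # one prober, one target, many services: a vertical (port) scan
    if len(srcs) == 1 and len(dsts) == 1 and len(dports) >= FANOUT and mostly_probes:
        return "port scan"
    return "unknown"


def sample_events():
    """Constructed packets for illustration (RFC 5737 documentation ranges)."""
    syn_sweep = [Packet("10.0.0.1", f"192.0.2.{i}", "tcp", 22, "S") for i in range(1, 21)]
    rst_back = [Packet(f"192.0.2.{i}", "10.0.0.1", "tcp", 40000 + i, "RA") for i in range(1, 21)]
    port_sweep = [Packet("10.0.0.2", "198.51.100.5", "tcp", port, "S") for port in range(1, 26)]
    icmp_unreach = [Packet(f"192.0.2.{i}", "10.0.0.3", "icmp", ICMP_DEST_UNREACH) for i in range(1, 21)]
    chatter = [Packet("10.0.0.4", "198.51.100.9", "tcp", 443, "PA"),
               Packet("198.51.100.9", "10.0.0.4", "tcp", 51000, "PA")]
    return {"syn_sweep": syn_sweep, "rst_back": rst_back, "port_sweep": port_sweep,
            "icmp_unreach": icmp_unreach, "chatter": chatter}


if __name__ == "__main__":
    for name, event in sample_events().items():
        print(f"{name:13s} -> {classify(event)}")
```

The `rst_back` and `icmp_unreach` events carry no SYN or echo-request at all, yet a flag-only heuristic would file them under "RST" or "ICMP"; the fan-in test is what turns them into "network scan response", which is the kind of relabeling the abstract reports. Real signatures would also need time windows, per-flow aggregation and thresholds tuned to the link being monitored.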
