Security and Privacy in Communication Networks. 5th International ICST Conference, SecureComm 2009, Athens, Greece, September 14-18, 2009, Revised Selected Papers

Research Article

Automated Classification of Network Traffic Anomalies

  • @INPROCEEDINGS{10.1007/978-3-642-05284-2_6,
      author={Guilherme Fernandes and Philippe Owezarski},
      title={Automated Classification of Network Traffic Anomalies},
      proceedings={Security and Privacy in Communication Networks. 5th International ICST Conference, SecureComm 2009, Athens, Greece, September 14-18, 2009, Revised Selected Papers},
      proceedings_a={SECURECOMM},
      year={2012},
      month={5},
      keywords={},
      doi={10.1007/978-3-642-05284-2_6}
    }

  • Guilherme Fernandes
    Philippe Owezarski
    Year: 2012
    Automated Classification of Network Traffic Anomalies
    SECURECOMM
    Springer
    DOI: 10.1007/978-3-642-05284-2_6
Guilherme Fernandes (1), Philippe Owezarski (1, *)
  • 1: Université de Toulouse
* Contact email: owe@laas.fr

Abstract

Detection and characterization of network traffic anomalies have been a hot topic of research for many years. Although the field is very advanced in the detection of network traffic anomalies, accurate automated classification is still a very challenging and unmet problem. This paper presents a new algorithm for automated classification of network traffic anomalies. The algorithm relies on three steps: (i) after an anomaly has been detected, identify all (or most) related packets or flow records; (ii) use these packets or flow records to derive several distinct metrics directly related to the anomaly; and (iii) classify the anomaly using these metrics in a signature-based approach. We show how this approach can act as a filter that reduces the false positive rate of detection algorithms, while providing network operators with (additional) valuable information about detected anomalies. We validate our algorithm on two different datasets: the METROSEC project database and the MAWI traffic repository.