
Networks and Network Traffic Anomalies

Chapter in: Network Traffic Anomaly Detection and Prevention

Abstract

Before discussing the actual detection and prevention of network traffic anomalies, we must introduce fundamental concepts on networks, network traffic, and traffic measurement. Therefore, this chapter consists of two parts. The first part discusses the components of networks, topologies, and layered architectures, followed by the protocols used, metrics to quantify network performance, and ideas in network traffic management. It also introduces how we represent normal and attack traffic. The second part of this chapter discusses network anomalies, their causes, and their sources, followed by a taxonomy of network attacks, a note on precursors to network anomalies, and other aspects of network traffic anomalies.


Notes

  1. http://www.mcafee.com/us/mcafee-labs.aspx

  2. A demilitarized zone is a network segment located between a secure local network and insecure external networks (Internet). A DMZ usually contains servers that provide services to users on the external network, such as Web, mail, and DNS servers. These servers must be hardened systems. Two firewalls are typically installed to form the DMZ.

  3. http://staff.washington.edu/corey/gulp/

  4. http://www.wireshark.org/

  5. http://nfdump.sourceforge.net/

  6. http://nfsen.sourceforge.net/



Copyright information

© 2017 Springer International Publishing AG

Cite this chapter

Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K. (2017). Networks and Network Traffic Anomalies. In: Network Traffic Anomaly Detection and Prevention. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-65188-0_2

  • DOI: https://doi.org/10.1007/978-3-319-65188-0_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-65186-6

  • Online ISBN: 978-3-319-65188-0
