Abstract
Before discussing the actual detection and prevention of network traffic anomalies, we must introduce fundamental concepts on networks, network traffic, and traffic measurement. Therefore, this chapter comprises two parts. The first part discusses components of networks, topologies, and layered architectures, followed by the protocols used, metrics to quantify network performance, and ideas in network traffic management. It also introduces how we represent normal and attack traffic. The second part of this chapter discusses network anomalies, causes of anomalies, and sources of anomalies, followed by a taxonomy of network attacks, a note on precursors to network anomalies, and other aspects of network traffic anomalies.
Notes
2. A demilitarized zone (DMZ) is a network segment located between a secure local network and insecure external networks (the Internet). A DMZ usually contains servers that provide services to users on the external network, such as Web, mail, and DNS servers. These servers must be hardened systems. Two firewalls are typically installed to form the DMZ.
Copyright information
© 2017 Springer International Publishing AG
About this chapter
Cite this chapter
Bhuyan, M.H., Bhattacharyya, D.K., Kalita, J.K. (2017). Networks and Network Traffic Anomalies. In: Network Traffic Anomaly Detection and Prevention. Computer Communications and Networks. Springer, Cham. https://doi.org/10.1007/978-3-319-65188-0_2
DOI: https://doi.org/10.1007/978-3-319-65188-0_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-65186-6
Online ISBN: 978-3-319-65188-0
eBook Packages: Computer Science, Computer Science (R0)