Abstract
Traffic anomalies are unusual and significant changes in the behaviour of network traffic. They can be malicious or unintentional. Malicious anomalies are caused by attacks, abusive network usage and worm or virus propagation; unintentional ones are caused by failures, flash crowds or router misconfigurations. In this paper we present an anomaly detection system derived from the anomaly detection scheme of Mei-Ling Shyu et al. [12] and driven by periodic SNMP data collection. We evaluated this system against some common attacks and found that some (Smurf, SYN flood) are detected better than others (scans). We then used the system to detect traffic anomalies in the Tunisian National University Network (TNUN), collecting network traffic traces from the Management Information Base (MIB) of the central firewall of the TNUN. From the detected anomalies we computed the distributions of inter-anomaly times and of anomaly durations. We show that anomalies were prevalent in the TNUN and that most of them lasted less than five minutes.
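The pipeline the abstract describes, as an added illustration that is not code from the paper: periodic SNMP counter polls are turned into per-interval rates, scored with a two-feature instance of the principal component classifier of [12], and the resulting anomaly flags are grouped into episodes from which the inter-anomaly time and anomaly duration distributions follow. The counter readings are constructed, not TNUN traces; the 5-minute interval, the Counter32 wrap handling, the quantile-based thresholds and the one-major/one-minor component split are assumptions of this example (with two features there is exactly one of each; [12] chooses them from the eigenvalue spectrum and also pre-filters outliers from the training set, which this simplified version omits).

```python
"""Periodic SNMP polling -> anomaly flags -> anomaly durations and inter-anomaly times.
Added example, not the paper's code; all counter values below are constructed."""
import math

POLL_INTERVAL_S = 300        # 5-minute polling, as in the paper (assumed)
COUNTER32_MOD = 2 ** 32      # ifInOctets / ifOutOctets are Counter32 objects


def counter_delta(prev, cur, modulus=COUNTER32_MOD):
    """Increment between two Counter32 readings, allowing one wrap.
    Caveat: if more than `modulus` octets pass in one interval (about 114 Mbit/s at
    300 s) the wrap count is ambiguous; poll the 64-bit ifHCInOctets/ifHCOutOctets."""
    return (cur - prev) % modulus


def rates_from_polls(polls, interval=POLL_INTERVAL_S):
    """[(ifInOctets, ifOutOctets), ...] -> [(in_Bps, out_Bps), ...] per interval."""
    return [(counter_delta(pi, ci) / interval, counter_delta(po, co) / interval)
            for (pi, po), (ci, co) in zip(polls, polls[1:])]


class PrincipalComponentClassifier:
    """Two-feature instance of the scheme in [12]: standardise, project onto the
    eigenvectors of the training correlation matrix, score y_k^2 / lambda_k on the
    major (largest eigenvalue) and minor (smallest) component separately, and flag
    a sample when either score exceeds a quantile of the training scores."""

    def __init__(self, quantile=0.99):
        self.quantile = quantile

    def fit(self, samples):
        n = len(samples)
        self.mean = [sum(s[j] for s in samples) / n for j in range(2)]
        self.std = [max(math.sqrt(sum((s[j] - self.mean[j]) ** 2 for s in samples)
                                  / (n - 1)), 1e-9) for j in range(2)]
        z = [self._standardise(s) for s in samples]
        b = sum(x * y for x, y in z) / (n - 1)      # correlation between the two features
        # Correlation matrix [[1, b], [b, 1]]: eigenvalues 1+|b| and 1-|b|, closed form.
        self.lam = [1 + abs(b), max(1 - abs(b), 1e-9)]
        sgn, r = (1.0 if b >= 0 else -1.0), 1 / math.sqrt(2)
        self.vec = ([(sgn * r, r), (-sgn * r, r)] if abs(b) > 1e-12
                    else [(1.0, 0.0), (0.0, 1.0)])
        scores = [self.scores(s) for s in samples]
        self.thr_major = self._quantile([m for m, _ in scores])
        self.thr_minor = self._quantile([mi for _, mi in scores])
        return self

    def _standardise(self, s):
        return [(s[j] - self.mean[j]) / self.std[j] for j in range(2)]

    def _quantile(self, values):
        v = sorted(values)
        return v[min(len(v) - 1, int(self.quantile * (len(v) - 1)))]

    def scores(self, sample):
        z = self._standardise(sample)
        y = [vx * z[0] + vy * z[1] for vx, vy in self.vec]   # principal component scores
        return y[0] ** 2 / self.lam[0], y[1] ** 2 / self.lam[1]

    def is_anomalous(self, sample):
        major, minor = self.scores(sample)
        return major > self.thr_major or minor > self.thr_minor


def episodes(flags):
    """Runs of consecutive flagged polls -> [(start_index, length_in_polls), ...]."""
    out, start = [], None
    for i, f in enumerate(list(flags) + [False]):
        if f and start is None:
            start = i
        elif not f and start is not None:
            out.append((start, i - start))
            start = None
    return out


def durations_and_gaps(flags, interval=POLL_INTERVAL_S):
    """Durations (resolution: one poll interval) and inter-anomaly times measured
    from the end of one episode to the start of the next, both in seconds."""
    eps = episodes(flags)
    durations = [n * interval for _, n in eps]
    gaps = [(s2 - (s1 + n1)) * interval for (s1, n1), (s2, _) in zip(eps, eps[1:])]
    return durations, gaps


def build_polls(planned_rates, interval=POLL_INTERVAL_S, modulus=COUNTER32_MOD):
    """Constructed Counter32 readings that would have produced the planned rates."""
    polls, c_in, c_out = [(0, 0)], 0, 0
    for r_in, r_out in planned_rates:
        c_in, c_out = (c_in + r_in * interval) % modulus, (c_out + r_out * interval) % modulus
        polls.append((c_in, c_out))
    return polls


def demo():
    # Constructed baseline: 48 polls (4 h) of a periodic inbound rate with correlated outbound.
    baseline = []
    for i in range(48):
        r_in = 1_000_000 + round(200_000 * math.cos(2 * math.pi * i / 12))
        baseline.append((r_in, r_in // 2 + 10_000 * ((i * 7) % 5 - 2)))
    # Constructed evaluation window: 24 polls at the baseline mean with three injected
    # episodes (inbound flood, outbound burst, inbound flood with little return traffic).
    test = [(1_000_000, 500_000)] * 24
    for i in (3, 4):
        test[i] = (10_000_000, 5_200_000)
    test[10] = (1_000_000, 6_000_000)
    for i in (17, 18, 19):
        test[i] = (8_000_000, 300_000)
    rates = rates_from_polls(build_polls(baseline + test))
    clf = PrincipalComponentClassifier().fit(rates[:48])
    flags = [clf.is_anomalous(s) for s in rates[48:]]
    durations, gaps = durations_and_gaps(flags)
    return flags, durations, gaps


if __name__ == "__main__":
    flags, durations, gaps = demo()
    print("flags:", "".join("A" if f else "." for f in flags))
    print("durations (min):", [d // 60 for d in durations])
    print("inter-anomaly times (min):", [g // 60 for g in gaps])
```

Because the poll interval bounds the time resolution, a single flagged poll is reported as one full interval; an anomaly shorter than the interval cannot be timed more finely from SNMP counters alone, which is why the five-minute figure in the abstract is tied to the polling period.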
References
Barford, P., Plonka, D.: Characteristics of Network Traffic Flow Anomalies. In: Proceedings of ACM SIGCOMM Internet Measurement Workshop, San Francisco, CA (November 2001)
Brutlag, J.: Aberrant Behaviour Detection in Time Series for Network Monitoring. In: Proceedings of the USENIX Fourteenth System Administration Conference (LISA XIV), New Orleans, LA (December 2000)
Lakhina, A., Crovella, M., Diot, C.: Characterisation of Network-Wide Anomalies in Traffic Flows. In: IMC 2004, Italy (October 2004)
Moore, D., Voelker, G., Savage, S.: Inferring Internet Denial of Service activity. In: Proceedings of the 2001 USENIX Security Symposium, Washington DC (August 2001)
Moore, D., Shannon, C., Brown, J.: Code-Red: a Case Study on the Spread and Victims of an Internet Worm. In: Internet Measurement Workshop, IMW (2002)
Moore, D., Paxson, V., Savage, S., Shannon, C., Staniford, S., Weaver, N.: Inside the Slammer Worm. In: Security and Privacy (July/August 2003)
Denning, D.E.: An Intrusion Detection Model. In: IEEE Transaction on Software Engineering (1987)
Pang, R., Yegneswaran, V., Barford, P., Paxson, V., Peterson, L.: Characteristics of Internet Background Radiation. In: IMC 2004, Italy (October 2004)
LANTRAFFIC, http://www.zti-telecom.com/
Lazarevic, A., Ertöz, L., Kumar, V., Ozgur, A., Srivastava, J.: A Comparative Study of Anomaly Detection Schemes in Network Intrusion Detection. In: Proceedings of the Third SIAM International Conference on Data Mining, San Francisco (2003)
Chhabra, P., John, A., Saran, H.: PISA: Automatic Extraction of Traffic Signatures. In: Fourth International Conference on Networking, Ontario, Canada (May 2005)
Shyu, M.-L., Chen, S.-C., Sarinnapakorn, K., Chang, L.: A Novel Anomaly Detection Scheme Based on Principal Component Classifier. In: Proceedings of the IEEE Foundations and New Directions of Data Mining Workshop, in conjunction with the Third IEEE International Conference on Data Mining (ICDM 2003), Melbourne, Florida, USA, pp. 172–179 (2003)
Staniford, S., Paxson, V., Weaver, N.: How to 0wn the Internet in Your Spare Time. In: Proc. USENIX Security Symposium 2002 (2002)
Yegneswaran, V., Barford, P., Ullrich, J.: Internet Intrusions: Global Characteristics and Prevalence. In: SIGMETRICS 2003, USA (June 2003)
Ipswitch Whatsup CNMS, http://www.ipswitch.com
Kompella, R., Singh, S., Varghese, G.: On Scalable Attack Detection in the Network. In: Internet Measurement Conference 2004, p. 187 (2004)
Copyright information
© 2006 IFIP International Federation for Information Processing
Cite this paper
Ramah, K.H., Ayari, H., Kamoun, F. (2006). Traffic Anomaly Detection and Characterization in the Tunisian National University Network. In: Boavida, F., Plagemann, T., Stiller, B., Westphal, C., Monteiro, E. (eds) NETWORKING 2006. Networking Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless Communications Systems. NETWORKING 2006. Lecture Notes in Computer Science, vol 3976. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11753810_12
DOI: https://doi.org/10.1007/11753810_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-34192-5
Online ISBN: 978-3-540-34193-2