Anomaly Detection and Mitigation at Internet Scale: A Survey

  • Jessica Steinberger
  • Lisa Schehlmann
  • Sebastian Abt
  • Harald Baier
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7943)


Network-based attacks pose a strong threat to the Internet landscape. There are different possibilities to encounter these threats. On the one hand attack detection operated at the end-users’ side, on the other hand attack detection implemented at network operators’ infrastructures. An obvious benefit of the second approach is that it counteracts a network-based attack at its root. It is currently unclear to which extent countermeasures are set up at Internet scale and which anomaly detection and mitigation approaches of the community may be adopted by ISPs. We present results of a survey, which aims at gaining insight in industry processes, structures and capabilities of IT companies and the computer networks they run. One result with respect to attack detection is that flow-based detection mechanisms are valuable, because those mechanisms could easily adapt to existing infrastructures. Due to the lack of standardized exchange formats, mitigation across network borders is currently uncommon.


Anomaly Detection Anomaly Mitigation Internet Service Provider Network Security NetFlow Correlation 


  1. 1.
    Abt, S., Baier, H.: Towards efficient and privacy-preserving network-based botnet detection using netflow data. In: Proceedings of 9th International Network Conference, INC 2012, Port Elizabeth, South Africa (July 2012)Google Scholar
  2. 2.
    Maryam, F., Alireza, S., Sureswaran, R.: A Survey of Botnet and Botnet Detection. In: Proceedings of the 2009 Third International Conference on Emerging Security Information, Systems and Technologies, SECURWARE 2009, Washington DC, USA (2009)Google Scholar
  3. 3.
    Jing, L., Yang, X., Kaveh, G., Hongmei, D., Jingyuan, Z.: Botnet: classification, attacks, detection, tracing, and preventive measures. EURASIP Journal on Wireless Communications and Networking (February 2009)Google Scholar
  4. 4.
    Karen, S., Peter, M.: SP 800-94. Guide to Intrusion Detection and Prevention Systems (IDPS). Technical report, National Institute of Standards & Technology, Gaithersburg, MD, United States (February 2007)Google Scholar
  5. 5.
    van Eeten, M., Bauer, J.M., Asghari, H., Tabatabaie, S., Rand, D.: The Role of Internet Service Providers in Botnet Mitigation: An Empirical Analysis Based on Spam Data. In: The Tenth Workshop on the Economics of Information Security, WEIS 2010 (2010)Google Scholar
  6. 6.
    Prez, M.G., Mrmol, F.G., Prez, G.M., Gmez-Skarmeta, A.F.: RepCIDN: A Reputation-based Collaborative Intrusion Detection Network to Lessen the Impact of Malicious Alarms. Journal of Network and Systems Management 21(1) (March 2013)Google Scholar
  7. 7.
    Cisco Systems, Inc.: Netflow services solutions guide (January 2007),
  8. 8.
    François, J., Wang, S., State, R., Engel, T.: BotTrack: tracking botnets using NetFlow and PageRank. In: Domingo-Pascual, J., Manzoni, P., Palazzo, S., Pont, A., Scoglio, C. (eds.) NETWORKING 2011, Part I. LNCS, vol. 6640, pp. 1–14. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  9. 9.
    Bilge, L., Balzarotti, D., Robertson, W., Kirda, E., Kruegel, C.: DISCLOSURE: Detecting Botnet Command and Control Servers Through Large-Scale NetFlow Analysis. In: Proceedings of the Annual Computer Security Applications Conference, ACSAC 2012, Orlando, FL USA (December 2012)Google Scholar
  10. 10.
    Bundesamt für Sicherheit in der Informationstechnik: IT Infrastructure Library (ITIL) und Informationssicherheit (2005),
  11. 11.
    International Organization for Standardization: Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2012), 2012 edn. (January 14, 2013)Google Scholar
  12. 12.
    Anstee, D., Bussiere, D., Sockrider, G., Morales, C.: Worldwide Infrastructure Security Report. Technical Report VII, Arbor Networks Inc. (January 2012),
  13. 13.
    Boschi, E., Mark, L., Quittek, J., Stiemerling, M., Aitken, P.: IP Flow Information Export (IPFIX) Implementation Guidelines. RFC 5153 (Informational) (April 2008),
  14. 14.
    Phaal, P., Lavine, M.: sFlow Version 5 (July 2004),
  15. 15.
    ENISA - European Network and Information Security Agency: Cert cooperation and its further facilitation by relevant stakeholders. Technical report, ENISA (December 2006),
  16. 16.
    Molina, M., Paredes-Oliva, I., Routly, W., Barlet-Ros, P.: Operational experiences with anomaly detection in backbone networks. Computers & Security 31(3), 273–285 (2012)CrossRefGoogle Scholar

Copyright information

© IFIP International Federation for Information Processing 2013

Authors and Affiliations

  • Jessica Steinberger
    • 1
  • Lisa Schehlmann
    • 1
  • Sebastian Abt
    • 1
  • Harald Baier
    • 1
  1. 1.da/sec - Biometrics and Internet Security Research GroupHochschule DarmstadtDarmstadtGermany

Personalised recommendations