What is the best method for detecting Portscans?
Posted by: Greg Paul in Network Management, Weird Science

I came across a very interesting abstract for an IEEE paper published by SprintLabs, called “Impact of Packet Sampling on Portscan Detection”.

Abstract—Packet sampling is commonly deployed in high-speed backbone routers to minimize resources used for network monitoring. It is known that packet sampling distorts traffic statistics and its impact has been extensively studied for traffic engineering metrics such as flow size and mean rate. However, it is unclear how packet sampling impacts anomaly detection, which has become increasingly critical to network providers. This paper is the first attempt to address this question by focusing on one common class of non-volume based anomalies, portscans, which are associated with worm/virus propagation.
Existing portscan detection algorithms fall into two general approaches: target-specific and traffic profiling. We evaluated representative algorithms for each class, namely (a) TRWSYN that performs stateful traffic analysis, (b) TAPS that tracks the connection pattern of scanners, and (c) Entropy-based traffic profiling. We applied these algorithms to detect portscans in both the original and sampled packet traces from a Tier-1 provider’s backbone network. Our results demonstrate that sampling introduces fundamental bias that degrades the effectiveness of these detection algorithms and dramatically increases false positives.
Through both experiments and analysis, we identify the traffic features critical for anomaly detection that are affected by sampling. Finally, using insight gained from this study, we show how portscan algorithms can be enhanced to be more robust to sampling.
One of the interesting questions answered by the paper is stated here:
“The impact of sampling has been extensively studied in terms of well known statistical metrics, e.g., mean rate and flow size distribution, from the perspective of determining the volume characteristics of the traffic as a whole. However, anomaly detection (e.g., worm scan detection) often depends on a diverse set of metrics such as address access pattern, connection status, and distinct per source behaviors. How packet sampling impacts these traffic features has not been previously addressed. This paper presents a first attempt to address this important open question: Does packet sampling distort or lose pertinent information from the original traffic profile that affects the effectiveness of existing anomaly detection techniques? If so, by how much?”
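To see in miniature why the paper finds that sampling inflates false positives for stateful detectors, here is an added example (my own code, not from the post or the paper): a TRW-style sequential hypothesis test, the algorithm family behind TRWSYN, run over a constructed packet trace and then over a systematically sampled 1-in-2 copy of the same trace. The trace, the host addresses and the sampling scheme are constructed for illustration; the hypothesis parameters are the ones used in the original TRW paper by Jung et al.

```python
# A minimal TRW-style detector (the sequential hypothesis test behind TRWSYN),
# run on a full trace and on a 1-in-N sampled copy. Trace and sampling are
# constructed here for illustration; they are not data from the paper.
from collections import defaultdict

# Parameters from the original TRW paper: P(success | benign) = 0.8,
# P(success | scanner) = 0.2, detection probability 0.99, false-positive rate 0.01.
THETA0, THETA1, ALPHA, BETA = 0.8, 0.2, 0.01, 0.99
ETA1 = BETA / ALPHA              # upper threshold: declare "scanner"
ETA0 = (1 - BETA) / (1 - ALPHA)  # lower threshold: declare "benign"

def build_trace():
    """Constructed trace: one client completing 8 handshakes to 8 servers, and
    one scanner probing the same 8 servers on tcp/445 without ever getting a reply.
    Packets are (src, dst, dport, flag)."""
    trace = []
    for i in range(1, 9):
        server = f"192.0.2.{i}"
        trace.append(("10.0.0.1", server, 80, "SYN"))
        trace.append((server, "10.0.0.1", 80, "SYNACK"))
        trace.append(("10.0.0.9", server, 445, "SYN"))
    return trace

def sample(trace, n):
    """Systematic 1-in-n packet sampling, as a backbone router would apply it."""
    return [pkt for idx, pkt in enumerate(trace) if idx % n == 0]

def trw_verdicts(trace):
    """Pair each observed SYN with an observed SYN-ACK, then feed the
    success/failure outcomes per source into the TRW likelihood-ratio test."""
    answered = {(dst, src) for src, dst, _, flag in trace if flag == "SYNACK"}
    ratio, verdict = defaultdict(lambda: 1.0), {}
    for src, dst, _, flag in trace:
        if flag != "SYN" or src in verdict:
            continue
        success = (src, dst) in answered
        ratio[src] *= (THETA1 / THETA0) if success else ((1 - THETA1) / (1 - THETA0))
        if ratio[src] >= ETA1:
            verdict[src] = "scanner"
        elif ratio[src] <= ETA0:
            verdict[src] = "benign"
    return verdict

if __name__ == "__main__":
    full = build_trace()
    for n in (1, 2):
        # With n=2 the client's SYN-ACKs are dropped while its SYNs are kept,
        # so every benign handshake looks like a failed connection attempt.
        print(f"1-in-{n} sampling:", trw_verdicts(sample(full, n)))
```

On the full trace the client is declared benign and the scanner is flagged; on the 1-in-2 sample both are flagged, because the sampler keeps the SYN half of each handshake but drops the matching SYN-ACK.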
