Two-stage selective sampling for anomaly detection: Analysis and evaluation

Androulidakis, G; Papavassiliou, S

dc.contributor.author	Androulidakis, G	en
dc.contributor.author	Papavassiliou, S	en
dc.date.accessioned	2014-03-01T01:37:30Z
dc.date.available	2014-03-01T01:37:30Z
dc.date.issued	2011	en
dc.identifier.issn	1939-0114	en
dc.identifier.uri	https://dspace.lib.ntua.gr/xmlui/handle/123456789/21530
dc.subject	Anomaly detection	en
dc.subject	Entropy	en
dc.subject	Sampling	en
dc.subject	Traffic measurements	en
dc.subject.other	Analysis and evaluation	en
dc.subject.other	Anomaly detection	en
dc.subject.other	Anomaly detection methods	en
dc.subject.other	Biased approximation	en
dc.subject.other	Essential component	en
dc.subject.other	Internet traffic monitoring	en
dc.subject.other	Malicious traffic	en
dc.subject.other	Network anomaly detection	en
dc.subject.other	Performance evaluation	en
dc.subject.other	Sampled data	en
dc.subject.other	Sampling method	en
dc.subject.other	Selective sampling	en
dc.subject.other	Traffic measurements	en
dc.subject.other	Traffic traces	en
dc.subject.other	Two stage	en
dc.subject.other	Two stage samplings	en
dc.subject.other	University campus	en
dc.subject.other	Entropy	en
dc.subject.other	Trace analysis	en
dc.title	Two-stage selective sampling for anomaly detection: Analysis and evaluation	en
heal.type	journalArticle	en
heal.identifier.primary	10.1002/sec.191	en
heal.identifier.secondary	http://dx.doi.org/10.1002/sec.191	en
heal.language	English	en
heal.publicationDate	2011	en
heal.abstract	Sampling has become an essential component of scalable Internet traffic monitoring and anomaly detection. This paper emphasizes on the analysis and evaluation of the impact of two-stage sampling (TSS) techniques on network anomaly detection. Through the positive exploitation of the fact that sampled traffic is an incomplete and simultaneously biased approximation of the underlying traffic trace, we propose and analyze an enhanced two-stage selective sampling approach, where an intelligent flow-based sampling method that focuses on the selection of small flows that are usually the source of malicious traffic, is adopted. The performance evaluation of the impact of TSS on the anomaly detection process is achieved through the use and application of an entropy-based anomaly detection method on a packet trace with data that has been collected from a real operational university campus network. The corresponding results demonstrate that the proposed approach improves and favors anomaly detection effectiveness, while at the same time reduces the number of sampled data, and in most cases achieves to even outperform the corresponding results of the unsampled case. Copyright © 2010 John Wiley & Sons, Ltd. In this paper the problem of studying and improving network anomaly detection effectiveness and efficiency through the application of two-stage selective sampling is considered. The evaluation of the proposed sampling method is based on a worm propagation scenario using an entropy-based anomaly detection method. Our experiments and results demonstrated that contrary to all other management functions, appropriate and intelligent sampling may facilitate the anomaly detection process and in several cases achieve even better anomaly detection effectiveness than the unsampled case. © 2010 John Wiley & Sons, Ltd.	en
heal.publisher	WILEY-BLACKWELL	en
heal.journalName	Security and Communication Networks	en
dc.identifier.doi	10.1002/sec.191	en
dc.identifier.isi	ISI:000290782500002	en
dc.identifier.volume	4	en
dc.identifier.issue	6	en
dc.identifier.spage	608	en
dc.identifier.epage	621	en