DocumentCode :
3391208
Title :
Effect of sampling rate and monitoring granularity on anomaly detectability
Author :
Ishibashi, Keisuke ; Kawahara, Ryoichi ; Tatsuya, Mori ; Kondoh, Tsuyoshi ; Asano, Shoichiro
Author_Institution :
Inf. Sharing Platform Labs., NTT Corp., Musashino
fYear :
2007
fDate :
11-11 May 2007
Firstpage :
25
Lastpage :
30
Abstract :
In this paper, we quantitatively evaluate how sampling decreases the detectability of anomalous traffic. We build equations to calculate the false positive ratio (FPR) and false negative ratio (FNR) for given values of the sampling rate, statistics of normal traffic, and volume of anomalies to be detected. We show that by changing the measurement granularity, we can detect anomalies even with a low sampling rate, and we give the equation to derive the optimal granularity by using the relationship between the mean and variance of aggregated flows. With those equations, we can answer the practical questions that arise in actual network operations: what sampling rate to set in order to find the given volume of anomaly, or, if the sampling is too high for actual operation, what granularity is optimal to find the anomaly for a given lower limit of sampling rate.
Keywords :
Internet; telecommunication security; telecommunication traffic; anomalous traffic; anomaly detectability; false negative ratio; false positive ratio; granularity monitoring; optimal granularity; sampling rate effect; Computer crime; Equations; IP networks; Informatics; Monitoring; Packet switching; Sampling methods; Statistics; Telecommunication traffic; Web and internet services;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
IEEE Global Internet Symposium, 2007
Conference_Location :
Anchorage, AK
Print_ISBN :
978-1-4244-1697-4
Type :
conf
DOI :
10.1109/GI.2007.4301426
Filename :
4301426