DocumentCode
3391208
Title
Effect of sampling rate and monitoring granularity on anomaly detectability
Author
Ishibashi, Keisuke ; Kawahara, Ryoichi ; Tatsuya, Mori ; Kondoh, Tsuyoshi ; Asano, Shoichiro
Author_Institution
Inf. Sharing Platform Labs., NTT Corp., Musashino
fYear
2007
fDate
11-11 May 2007
Firstpage
25
Lastpage
30
Abstract
In this paper, we quantitatively evaluate how sampling decreases the detectability of anomalous traffic. We build equations to calculate the false positive ratio (FPR) and false negative ratio (FNR) for given values of the sampling rate, statistics of normal traffic, and volume of anomalies to be detected. We show that by changing the measurement granularity, we can detect anomalies even with a low sampling rate, and we give the equation to derive the optimal granularity by using the relationship between the mean and variance of aggregated flows. With those equations, we can answer the practical questions that arise in actual network operations: what sampling rate to set in order to find the given volume of anomaly, or, if the sampling is too high for actual operation, what granularity is optimal to find the anomaly for a given lower limit of sampling rate.
Keywords
Internet; telecommunication security; telecommunication traffic; anomalous traffic; anomaly detectability; false negative ratio; false positive ratio; granularity monitoring; optimal granularity; sampling rate effect; Computer crime; Equations; IP networks; Informatics; Monitoring; Packet switching; Sampling methods; Statistics; Telecommunication traffic; Web and internet services;
fLanguage
English
Publisher
ieee
Conference_Titel
IEEE Global Internet Symposium, 2007
Conference_Location
Anchorage, AK
Print_ISBN
978-1-4244-1697-4
Type
conf
DOI
10.1109/GI.2007.4301426
Filename
4301426