nac: Network anomaly classification tool
Abstract
The potential threat of network anomalies on the Internet
has led to a constant effort by the research community to
design reliable detection methods. Detection alone is not enough,
however, because network administrators need additional information
on the nature of the events occurring in a network. Several works
try to classify detected events or establish a taxonomy of known
events, but these works are non-overlapping in terms of anomaly
type coverage. On the one hand, existing classification methods
use a limited set of labels. On the other hand, taxonomies often
target a single type of anomaly or, when they have wider scope,
fail to present the full spectrum of what really happens in the
wild.
We thus present a new taxonomy of network anomalies with
wide coverage of existing work. We also provide a set of signatures
that assign taxonomy labels to events. We present a preliminary
study applying this taxonomy to six years of real network traffic
from the MAWI repository. We classify previously documented
anomalous events and draw two main conclusions. First, the
taxonomy-based analysis provides new insights regarding events
previously classified by heuristic rule labeling. For example, some
RST events are now classified as network scan responses and the
majority of ICMP events are split into network scans and network
scan responses. Moreover, some previously unknown events now
account for a substantial number of all UDP network scans,
network scan responses and port scans. Second, the number of
unknown events decreases from 20% to 10% of all events with the
proposed taxonomy as compared to the heuristic approach.
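As an added illustration (not the nac tool's own code and not the signatures from the paper), the following Python sketch shows how signature rules can assign the abstract's taxonomy labels (network scan, network scan response, port scan, unknown) to events a detector has already isolated; the rules, the MIN_TARGETS threshold and the sample flow records are assumptions constructed for this example.

```python
from collections import Counter
# Assumed signatures, thresholds and sample flows (not the nac tool's or paper's rules).
MIN_TARGETS = 10  # distinct hosts or ports before a pattern counts as a scan

def is_probe(f):
    """TCP SYN, bare UDP or ICMP echo request (8/0) look like scan probes."""
    return ((f["proto"] == "tcp" and f["flags"] == "S") or f["proto"] == "udp"
            or (f["proto"] == "icmp" and f["flags"] == "8/0"))

def is_reply(f):
    """TCP RST or ICMP destination unreachable (3/x) look like backscatter."""
    return ((f["proto"] == "tcp" and "R" in f["flags"])
            or (f["proto"] == "icmp" and f["flags"].startswith("3/")))

def classify_event(flows):
    """Label one detected event (flow dicts: src, dst, proto, dport, flags)."""
    srcs = {f["src"] for f in flows}
    dsts = {f["dst"] for f in flows}
    ports = {f["dport"] for f in flows}
    probes, replies = all(map(is_probe, flows)), all(map(is_reply, flows))
    # One source sweeps many hosts on a single port: network scan
    if len(srcs) == 1 and len(dsts) >= MIN_TARGETS and len(ports) == 1 and probes:
        return "network scan"
    # One source hits many ports on one host: port scan
    if len(srcs) == 1 and len(dsts) == 1 and len(ports) >= MIN_TARGETS and probes:
        return "port scan"
    # Many hosts answer one address with RST or unreachable: scan response
    if len(dsts) == 1 and len(srcs) >= MIN_TARGETS and replies:
        return "network scan response"
    return "unknown"

def make_event(srcs, dsts, proto, dports, flags):
    """Build a constructed sample event (not MAWI data); lists are zipped."""
    return [{"src": s, "dst": d, "proto": proto, "dport": p, "flags": flags}
            for s, d, p in zip(srcs, dsts, dports)]

HOSTS = [f"192.0.2.{i}" for i in range(1, 13)]  # 12 constructed addresses
SAMPLE_EVENTS = {
    "syn_sweep": make_event(["10.0.0.1"] * 12, HOSTS, "tcp", [445] * 12, "S"),
    "rst_event": make_event(HOSTS, ["10.0.0.2"] * 12, "tcp", [40000] * 12, "RA"),
    "icmp_echo": make_event(["10.0.0.3"] * 12, HOSTS, "icmp", [0] * 12, "8/0"),
    "icmp_unreach": make_event(HOSTS, ["10.0.0.4"] * 12, "icmp", [0] * 12, "3/3"),
    "port_probe": make_event(["10.0.0.5"] * 12, ["10.0.0.6"] * 12, "tcp",
                             list(range(20, 32)), "S"),
    "bulk_transfer": make_event(["10.0.0.7"] * 12, ["10.0.0.8"] * 12, "tcp",
                                [443] * 12, "PA"),
}

def label_counts(events):
    """Count taxonomy labels across a set of detected events."""
    return Counter(classify_event(flows) for flows in events.values())
```

The rst_event and icmp_unreach samples mirror the abstract's point that RST and ICMP events can be backscatter from a scan rather than the scan itself, while icmp_echo lands on the network scan side of the ICMP split.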
BibTeX
@inproceedings{Mazel2014TRAC,
  author    = {Mazel, Johan and Fontugne, Romain and Fukuda, Kensuke},
  title     = {A Taxonomy of Anomalies in Backbone Network Traffic},
  booktitle = {Proceedings of 5th International Workshop on TRaffic Analysis and Characterization},
  pages     = {30-36},
  year      = {2014},
  series    = {TRAC 2014}
}