Holt-Winters Estimation for Attack Detection in WAN Networks
Abstract
Attacks against networks and their services are a permanent concern for Internet service providers. Several methods for malicious traffic detection in WANs have been researched in recent years. This article evaluates a method based on the Holt-Winters forecasting algorithm to verify significant changes in the pattern of IP addresses and port numbers, which are normally affected in the presence of attacks. This work also proposes and evaluates the use of filters to increase the effectiveness of the method for the detection of attacks. Results confirm the usefulness of this proposal to detect malicious traffic related to a TCP SYN flood attack and to the propagation of the Slammer worm, both applied to real traffic samples from RNP's WAN backbone.
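An added example, not code from the paper, of the detection idea the abstract describes: an additive Holt-Winters forecast with a smoothed deviation band, applied to a constructed per-interval series of destination-port entropy, where a SYN flood concentrates flows on one port and collapses the entropy. Summarising the "pattern of port numbers" as Shannon entropy is an assumption made here, as are the smoothing constants, the series values and the flood sample.

```python
"""Holt-Winters forecast with a deviation band for anomaly detection, in the
style of RRDtool's aberrant-behaviour detection. All input below is constructed."""
import math
from collections import Counter


def port_entropy(ports):
    """Shannon entropy (bits) of the destination-port distribution of one
    measurement interval. Traffic concentrated on one port gives low entropy."""
    counts = Counter(ports)
    total = len(ports)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def holt_winters_detect(series, period, alpha=0.5, beta=0.1, gamma=0.3,
                        delta=3.0, min_dev=0.1):
    """Additive Holt-Winters over `series` with seasonal length `period`.
    The first `period` samples initialise level and seasonal terms; each later
    sample is compared with its forecast and flagged when the absolute error
    exceeds delta times the smoothed deviation of that seasonal slot.
    Flagged samples do not update the model, so one flood does not retrain it.
    Returns a list of (forecast, deviation, flagged) for samples period..end."""
    level = sum(series[:period]) / period
    trend = 0.0
    season = [x - level for x in series[:period]]
    dev = [0.0] * period
    results = []
    for t in range(period, len(series)):
        i = t % period
        forecast = level + trend + season[i]
        err = abs(series[t] - forecast)
        flagged = err > delta * max(dev[i], min_dev)
        results.append((forecast, dev[i], flagged))
        if flagged:
            continue
        new_level = alpha * (series[t] - season[i]) + (1 - alpha) * (level + trend)
        trend = beta * (new_level - level) + (1 - beta) * trend
        season[i] = gamma * (series[t] - new_level) + (1 - gamma) * season[i]
        dev[i] = gamma * err + (1 - gamma) * dev[i]
        level = new_level
    return results


def demo():
    """Constructed 12-interval entropy series (period 4); interval 8 models a
    SYN flood in which almost every flow targets a single port."""
    normal = [3.0, 3.2, 3.1, 3.3]                     # constructed repeating pattern
    flood = port_entropy([80] * 97 + [443, 22, 53])   # about 0.24 bits, far below normal
    series = normal * 2 + [flood] + normal[1:]
    return holt_winters_detect(series, period=4)


if __name__ == "__main__":
    for k, (fc, dv, flagged) in enumerate(demo(), start=4):
        print(f"t={k:2d} forecast={fc:.2f} dev={dv:.2f} {'ANOMALY' if flagged else 'ok'}")
```

Because flagged samples are not fed back into the model, the interval after the flood is forecast from the unpolluted state and is not flagged; the abstract's filters address the same contamination problem from the input side.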
