Identification of the Attack Traffic Component Based on Statistical Discriminants
Abstract
Characterizing the composition of network traffic is a fundamental topic in network design. Every capacity dimensioning decision, whether for links, processors, switches or buffers, made to reach acceptable service levels such as queueing delay and packet loss, depends on the composition of the traffic and on the demand that each component of that composition imposes on the network elements. To study the effect of attacks on network performance, the first step is to identify the volume of attack traffic present in the network workload. The approach presented in this work uses a reduced number of statistical discriminants and cluster analysis to identify the attack component present in network traffic.
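As an added illustration (not code from the paper), the method the abstract describes reduced to a runnable sketch: a few per-flow statistical discriminants, standardisation, two-cluster k-means, and the share of flows and of packets that falls in the cluster resembling scanning or flooding. The flow records are constructed, and the choice of discriminants and the "smaller mean packet count is the attack cluster" rule are assumptions of this example, not the paper's.

```python
import math
from statistics import mean, pstdev

# Constructed flow records (packets, bytes, duration in seconds); not real traffic.
# Four ordinary sessions plus six scan/flood-like flows: one or two tiny packets, no duration.
FLOWS = [
    (120, 96000, 12.5), (340, 410000, 30.1), (75, 52000, 8.0), (210, 180000, 20.4),
    (1, 40, 0.0), (1, 40, 0.0), (2, 80, 0.01), (1, 40, 0.0), (2, 80, 0.02), (1, 40, 0.0),
]

def discriminants(flow):
    """Reduced set of three discriminants: log packet count, mean bytes per packet, duration."""
    pkts, byts, dur = flow
    return [math.log(pkts), byts / pkts, dur]

def zscore(rows):
    """Standardise each column so that no single discriminant dominates the distance."""
    cols = list(zip(*rows))
    mu = [mean(c) for c in cols]
    sd = [pstdev(c) or 1.0 for c in cols]  # constant column: leave it unscaled
    return [[(v - m) / s for v, m, s in zip(r, mu, sd)] for r in rows]

def dist(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))

def kmeans2(points, iters=20):
    """Two-cluster k-means seeded with the two mutually farthest points (deterministic)."""
    seeds = max(((p, q) for p in points for q in points), key=lambda pq: dist(*pq))
    centers = [list(seeds[0]), list(seeds[1])]
    labels = [0] * len(points)
    for _ in range(iters):
        new = [min((0, 1), key=lambda k: dist(p, centers[k])) for p in points]
        if new == labels:
            break
        labels = new
        for k in (0, 1):
            members = [p for p, l in zip(points, labels) if l == k]
            if members:  # keep the old center if a cluster empties
                centers[k] = [mean(c) for c in zip(*members)]
    return labels

def attack_component(flows):
    """Return (attack flags per flow, attack share of flows, attack share of packets)."""
    labels = kmeans2(zscore([discriminants(f) for f in flows]))
    # Assumed rule: the cluster with the smaller mean packet count is the scan/flood-like one.
    groups = [[f for f, l in zip(flows, labels) if l == k] for k in (0, 1)]
    mean_pkts = [sum(f[0] for f in g) / len(g) if g else math.inf for g in groups]
    atk = mean_pkts.index(min(mean_pkts))
    is_atk = [l == atk for l in labels]
    atk_pkts = sum(f[0] for f, a in zip(flows, is_atk) if a)
    return is_atk, sum(is_atk) / len(flows), atk_pkts / sum(f[0] for f in flows)

if __name__ == "__main__":
    flags, fshare, pshare = attack_component(FLOWS)
    print(f"attack-like component: {fshare:.0%} of flows, {pshare:.1%} of packets")
```

On this input the attack-like cluster holds most of the flows but about one percent of the packets, which is why the abstract frames the problem as the volume of attack traffic in the workload rather than a flow count.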
Published
30/06/2007
How to Cite
HOLANDA FILHO, Raimir; MAIA, J. E. Bessa; CARMO, Marcus F. F. do. Identificação da Componente de Tráfego de Ataque baseada em Discriminantes Estatísticos. In: WORKSHOP EM DESEMPENHO DE SISTEMAS COMPUTACIONAIS E DE COMUNICAÇÃO (WPERFORMANCE), 6., 2007, Rio de Janeiro/RJ. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2007. p. 690-702. ISSN 2595-6167.
