IFS: Intelligent flow sampling for network security–an adaptive approach

Kód výsledku v IS VaVaI

<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F15%3A00230859" target="_blank" >RIV/68407700:21230/15:00230859 - isvavai.cz</a>

Výsledek na webu

<a href="http://onlinelibrary.wiley.com/doi/10.1002/nem.1902/full" target="_blank" >http://onlinelibrary.wiley.com/doi/10.1002/nem.1902/full</a>

DOI - Digital Object Identifier

<a href="http://dx.doi.org/10.1002/nem.1902" target="_blank" >10.1002/nem.1902</a>

Jazyk výsledku

angličtina

Název v původním jazyce

IFS: Intelligent flow sampling for network security–an adaptive approach

Popis výsledku v původním jazyce

In order to cope with an increasing volume of network traffic, flow sampling methods are deployed to reduce the volume of log data stored for monitoring, attack detection, and forensic purposes. Sampling frequently changes the statistical properties of the data and can reduce the effectiveness of subsequent analysis or processing. We propose two concepts that mitigate the negative impact of sampling on the data. Late sampling is based on a simple idea that the features used by the analytic algorithms can be extracted before the sampling and attached to the surviving flows. The surviving flows thus carry the representation of the original statistical distribution in these attached features. The second concept we introduce is that of adaptive sampling. Adaptive sampling deliberatively skews the distribution of the surviving data to overrepresent the rare flows or flows with rare feature values. This preserves the variability of the data and is critical for the analysis of malicious traffic, such as the detection of stealthy, hidden threats. Our approach has been extensively validated on standard NetFlow data, as well as on HTTP proxy logs that approximate the use-case of enriched IPFIX for the network forensics.

Název v anglickém jazyce

IFS: Intelligent flow sampling for network security–an adaptive approach

Popis výsledku anglicky

In order to cope with an increasing volume of network traffic, flow sampling methods are deployed to reduce the volume of log data stored for monitoring, attack detection, and forensic purposes. Sampling frequently changes the statistical properties of the data and can reduce the effectiveness of subsequent analysis or processing. We propose two concepts that mitigate the negative impact of sampling on the data. Late sampling is based on a simple idea that the features used by the analytic algorithms can be extracted before the sampling and attached to the surviving flows. The surviving flows thus carry the representation of the original statistical distribution in these attached features. The second concept we introduce is that of adaptive sampling. Adaptive sampling deliberatively skews the distribution of the surviving data to overrepresent the rare flows or flows with rare feature values. This preserves the variability of the data and is critical for the analysis of malicious traffic, such as the detection of stealthy, hidden threats. Our approach has been extensively validated on standard NetFlow data, as well as on HTTP proxy logs that approximate the use-case of enriched IPFIX for the network forensics.

Druh

J_x - Nezařazeno - Článek v odborném periodiku (Jimp, Jsc a Jost)

CEP obor

JC - Počítačový hardware a software

OECD FORD obor

—

Projekt

<a href="/cs/project/VG20122014079" target="_blank" >VG20122014079: Behaviorální detekce pokročilých útočníků v počítačových sítích</a><br>

Návaznosti

P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)

Rok uplatnění

2015

Kód důvěrnosti údajů

S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů

Název periodika

International Journal of Network Management

ISSN

1055-7148

e-ISSN

—

Svazek periodika

25

Číslo periodika v rámci svazku

5

Stát vydavatele periodika

US - Spojené státy americké

Počet stran výsledku

20

Strana od-do

263-282

Kód UT WoS článku

000360842100002

EID výsledku v databázi Scopus

2-s2.0-84941170376