IFS: Intelligent flow sampling for network security–an adaptive approach
Identifikátory výsledku
Kód výsledku v IS VaVaI
<a href="https://www.isvavai.cz/riv?ss=detail&h=RIV%2F68407700%3A21230%2F15%3A00230859" target="_blank" >RIV/68407700:21230/15:00230859 - isvavai.cz</a>
Výsledek na webu
<a href="http://onlinelibrary.wiley.com/doi/10.1002/nem.1902/full" target="_blank" >http://onlinelibrary.wiley.com/doi/10.1002/nem.1902/full</a>
DOI - Digital Object Identifier
<a href="http://dx.doi.org/10.1002/nem.1902" target="_blank" >10.1002/nem.1902</a>
Alternativní jazyky
Jazyk výsledku
angličtina
Název v původním jazyce
IFS: Intelligent flow sampling for network security–an adaptive approach
Popis výsledku v původním jazyce
In order to cope with an increasing volume of network traffic, flow sampling methods are deployed to reduce the volume of log data stored for monitoring, attack detection, and forensic purposes. Sampling frequently changes the statistical properties of the data and can reduce the effectiveness of subsequent analysis or processing. We propose two concepts that mitigate the negative impact of sampling on the data. Late sampling is based on a simple idea that the features used by the analytic algorithms can be extracted before the sampling and attached to the surviving flows. The surviving flows thus carry the representation of the original statistical distribution in these attached features. The second concept we introduce is that of adaptive sampling. Adaptive sampling deliberatively skews the distribution of the surviving data to overrepresent the rare flows or flows with rare feature values. This preserves the variability of the data and is critical for the analysis of malicious traffic, such as the detection of stealthy, hidden threats. Our approach has been extensively validated on standard NetFlow data, as well as on HTTP proxy logs that approximate the use-case of enriched IPFIX for the network forensics.
Název v anglickém jazyce
IFS: Intelligent flow sampling for network security–an adaptive approach
Popis výsledku anglicky
In order to cope with an increasing volume of network traffic, flow sampling methods are deployed to reduce the volume of log data stored for monitoring, attack detection, and forensic purposes. Sampling frequently changes the statistical properties of the data and can reduce the effectiveness of subsequent analysis or processing. We propose two concepts that mitigate the negative impact of sampling on the data. Late sampling is based on a simple idea that the features used by the analytic algorithms can be extracted before the sampling and attached to the surviving flows. The surviving flows thus carry the representation of the original statistical distribution in these attached features. The second concept we introduce is that of adaptive sampling. Adaptive sampling deliberatively skews the distribution of the surviving data to overrepresent the rare flows or flows with rare feature values. This preserves the variability of the data and is critical for the analysis of malicious traffic, such as the detection of stealthy, hidden threats. Our approach has been extensively validated on standard NetFlow data, as well as on HTTP proxy logs that approximate the use-case of enriched IPFIX for the network forensics.
Klasifikace
Druh
J<sub>x</sub> - Nezařazeno - Článek v odborném periodiku (Jimp, Jsc a Jost)
CEP obor
JC - Počítačový hardware a software
OECD FORD obor
—
Návaznosti výsledku
Projekt
<a href="/cs/project/VG20122014079" target="_blank" >VG20122014079: Behaviorální detekce pokročilých útočníků v počítačových sítích</a><br>
Návaznosti
P - Projekt vyzkumu a vyvoje financovany z verejnych zdroju (s odkazem do CEP)
Ostatní
Rok uplatnění
2015
Kód důvěrnosti údajů
S - Úplné a pravdivé údaje o projektu nepodléhají ochraně podle zvláštních právních předpisů
Údaje specifické pro druh výsledku
Název periodika
International Journal of Network Management
ISSN
1055-7148
e-ISSN
—
Svazek periodika
25
Číslo periodika v rámci svazku
5
Stát vydavatele periodika
US - Spojené státy americké
Počet stran výsledku
20
Strana od-do
263-282
Kód UT WoS článku
000360842100002
EID výsledku v databázi Scopus
2-s2.0-84941170376