Computer Engineering and Networks Laboratory (TIK)
Publication Details for Techreport "Impact of Traffic Mix and Packet Sampling on Anomaly Visibility"

Authors: Bernhard Tellenbach, Daniela Brauckhoff, Martin May
Group: Communication Systems
Type: Techreport
Title: Impact of Traffic Mix and Packet Sampling on Anomaly Visibility
Year: 2007
Month: June
Pub-Key: Tell07a
Keywords: Packet Sampling, Anomaly Visibility, Netflow Traffic, Large Scale, Entropy
Rep Nbr: 275
Abstract: Packet sampling methods such as Cisco's NetFlow are widely employed by large scale networks to reduce the amount of traffic data measured. A key problem with packet sampling is that it is inherently a lossy process, discarding potentially useful information. In this paper, we empirically evaluate the impact of traffic mix and packet sampling on anomaly visibility using traffic traces collected at four different border routers of a medium scale national ISP. These traffic traces consist of unsampled flow traces collected during the Blaster and Witty worm outbreaks. We use our knowledge of the Blaster and Witty anomalies to establish a baseline of normal traffic against which we measure the size of the anomaly at various sampling rates. We analyze the traffic mix characteristics of the baseline traffic and use this knowledge to evaluate its impact on anomaly visibility. Our results confirm previous findings suggesting that entropy metrics are more resilient to packet sampling than volume metrics. Surprisingly, however, we find that simple metrics like unique destination port counts can be superior to entropy metrics even for sampling rates of 1 out of 10000. Furthermore, we find that traffic mix characteristics can compensate for, or even boost, anomaly visibility in sampled views for sampling rates up to 1 out of 10000.
Location: ETH Zürich
Resources: [BibTeX] [Paper as PDF]