
Coordinated Anomaly Detection and Characterization in Wide Area Network Flows

Abstract

The ability to quickly and accurately identify anomalous behavior in computer networks is essential to assure that they perform efficiently, safely and reliably. The current standard in anomaly detection technology is autonomous packet level analysis that uses simple thresholds or rules to generate alerts. While these systems are effective in detecting and identifying some types of anomalous behavior, networks are still far from being robust or reliable. In this project, we are pursuing research initiatives aimed at developing the next generation of anomaly detection infrastructures, methods and tools. Our initial efforts have focused on two areas - measurement and characterization of general types of anomalous traffic (misconfigurations, failures, flash crowds, etc.), and measurement and characterization of malicious network traffic (intrusions and attacks). Our focus in the former has been on applying multi-resolution analysis to IP flow data collected at our campus border router. Our focus in the latter has been on using intrusion data collected from a large number of networks to identify malicious activity. Both efforts have resulted in tools and systems that we will continue to develop. Our future efforts will emphasize expansion and refinement of coordinated detection methods and wide deployment of these capabilities across the IPv4 address space as well as in the wireless domain.
