We quantitatively evaluate how sampling and spatio/temporal granularity in traffic monitoring affect the detectability of anomalous traffic. Those parameters also affect the monitoring burden, so network operators face a trade-off between the monitoring burden and detectability and need to know which are the optimal parameter values. We derive equations to calculate the false positive ratio and false negative ratio for given values of the sampling rate, granularity, statistics of normal traffic, and volume of anomalies to be detected. Specifically, assuming that the normal traffic has a Gaussian distribution, which is parameterized by its mean and standard deviation, we analyze how sampling and monitoring granularity change these distribution parameters. This analysis is based on observation of the backbone traffic, which exhibits spatially uncorrelated and temporally long-range dependence. Then we derive the equations for detectability. With those equations, we can answer the practical questions that arise in actual network operations: what sampling rate to set to find the given volume of anomaly, or, if the sampling is too high for actual operation, what granularity is optimal to find the anomaly for a given lower limit of sampling rate.
The copyright of the original papers published on this site belongs to IEICE. Unauthorized use of the original or translated papers is prohibited. See IEICE Provisions on Copyright for details.
Keisuke ISHIBASHI, Ryoichi KAWAHARA, Tatsuya MORI, Tsuyoshi KONDOH, Shoichiro ASANO, "Effects of Sampling and Spatio/Temporal Granularity in Traffic Monitoring on Anomaly Detectability" in IEICE TRANSACTIONS on Communications,
vol. E95-B, no. 2, pp. 466-476, February 2012, doi: 10.1587/transcom.E95.B.466.
Abstract: We quantitatively evaluate how sampling and spatio/temporal granularity in traffic monitoring affect the detectability of anomalous traffic. Those parameters also affect the monitoring burden, so network operators face a trade-off between the monitoring burden and detectability and need to know which are the optimal parameter values. We derive equations to calculate the false positive ratio and false negative ratio for given values of the sampling rate, granularity, statistics of normal traffic, and volume of anomalies to be detected. Specifically, assuming that the normal traffic has a Gaussian distribution, which is parameterized by its mean and standard deviation, we analyze how sampling and monitoring granularity change these distribution parameters. This analysis is based on observation of the backbone traffic, which exhibits spatially uncorrelated and temporally long-range dependence. Then we derive the equations for detectability. With those equations, we can answer the practical questions that arise in actual network operations: what sampling rate to set to find the given volume of anomaly, or, if the sampling is too high for actual operation, what granularity is optimal to find the anomaly for a given lower limit of sampling rate.
URL: https://globals.ieice.org/en_transactions/communications/10.1587/transcom.E95.B.466/_p
@ARTICLE{e95-b_2_466,
author={Keisuke ISHIBASHI and Ryoichi KAWAHARA and Tatsuya MORI and Tsuyoshi KONDOH and Shoichiro ASANO},
journal={IEICE TRANSACTIONS on Communications},
title={Effects of Sampling and Spatio/Temporal Granularity in Traffic Monitoring on Anomaly Detectability},
year={2012},
volume={E95-B},
number={2},
pages={466-476},
abstract={We quantitatively evaluate how sampling and spatio/temporal granularity in traffic monitoring affect the detectability of anomalous traffic. Those parameters also affect the monitoring burden, so network operators face a trade-off between the monitoring burden and detectability and need to know which are the optimal parameter values. We derive equations to calculate the false positive ratio and false negative ratio for given values of the sampling rate, granularity, statistics of normal traffic, and volume of anomalies to be detected. Specifically, assuming that the normal traffic has a Gaussian distribution, which is parameterized by its mean and standard deviation, we analyze how sampling and monitoring granularity change these distribution parameters. This analysis is based on observation of the backbone traffic, which exhibits spatially uncorrelated and temporally long-range dependence. Then we derive the equations for detectability. With those equations, we can answer the practical questions that arise in actual network operations: what sampling rate to set to find the given volume of anomaly, or, if the sampling is too high for actual operation, what granularity is optimal to find the anomaly for a given lower limit of sampling rate.},
keywords={},
doi={10.1587/transcom.E95.B.466},
ISSN={1745-1345},
month={February},}
TY - JOUR
TI - Effects of Sampling and Spatio/Temporal Granularity in Traffic Monitoring on Anomaly Detectability
T2 - IEICE TRANSACTIONS on Communications
SP - 466
EP - 476
AU - Keisuke ISHIBASHI
AU - Ryoichi KAWAHARA
AU - Tatsuya MORI
AU - Tsuyoshi KONDOH
AU - Shoichiro ASANO
PY - 2012
DO - 10.1587/transcom.E95.B.466
JO - IEICE TRANSACTIONS on Communications
SN - 1745-1345
VL - E95-B
IS - 2
JA - IEICE TRANSACTIONS on Communications
Y1 - February 2012
AB - We quantitatively evaluate how sampling and spatio/temporal granularity in traffic monitoring affect the detectability of anomalous traffic. Those parameters also affect the monitoring burden, so network operators face a trade-off between the monitoring burden and detectability and need to know which are the optimal parameter values. We derive equations to calculate the false positive ratio and false negative ratio for given values of the sampling rate, granularity, statistics of normal traffic, and volume of anomalies to be detected. Specifically, assuming that the normal traffic has a Gaussian distribution, which is parameterized by its mean and standard deviation, we analyze how sampling and monitoring granularity change these distribution parameters. This analysis is based on observation of the backbone traffic, which exhibits spatially uncorrelated and temporally long-range dependence. Then we derive the equations for detectability. With those equations, we can answer the practical questions that arise in actual network operations: what sampling rate to set to find the given volume of anomaly, or, if the sampling is too high for actual operation, what granularity is optimal to find the anomaly for a given lower limit of sampling rate.
ER -