Abstract:
Real-time Anomaly Detection Systems (ADSs) use packet sampling to realize traffic analysis at wire speeds. While recent studies have shown that a considerable loss of anomaly detection accuracy is incurred due to sampling, solutions to mitigate this loss are largely unexplored. In this thesis, we propose a Progressive Security-Aware Packet Sampling (PSAS) algorithm which enables a real-time inline anomaly detector to achieve higher accuracy by sampling larger volumes of malicious traffic than random sampling, while adhering to a given sampling budget. High malicious sampling rates are achieved by deploying inline ADSs progressively on a packet's path. Each ADS encodes a binary score (malicious or benign) of a sampled packet into the packet before forwarding it to the next hop node. The next hop node then samples packets marked as malicious with a higher probability. We analytically prove that under certain realistic conditions, irrespective of the intrusion detection algorithm used to formulate the packet score, PSAS always provides higher malicious packet sampling rates. To empirically evaluate the proposed PSAS algorithm, we simultaneously collect an Internet traffic dataset containing DoS and portscan attacks. Experimental results using four existing anomaly detectors show that PSAS, while having no extra communication overhead and extremely low complexity, allows these detectors to achieve significantly higher accuracies than those operating on random packet samples.
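The following is an added illustration, not code from the thesis: it computes, in expectation, the malicious packet sampling rate hop by hop when each ADS marks the packets it samples and the next hop spends its fixed budget preferentially on marked packets. The malicious traffic fraction, the detector's TPR/FPR and the concrete budget-split rule (marked packets first, remaining budget spread uniformly) are assumptions chosen for the example.

```python
from fractions import Fraction as F

# Constructed parameters (assumptions, not values from the thesis).
PI = F(1, 10)      # fraction of packets on the link that are malicious
TPR = F(4, 5)      # P(score = malicious | a malicious packet is sampled)
FPR = F(1, 20)     # P(score = malicious | a benign packet is sampled)
BUDGET = F(1, 5)   # each inline ADS may sample 20% of all packets


def budget_probs(marked, budget):
    """Split one hop's budget into (p_hi, p_lo): probability of sampling a
    packet that carries a malicious mark vs. any other packet.
    Assumed rule (not the thesis's): take marked packets first, then spread
    whatever budget is left uniformly over the rest. Either branch keeps the
    expected overall sampling fraction exactly equal to the budget."""
    if marked <= budget:
        return F(1), (budget - marked) / (1 - marked)
    return budget / marked, F(0)


def psas_hops(hops, pi=PI, tpr=TPR, fpr=FPR, budget=BUDGET):
    """Return [(P(sampled | malicious), P(sampled | benign)), ...] per hop.
    State q_mal / q_ben = P(packet carries a malicious mark | its true class).
    Hop 1 sees no marks, so it reduces to random sampling at the budget;
    random sampling would stay at the budget on every later hop as well."""
    q_mal, q_ben = F(0), F(0)
    rates = []
    for _ in range(hops):
        marked = pi * q_mal + (1 - pi) * q_ben          # fraction marked
        p_hi, p_lo = budget_probs(marked, budget)
        s_mal = q_mal * p_hi + (1 - q_mal) * p_lo       # sampled | malicious
        s_ben = q_ben * p_hi + (1 - q_ben) * p_lo       # sampled | benign
        rates.append((s_mal, s_ben))
        # Sampled packets are re-scored and re-marked by this hop's detector;
        # unsampled packets carry their previous mark (or none) downstream.
        q_mal = s_mal * tpr + (1 - s_mal) * q_mal
        q_ben = s_ben * fpr + (1 - s_ben) * q_ben
    return rates


def budget_used(s_mal, s_ben, pi=PI):
    """Overall sampled fraction at a hop; must equal the budget."""
    return pi * s_mal + (1 - pi) * s_ben


if __name__ == "__main__":
    for hop, (s_mal, s_ben) in enumerate(psas_hops(4), start=1):
        print(f"hop {hop}: P(sampled|malicious)={float(s_mal):.3f} "
              f"random={float(BUDGET):.3f} budget_used={float(budget_used(s_mal, s_ben)):.3f}")
```

With these parameters the malicious sampling rate rises from 0.200 at the first hop (no marks yet) to about 0.311 at the second, while every hop still samples exactly 20% of all packets.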