dc.contributor.author |
Ali, Sardar |
|
dc.date.accessioned |
2020-11-05T06:06:28Z |
|
dc.date.available |
2020-11-05T06:06:28Z |
|
dc.date.issued |
2009 |
|
dc.identifier.uri |
http://10.250.8.41:8080/xmlui/handle/123456789/10043 |
|
dc.description |
Supervisor: Dr. Syed Ali Khayam |
en_US |
dc.description.abstract |
Real-time Anomaly Detection Systems (ADSs) use packet sampling
to realize traffic analysis at wire speeds. While recent
studies have shown that a considerable loss of anomaly detection
accuracy is incurred due to sampling, solutions to mitigate this
loss are largely unexplored. In this thesis, we propose a Progressive
Security-Aware Packet Sampling (PSAS) algorithm which
enables a real-time inline anomaly detector to achieve higher
accuracy by sampling larger volumes of malicious traffic than
random sampling, while adhering to a given sampling budget.
High malicious sampling rates are achieved by deploying inline
ADSs progressively on a packet's path. Each ADS encodes a
binary score (malicious or benign) of a sampled packet into the
packet before forwarding it to the next hop node. The next hop
node then samples packets marked as malicious with a higher
probability. We analytically prove that under certain realistic
conditions, irrespective of the intrusion detection algorithm used
to formulate the packet score, PSAS always provides higher
malicious packet sampling rates. To empirically evaluate the
proposed PSAS algorithm, we simultaneously collect an Internet
traffic dataset containing DoS and portscan attacks.
Experimental results using four existing anomaly detectors show that
PSAS, while having no extra communication overhead and
extremely low complexity, allows these detectors to achieve
significantly higher accuracies than those operating on random packet
samples. |
en_US |
dc.publisher |
SEECS, National University of Science and Technology, Islamabad. |
en_US |
dc.subject |
Information Technology, Security-Aware |
en_US |
dc.title |
Enabling Accurate Anomaly Detection Using Progressive Security-Aware Packet Sampling |
en_US |
dc.type |
Thesis |
en_US |