Wednesday, December 15, 2010

A "Wise" Way to Detect Traffic Anomalies

Since the early days of the Internet, its security has been a concern of growing importance. Because the Internet is managed at many different levels (user, ISP, content provider, telephony, etc.), different approaches to minimizing threats have emerged. For example, users and content providers are primarily concerned with keeping their computers free of malware, to avoid the compromise of personal information or resources.

ISPs take a different stance. They are concerned with keeping their clients as a whole free of malware, and with keeping them from becoming part of (or the target of) attacks such as DDoS and spam. That is what traffic anomaly detection is concerned with. Anomaly detection is a challenging task, as a wide variety of anomalies can occur within an ISP. Consequently, a variety of systems have been developed to pinpoint them.

ASTUTE is a fairly recent system. Its detection is based on the assumption that, when router queues are not saturated, the total volume aggregated across different flows does not change much over time. Anomalies are thus detected as deviations from this equilibrium. ASTUTE does well at finding moments when groups of flows simultaneously cause an increase in traffic, even when each individual increase is small. This would make it possible to classify traffic from botnets. However, it does not do well at classifying large volume increases caused by one or a few flows. Other detection methods, such as wavelet-based or Kalman-filter-based detectors, can do this. In practice, ASTUTE would work well in concert with one of these other methods, as each has its own benefits.
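To make the equilibrium idea concrete, here is an added example (not code from the post or from the ASTUTE authors) of a simplified ASTUTE-style test: per-flow volume changes between two consecutive time bins should average out to about zero, so a mean change that is large relative to its spread is flagged. The score formula is my reconstruction of the equilibrium test, and the flow volumes are constructed; it also shows why one huge flow is not flagged while many small, coordinated increases are.

```python
import math
import random

# Simplified equilibrium test in the spirit of ASTUTE (my reconstruction,
# not the published implementation). Input: per-flow volumes (e.g. bytes)
# in two consecutive time bins covering the same F flows.

def flow_deltas(prev, cur):
    """Per-flow change in volume between the previous and current bin."""
    if len(prev) != len(cur):
        raise ValueError("bins must cover the same set of flows")
    return [c - p for p, c in zip(prev, cur)]

def equilibrium_score(prev, cur):
    """|mean delta| * sqrt(F) / sample std of the deltas.
    Under the equilibrium assumption (independent, zero-mean changes)
    this behaves like a standard normal variable."""
    d = flow_deltas(prev, cur)
    f = len(d)
    mean = sum(d) / f
    std = math.sqrt(sum((x - mean) ** 2 for x in d) / (f - 1))
    if std == 0.0:  # all flows moved identically (or not at all)
        return 0.0 if mean == 0.0 else float("inf")
    return abs(mean) * math.sqrt(f) / std

THRESHOLD = 3.3  # roughly the two-sided 0.1% Gaussian quantile

def is_anomalous(prev, cur, threshold=THRESHOLD):
    return equilibrium_score(prev, cur) > threshold

def build_scenarios(n_flows=200, seed=7):
    """Constructed data: a baseline bin and three candidate next bins."""
    rng = random.Random(seed)
    base = [100.0 + rng.gauss(0, 1) for _ in range(n_flows)]
    quiet = [x + rng.gauss(0, 1) for x in base]             # only noise
    coordinated = [x + 1.0 + rng.gauss(0, 1) for x in base]  # every flow +1
    single = [x + rng.gauss(0, 1) for x in base]
    single[0] += float(n_flows)  # one flow adds the same total volume
    return base, quiet, coordinated, single

if __name__ == "__main__":
    base, quiet, coordinated, single = build_scenarios()
    for name, nxt in (("quiet", quiet), ("coordinated", coordinated),
                      ("single-flow spike", single)):
        print(f"{name:18s} score={equilibrium_score(base, nxt):5.2f} "
              f"anomalous={is_anomalous(base, nxt)}")
```

The single-flow spike contributes the same total volume as the coordinated case, but it inflates the spread of the deltas as much as the mean, so the score stays near 1 no matter how large the spike is; that is the blind spot the post attributes to ASTUTE.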
