Active Metrology for Anomaly Detection in Internet Traffic
Independent thesis, advanced level (degree of Master (Two Years)), 20 credits / 30 HE credits. Student thesis.
The detection of anomalies occurring in a network is of great importance. Networks need to guarantee both performance and security to their users. Anomalies must be detected as quickly as possible so that an appropriate response to the threat can be taken (blocking the traffic of an attack, bringing up additional servers to answer a surge in demand). The thesis answers the question: can anomalies be detected using active monitoring?
Active monitoring sends probe packets over a network to evaluate the state of the traffic, and therefore adds traffic of its own to the network. Several metrics can be measured, but not all of them are useful for detecting anomalies.
Many detection methods have been developed over the years and they fall into several categories. Supervised and semi-supervised algorithms need labelled data, while unsupervised algorithms do not.
The thesis develops a solution that combines an active tool measuring the available bandwidth of a network with a statistical detection algorithm based on change point detection.
The solution has been tested on a controlled testbed against Denial of Service (DoS) attacks and shows promising results against them, but it was not able to detect network scanning.
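The pipeline the thesis describes, periodic active available-bandwidth probes feeding a change-point detector, as an added example that is not the thesis's own code. The thesis does not name its change-point algorithm, so a two-sided CUSUM on the mean is assumed here; the bandwidth samples are constructed, not measured, and the training-window, drift and threshold parameters are illustrative choices. The second series reproduces the thesis's negative result: a low-rate scan leaves the available-bandwidth estimate untouched, so a detector built on that metric never fires.

```python
"""Change-point detection (CUSUM) over active available-bandwidth probes.

Added illustration, not the thesis's own code. The thesis does not name
its change-point algorithm; a two-sided CUSUM on the mean is assumed.
All probe samples below are constructed, not measured.
"""
from statistics import mean, pstdev

# Constructed probe results (Mbit/s), one per measurement round.
# The link offers ~95 Mbit/s; at round 20 a DoS flood starts and the
# available bandwidth seen by the probes collapses to ~40 Mbit/s.
DOS_SAMPLES = [95.2, 94.8, 96.1, 95.5, 93.9, 95.0, 96.3, 94.4, 95.7, 95.1,
               94.6, 95.9, 95.3, 94.2, 96.0, 95.4, 94.9, 95.6, 95.0, 94.7,
               41.3, 38.9, 40.5, 39.7, 42.0, 40.1, 38.4, 41.8, 39.9, 40.6]

# Constructed samples during a port scan: a few SYN packets per second
# are invisible at the bandwidth level, so the series stays at baseline
# noise throughout and the detector has nothing to react to.
SCAN_SAMPLES = [95.2, 94.8, 96.1, 95.5, 93.9, 95.0, 96.3, 94.4, 95.7, 95.1,
                94.6, 95.9, 95.3, 94.2, 96.0, 95.4, 94.9, 95.6, 95.0, 94.7,
                95.8, 94.3, 95.1, 96.2, 94.5, 95.0, 94.8, 95.9, 95.3, 94.6]


def cusum_detect(samples, train=10, k_sigma=0.5, h_sigma=5.0):
    """Two-sided CUSUM on the sample mean.

    The first `train` samples are assumed attack-free and define the
    baseline mean mu and standard deviation sigma. The drift k (slack
    subtracted each round) and the alarm threshold h are expressed in
    units of sigma. Returns (index, direction) of the first alarm, or
    (None, None) when no change point is found.
    """
    if len(samples) <= train:
        raise ValueError("need more samples than the training window")
    baseline = samples[:train]
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1e-9   # guard: a flat baseline would zero k and h
    k = k_sigma * sigma
    h = h_sigma * sigma
    s_hi = s_lo = 0.0                  # cumulative sums for upward / downward shifts
    for i in range(train, len(samples)):
        x = samples[i]
        s_hi = max(0.0, s_hi + (x - mu) - k)   # grows only while x stays above mu + k
        s_lo = max(0.0, s_lo + (mu - x) - k)   # grows only while x stays below mu - k
        if s_lo > h:
            return i, "drop"           # available bandwidth fell: consistent with a flood
        if s_hi > h:
            return i, "rise"
    return None, None


if __name__ == "__main__":
    print("DoS series :", cusum_detect(DOS_SAMPLES))    # alarm at the first flood round
    print("scan series:", cusum_detect(SCAN_SAMPLES))   # no alarm: scan is invisible here
```

With these constructed series the DoS flood is flagged on the very first round after it starts, because a drop of roughly 54 Mbit/s against a baseline sigma of 0.7 Mbit/s blows through the threshold at once, whereas the scan series never leaves baseline noise. That is the practical limit of the approach: it only sees anomalies that move the probed metric, and the probes themselves add load, so the probing rate has to be traded off against detection delay.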
Place, publisher, year, edition, pages: 2016, TRITA EE 2016:028
Series: EES Examensarbete / Master Thesis, TRITA EE 2016:028
Subject: Electrical Engineering, Electronic Engineering, Information Engineering
Identifiers: URN: urn:nbn:se:kth:diva-187725; OAI: oai:DiVA.org:kth-187725; DiVA: diva2:931341
Stadler, Rolf, Professor