Anomaly Detection Studies in the Internet Backbone

Tao Ye, Sprint

Anomaly detection systems are often deployed at network edges, where traffic volume is relatively low and network configuration information is readily available. We instead discuss detecting anomalies from the Internet backbone point of view. In the backbone, traffic is highly aggregated, resulting in much higher line speeds and a wider diversity of IP address ranges. We present two techniques that target the core network. First, TAPS is a fast and effective port scan detection technique that uses sequential hypothesis testing to tag scanners. In its implementation, we use a probabilistic counting method to lower memory requirements. Second, we present a study on how traffic sampling, a widely used technique for generating traffic measurements in the core network, affects anomaly detection. We examine several existing sampling methods and conclude that sampling adversely impacts the successful detection ratio of both volume anomalies and port scans. Among the schemes, random flow sampling performs the best and random packet sampling the worst. Notably, sampling schemes designed to aid traffic matrix measurement perform poorly in anomaly detection.
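As an added illustration of the sequential-hypothesis-testing idea behind TAPS (this is not the talk's or Sprint's code, and it omits the probabilistic counting step), the sketch below runs a sequential probability ratio test per source over constructed flow records. The per-bin feature (ratio of distinct destination IPs to distinct destination ports), the threshold K and the probabilities THETA0/THETA1 are assumed values chosen for the example, not parameters taken from TAPS.

```python
import math
from collections import defaultdict

# Assumed parameters (not the talk's values): probability that a time bin looks
# suspicious under the benign (H0) and scanner (H1) hypotheses, the SPRT error
# targets, and the IP-to-port ratio beyond which a bin counts as suspicious.
THETA0, THETA1 = 0.2, 0.8
ALPHA, BETA = 0.01, 0.01
K = 3
UPPER = math.log((1 - BETA) / ALPHA)   # cross upward: tag source as scanner
LOWER = math.log(BETA / (1 - ALPHA))   # cross downward: declare source benign

def bin_is_suspicious(dst_ips, dst_ports, k=K):
    """Many IPs on few ports (horizontal scan) or many ports on few IPs
    (vertical scan) both push the ratio away from 1."""
    ratio = len(dst_ips) / len(dst_ports)
    return ratio >= k or ratio <= 1.0 / k

def sprt_tag(flows):
    """One sequential test per source over its time bins.
    flows: iterable of (time_bin, src, dst, dst_port).
    Returns {src: 'scanner' | 'benign' | 'undecided'}."""
    bins = defaultdict(lambda: defaultdict(lambda: (set(), set())))
    for tbin, src, dst, dport in flows:
        ips, ports = bins[src][tbin]
        ips.add(dst)
        ports.add(dport)
    step_up = math.log(THETA1 / THETA0)              # suspicious bin observed
    step_down = math.log((1 - THETA1) / (1 - THETA0))  # normal bin observed
    verdicts = {}
    for src, per_bin in bins.items():
        llr, verdict = 0.0, "undecided"
        for tbin in sorted(per_bin):
            ips, ports = per_bin[tbin]
            llr += step_up if bin_is_suspicious(ips, ports) else step_down
            if llr >= UPPER:
                verdict = "scanner"
                break
            if llr <= LOWER:
                verdict = "benign"
                break
        verdicts[src] = verdict
    return verdicts

# Constructed sample flows: a horizontal SSH sweep, a normal HTTPS client,
# and a source seen for too few bins to reach either threshold.
FLOWS = ([(t, "10.0.0.9", f"192.0.2.{h}", 22) for t in range(4) for h in (1, 2, 3)]
         + [(t, "10.0.0.5", "198.51.100.7", 443) for t in range(4)]
         + [(t, "10.0.0.6", f"192.0.2.{h}", 22) for t in range(2) for h in (1, 2, 3)])
```

With these parameters each suspicious bin adds ln 4 to the log-likelihood ratio, so a source is tagged after four consecutive suspicious bins and cleared after four consecutive normal ones.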

15 May (Tuesday) at 1615 hrs

Gates 4B (opposite 490)