
DEGREE PROJECT, SECOND CYCLE, 30 CREDITS

STOCKHOLM, SWEDEN 2016

Active Metrology

for Anomaly Detection in Internet Traffic

THOMAS FOUQUERAY

KTH ROYAL INSTITUTE OF TECHNOLOGY


Active Metrology for the Detection of Anomalies in Internet Traffic

THOMAS FOUQUERAY

Stockholm April 2016

Supervisor: Yann Labit, LAAS, Toulouse, France
Examiner: Prof. Rolf Stadler

Laboratory of Communication Networks

School of Electrical Engineering

KTH Royal Institute of Technology

TRITA-EE 2016:028


Abstract

The detection of anomalies occurring in a network is of great importance. Networks need to guarantee performance to their users as well as their security.

The detection of anomalies needs to be done as quickly as possible to provide an appropriate response to the threat (block the traffic of an attack, bring additional servers online to answer a high demand). The thesis answers the question: can the detection of anomalies be done using active monitoring?

Active monitoring is done by sending probe packets on a network to evaluate the state of the traffic. It generates additional traffic on the network. Several metrics can be measured, but not all of them are interesting for the detection of anomalies.

Several detection methods have been developed over the years, falling into several categories. Supervised and semi-supervised algorithms need labeled data, while unsupervised algorithms do not.

The thesis develops a solution using an active tool that measures the available bandwidth of a network and a statistical detection algorithm based on change point detection.

The solution has been tested on a controlled testbed against Denial of Service (DoS) attacks and shows promising results against them, but it hasn't been able to detect network scanning.


Contents

1 Introduction
  1.1 Problem presentation
  1.2 Approach
  1.3 Contribution
  1.4 Outline

2 Background and Related Research
  2.1 Metrology
    2.1.1 Passive monitoring
    2.1.2 Active metrology
  2.2 Network Anomalies
    2.2.1 Types of anomalies
    2.2.2 Anomalies detection
  2.3 Statistical Change Point Detection
    2.3.1 Change Point Model
    2.3.2 Test statistics
  2.4 Summary

3 Objectives and test environment
  3.1 Context and objectives
  3.2 Test environment
    3.2.1 Testbed in LaasNetexp
    3.2.2 Test on real path
  3.3 Summary

4 Active metrology for detection
  4.1 Selection of tools
  4.2 Performance evaluation
    4.2.1 Evaluation of the Pathload tool
    4.2.2 Evaluation of the Assolo tool
    4.2.3 Evaluation of the Yaz tool
  4.3 Summary

5 Detection of anomalies
  5.1 Choice of the change point model
  5.2 Change Point Model
  5.3 Description of the algorithms
    5.3.1 Sequential algorithm
    5.3.2 Sliding window algorithm
    5.3.3 Practical Implementation
  5.4 Summary

6 Validation
  6.1 Test Scenarios
    6.1.1 Generation of Traffic
    6.1.2 Anomaly generation
    6.1.3 Scenarios description
  6.2 Results
    6.2.1 Sequential algorithm
    6.2.2 Sliding window algorithm
  6.3 Computation time
  6.4 Conclusions

7 Conclusion and Discussion
  7.1 Explored tracks and Limitations
  7.2 Future Works
  7.3 Experiences from the project
  7.4 Societal impact of this work


Chapter 1

Introduction

Today's networks keep growing in size, and so does the number of their users. The service providers have to ensure that the performance of their networks is satisfying for all users. The different uses made of the Internet, such as the streaming of content, the sharing of big files and the transport of email, require the networks to have high reliability and guaranteed performance (in terms of bandwidth and reaction time, for example). As a direct consequence of this tremendous increase in usage, the impact of network defects is increasing, and anomalies are becoming more and more frequent.

An anomaly, either malicious like a Denial of Service attack or non-malicious like a flash crowd event, can disrupt an entire network. It can slow down the global network performance or impact specific targeted machines such as servers to shut them down. The detection of an anomaly occurring on a network is of great importance to ensure Quality of Service and the security of data, hardware and users.

Today's methods for detecting anomalies rely mostly on supervised algorithms. Two families of such algorithms exist: signature-based and anomaly detectors. The issue with those algorithms is that they need prior knowledge, which can be difficult to gather. It is difficult and expensive to adapt them permanently to detect new threats or new behaviors on the Internet. The use of alternative methods, called "unsupervised", is a possible solution to this issue.

All detection algorithms need information to work on. To gather information about the network, passive and active monitoring are used. Passive monitoring is done by specific hardware, for very precise measurements, or by installing software to capture traffic on a router, for example. Passive monitoring saves information about the traffic that goes through the hardware. The collected information is then analyzed to detect abnormal behaviors or threats. Active monitoring is done by sending packets to probe the network. The traces of those packets are analyzed, which provides information related to the network performance and behavior. Active tools can give a continuous, real-time vision of the state of the network. Active monitoring generates additional traffic, but the tools are easy to deploy and don't need specific hardware.


One possible approach is to use active probing on the network to detect anomalies. The work in this thesis aims to evaluate the capabilities of such a solution.

1.1 Problem presentation

Quality of Service (QoS) is the capability of a network to ensure performance to its users, for instance response time and bandwidth. Several metrics can evaluate the performance of a network; metrology is the science of measuring those metrics. A network anomaly is a deviation from the normal behavior of the network. An anomaly occurring on a network influences and lowers the QoS of the network. An attack occurring on a network is an anomaly, but attacks are not the only anomalies that can occur: for example, a flash crowd event, which is the result of normal and harmless behaviors, is also an anomaly.

The objective of this thesis is to evaluate the capability to detect anomalies occurring on a network with unsupervised algorithms using data gathered with active metrology. When an anomaly happens, it has an impact on the Internet traffic. If the anomalous traffic goes through a link that is being monitored by active metrology on a correctly chosen metric, the anomaly influences the measurement. The output of the active metrology is given to an appropriately chosen detection algorithm that will be able to detect the anomaly. The detection algorithm should work with a minimum of information, in order to be independent from the network it is working on.

Since active metrology has a direct effect on the network, the gathering of the data needs to be done carefully and the weight of the measurements on the network needs to be evaluated. A controlled testbed is used to evaluate the tools and algorithms first. Testing a solution using active metrology against anomalies on a real path can be dangerous, since both the active metrology and the generation of anomalies can have a great impact on the service quality.

1.2 Approach

The thesis explores a new way of detecting anomalies: gather the data with active metrology, and then treat the data with an unsupervised detection algorithm.

1.3 Contribution

The thesis answers the question: is it possible to use active metrology to perform detection of anomalies occurring on a network? The focus is on the detection of DoS attacks, because they are easy to generate and the modification they induce on the available bandwidth is detectable (contrary to network scans). The thesis presents a solution using statistical detection to detect DoS attacks in generated traffic on a controlled testbed and provides information on the limitations of the detection algorithm.


1.4 Outline

The thesis report is organized as follows. Chapter 2 presents the three main topics of the thesis, network metrology, network anomalies and statistical change detection, and gives definitions and theoretical input about them. The chapter also presents several works related to the themes of the thesis. Chapter 3 describes the global objectives of the work and then presents the testbed that has been implemented for the experimental parts of the thesis. Chapter 4 is about the application of active metrology to detect anomalies in the traffic, and presents the results of the research that has been done on metrics that can be measured by active tools. This chapter gives the results of some experiments that have been conducted on active tools, and presents the tool Yaz, which will be used in the next parts. Once the capacities and the limitations of the tools have been established, Chapter 5 introduces the choice of a method to perform the detection on the output of the active tool. Chapter 6 introduces the scenarios on which the detection algorithm coupled with the active tool has been evaluated and gives the results of the tests. Finally, Chapter 7 concludes the thesis, addresses its limitations, gives insight into tracks that were followed during the thesis but didn't lead to convincing results, and ends with future works that could be done on the subject.


Chapter 2

Background and Related Research

This chapter presents background knowledge on the subjects that will be approached in this report and cites several other papers related to the themes of the thesis. The first part is about measuring the performance of a network. The second part is about the anomalies that can occur in a network. The last part is about statistical change detection in a sequence of variables; it isn't directly related to networking, but will be used in the implementation of a detection algorithm in Chapter 5.

2.1 Metrology

There are two ways of measuring metrics in a network: passively and actively. Both have pros and cons.

2.1.1 Passive monitoring

Passive monitoring captures the traffic that goes through a machine and saves a trace of it. Passive metrology is often performed using specific hardware that needs to be set at a specific point in the network, configured, and maintained. Software solutions like Tcpdump or Wireshark also perform passive metrology. The recorded trace can be of great size and needs a lot of power and time to be analyzed. However, passive methods are very accurate and can give an exact vision of the network state if the traffic can be entirely recorded.

2.1.2 Active metrology

Active metrology consists in sending probe packets on a path of the network and then analyzing the state of the packets once they have traveled through the network. Statistical models are applied during the analysis to evaluate metrics.

Active metrology is done from a machine with specific software. There are two ways of doing active metrology: the sending of the packets and the computation of the information can be done on the same host, or on two different hosts.

There are also two families of active methods: cooperative ones, where the tool runs on both ends of the path, and non-cooperative ones, where the tool runs on only one machine (those methods use for example ICMP packets to get replies from the target). Active metrology has a narrower range of possibilities than passive metrology; for example, it can't gather information about the traffic at the packet level (IP addresses of the packets, protocols used, ...). The main drawback of active metrology is that it generates its own probe packets, which induces an additional load on the network and can also possibly disturb the measurement itself. Attention needs to be given to this point, to limit the traffic of the tool and its influence on the network.

Since active methods get their information from packets that have been specifically sent for the measurement, information about the other packets going through the links can't be gathered. Active methods can get global information about the QoS of the network at a specific moment.

Comparative studies

Several studies present and compare active measurement tools. A selection of such studies is presented below.

In the study [1] from 2005 the authors give a broad insight into the possibilities offered by active metrology. They start by introducing active metrology. The survey then presents metrics that can be monitored with active methods, lists several existing active methods, and gives names of tools applying those methods.

[2] focuses on bandwidth measurement with active methods. It presents active methods for computing the capacity of a link or a path, the available bandwidth of a path, and bulk transfer capacity (the maximum throughput achievable for a protocol using congestion control like TCP).

Several papers have done comparative studies on active measurement tools, especially on tools measuring the bandwidth (capacity and available bandwidth).

[3] and [4] present methods used to compute the capacity and the available bandwidth, and compare the performance of several available tools. The studies are more than ten years old but the tools they study are still in use today.

[5] is a more recent study that did similar work.

The authors of [6] and [7] implement an infrastructure specialized in the evaluation of tools and compare several tools measuring the available bandwidth.

Metrics, methods and tools presentation

The following metrics can be gathered with active methods: the capacity of a path or a link, the TCP throughput, the IP packet loss, the IP packet re-ordering, the round trip time, the one way delay, the jitter, the route and the available bandwidth.


For each metric, a definition, a quick description of the methods used to measure it, and a list of tools that can evaluate its value are given.

a. Capacity:

The capacity of a link is the maximum rate of information that can go through the link, in bits/sec. The capacity of a path is the capacity of the link with the smallest capacity. Two main methods exist to compute the capacity in a network: one for evaluating the link capacity and one for the capacity of a path.

To compute the capacities of links, the method called Variable Packet Size can be used [2]. This method is based on two hypotheses: the serialization delay (the time needed to put each bit of the packet on the link) is proportional to the size of the packet, and if enough packets are sent in a period of time, one of them won't experience queuing delay. The serialization delay D_serial of a packet of size S going through one link of capacity C is linked to this capacity:

D_serial = S / C    (2.1)

By sending several groups of packets, each group with a different size, to a router, the capacity up to that router can be calculated. To try to avoid queuing delay, several packets of the same size are sent and the smallest round trip time is selected. One can refer to [1] for further explanation. Tools like Pathchar [8], Clink [9] or Pchar [10] implement this method. Such tools only need to be running at the sender side.

The Packet Pair Dispersion method [2] allows the end-to-end capacity of a path to be computed. A pair of packets of size S is sent with a delay between the two packets, referred to as Δ_in. After going through one link of capacity C, and if no packet has been inserted between the packets of the pair, the delay between the two packets is:

Δ_out = max(Δ_in, S/C)    (2.2)

If the delay varies between the sending and the receiving, the capacity can be calculated. This formula can be extended to a longer path. Packet trains composed of several packet pairs can also be used to improve the estimation.

Tools like Pathrate [11] or Netest [12] are implementations of the Packet Pair/Train Dispersion method. The tools need to run at both the sender and the receiver side.
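To make the dispersion idea concrete, here is a minimal sketch, not taken from any of the cited tools, that inverts equation (2.2): pairs whose dispersion was widened by the bottleneck give roughly C = S / Δ_out. The function name and the example numbers are hypothetical, and the median is only a crude guard against cross traffic compared to the filtering real tools apply.

# Hypothetical sketch of a Packet Pair Dispersion estimate (equation 2.2):
# when a pair leaves the bottleneck with a dispersion delta_out larger than
# delta_in, the capacity is roughly S / delta_out.
from statistics import median

def capacity_from_packet_pairs(packet_size_bits, delta_in_s, delta_out_s):
    """Estimate the path capacity in bits/sec from packet pair dispersions.

    packet_size_bits -- probe packet size S, in bits
    delta_in_s       -- gap between the two packets at the sender, in seconds
    delta_out_s      -- list of gaps measured at the receiver, in seconds
    """
    widened = [d for d in delta_out_s if d > delta_in_s]
    if not widened:
        return None  # pairs never queued at the bottleneck: no estimate
    return packet_size_bits / median(widened)

# Example: 1500-byte probes sent 10 microseconds apart
gaps = [121e-6, 118e-6, 120e-6, 135e-6, 119e-6]
print(capacity_from_packet_pairs(1500 * 8, 10e-6, gaps))  # ~100 Mbits/sec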

b. TCP throughput:

The TCP throughput, also called Bulk Transfer Capacity (BTC), is the maximum throughput that an application using the TCP protocol, which uses congestion control, can reach. The TCP throughput differs from the available bandwidth. A known tool is Treno [13] (sender side only), which simulates a TCP connection with UDP packets (it uses the TTL field to get answers from the target that play the role of the ACK packets). Iperf [14] can also measure this metric, but it establishes a real TCP connection and needs to run on both sides, sender and receiver.


c. Packet Loss:

The packet loss is the percentage of sent packets that never reach their target and have been lost in the path. Very simply, the method consists in sending a certain number of packets and counting them at the other side of the path. Tools like Iperf [14], Owping [15], and Ping [16] can measure packet loss.

d. Packet re-ordering:

A tool that measures packet re-ordering analyses whether the packets sent arrive at the receiver in the correct order. There are several definitions of packet re-ordering. The tool Owping [15] measures packet re-ordering with UDP packets.

e. Round Trip Time (RTT):

The round trip time is the time needed to go back and forth between two points of the network. The best tool to measure it is the well-known Ping [16]. With only a pair of packets composed of a request packet and a reply packet, it gives the round trip time.

f. One Way Delay (OWD):

The one way delay is the time needed to go from the sender to the receiver. In general it is different from half the round trip time. The time at which the packet is sent is subtracted from the time of arrival. The method requires the cooperation of a sending and a receiving machine. For the measure to make sense, the machines need to have synchronized and very stable clocks, which is hard to achieve. A tool like Owping [15] is made to measure the one way delay.

g. Jitter:

The one way delay variation, also called jitter, is measured by calculating the variation of the one way delay within a stream of packets. Unlike the computation of the one way delay, the jitter doesn't need synchronization of the clocks at the sender and receiver, since it's a relative value. However, clock stability is essential. Iperf [14] measures the jitter and needs to run on the sender and receiver sides.

h. Route:

The route between two endpoints is the list of the routers between the two points, and can be easily obtained. The tool Traceroute [17] can give information about the route: it traces a map of the routers between two points in a network by sending requests with growing Time To Live. More evolved tools like Tracetree exist. Tracetree probes the routes to multiple targets at the same time while optimizing the number of probe packets sent. One can look at [18] for more information about this software. To get the route, a tool only needs to run at the sender side.

i. Available Bandwidth:

The available bandwidth of a link is the part of the capacity of a link that is not utilized. The available bandwidth of a path is the available bandwidth of the link that has the smallest available bandwidth on the path.


The available bandwidth of a path can be evaluated by many tools. There are two main models for computing the available bandwidth: the Probe Gap Model and the Probe Rate Model [1].

The Probe Gap Model sends one or more pairs of packets and checks whether the gap between the two departure times of the packets belonging to the same pair is identical to the gap between the two arrival times. The method links the gap difference to the queuing caused by cross traffic at the bottleneck link. With the gap difference, and knowing the capacity of the path, the model infers the available bandwidth.

The Probe Rate Model relies on the concept of self-induced congestion. A train of packets is sent at a certain rate, and the time distance between the arrival times of consecutive packets is computed. If the sending rate is lower than the available bandwidth, this distance remains the same for the whole train of packets. If the rate is above the available bandwidth, congestion happens and the distance between arrival times increases with each packet, as the packets wait longer and longer at the congestion point. The sending rate is adapted depending on the results of the previous train. This method is accurate, but induces congestion, which can cause disruption and affect the rest of the traffic.

The Probe Gap Model is less interesting, because it has some limitations: the model doesn't apply when the narrow link (smallest capacity) and the tight link (smallest available bandwidth) are two different links, and the model needs to know the capacity of the bottleneck link. Within the Probe Rate Model, two measurement methods exist: the Self Loading Periodic Streams (SLoPS) and the Train of Packet Pairs (TOPP).

The TOPP method sends several pairs of packets of equal size L, each pair being sent at an increasing rate. The two packets of a pair are initially separated by T time units. The rate of arrival at the receiver side is measured. Along the path, the second packet will not be queued behind the first one if the available bandwidth A of the path respects the equation:

A > L/T    (2.3)

If the available bandwidth is smaller, the second packet will be queued and the measured rate at the receiver will be smaller than the initial rate. By detecting the packet pairs for which the measured rate at the receiver begins to differ from the initial rate, an estimation of the available bandwidth can be made. The tool PTR [19] implements this method and needs to run on both sides of the path.

The SLoPS method, introduced in [20], is the most interesting method for the available bandwidth. When applying the SLoPS method, one sends a stream of packets of equal size at a certain rate R. If this rate is greater than the available bandwidth A, the jitter calculated at the receiver side will keep increasing. If the sending rate is lower than the available bandwidth, the jitter will be near zero and stable. Figures 2.1 and 2.2 (taken from [20]) illustrate this phenomenon. By modifying the sending rate, one can estimate the available bandwidth as the rate at which the jitter starts to increase. Tools like Spruce [21], Pathload [22], pathChirp [23], Assolo [24] or Yaz [25] implement this method, and they need to run on both sides of the path.


Figure 2.1: SLoPS: OWD variation when R < A [20].

Figure 2.2: SLoPS: OWD variation when R > A [20].
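To illustrate the self-induced congestion idea, here is a minimal sketch of a SLoPS-style rate search. It is not the algorithm of Pathload or Yaz, which use finer trend statistics and convergence rules; the helper send_stream(rate), returning the one way delays of a probe stream sent at a given rate in Mbits/sec, is assumed to exist.

# Minimal sketch of a SLoPS-style search for the available bandwidth.
# Assumption: a helper send_stream(rate_mbps) exists and returns the list
# of one way delays of a probe stream sent at that rate.

def owd_increasing(delays, fraction=0.6):
    """Crude trend test: True if most consecutive OWD differences are positive."""
    ups = sum(1 for a, b in zip(delays, delays[1:]) if b > a)
    return ups > fraction * max(len(delays) - 1, 1)

def estimate_available_bandwidth(send_stream, low=0.0, high=1000.0, step=10.0):
    """Binary search on the sending rate, in Mbits/sec."""
    while high - low > step:
        rate = (low + high) / 2.0
        if owd_increasing(send_stream(rate)):
            high = rate   # self-induced congestion: rate is above the available bandwidth
        else:
            low = rate    # no congestion: rate is below the available bandwidth
    return (low + high) / 2.0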


After this list of active methods and tools, several network anomalies that can occur on a network are presented.

2.2 Network Anomalies

Network anomalies are the consequences of deviations in the behavior of actors in the network. They can have a serious impact on the QoS of a network.

2.2.1 Types of anomalies

There are two types of anomalies.

Anomalies coming from malicious behaviors are performed voluntarily, to perturb the operation of a network or to gain access to machines without authorization. Malicious anomalies can be performed by a single machine, several machines, or even botnets. Two malicious behaviors are presented here:

a. Denial of Service

Attacks like Denial of Service (DoS) or Distributed DoS (DDoS) consist in flooding a server with requests to prevent it from answering legitimate requests.

b. Network/Ports scanning

Network scanning and port scanning consist respectively in probing IP addresses (randomly chosen or targeted) and port numbers to find running machines and open ports on those machines. Scanning can be used to choose the targets of a DoS attack or to find weaknesses and open doors in a network.

The second type of anomalies is caused by legitimate behaviors, like a flash crowd event: a sudden increase in the number of requests sent to a server, all coming from normal users, can overload the server. This kind of event can happen to platforms that broadcast famous sport events, or to news sites during important events (natural disasters, terrorist attacks, ...).

2.2.2 Anomalies detection

Several methods have been developed to detect anomalies occurring in a network. They can be classified according to different characteristics: the input data (univariate, multivariate), the training phase (supervised methods use training data with both anomalous and normal labels, semi-supervised methods are trained only on normal data, and unsupervised methods don't need labeled data), or the methods they implement.


Here is a quick presentation of several categories of detection methods:

a. Statistical detection

The assumption behind this method is that normal behavior occurs with a high probability and anomalies with a small probability, according to the model chosen to represent the system. A statistical test is applied to evaluate whether a measurement belongs to the model representing the system. Two types of statistical detection exist: parametric, which needs knowledge about the distribution of the data and/or about the anomalies, and non-parametric, which doesn't need to know the distribution. For example, the histogram-based method is part of the non-parametric statistical methods. Mahoney and Chan proposed three solutions, all using statistical detection with a training phase: PHAD in [26], which works at the IP level, ALAD in [27], which works at the application level, and LERAD in [28], which adds learning rules to the previous works.

b. Rule-based detection

Rule-based detection is part of the supervised anomaly detection algorithms and relies on sets of rules. Those rules can be used to define a normal behavior, so that behavior that doesn't fit the set is detected as an anomaly, or they can directly define the anomalies. This method is very efficient for detecting known anomalies; however, it can be quite hard to obtain precise rules. Finally, those methods don't adapt well to new behaviors or new threats on the network, since there can be a long delay between the occurrence of a new anomaly and the creation of new rules to detect it. A well-known tool applying rule-based detection is Snort [29]. The tool uses a set of hundreds of rules about the network traffic, and the rule sets are regularly updated.

c. Spectral analysis

Spectral analysis works on several parameters and makes the assumption that in a sub-space of lower dimension it can be easy to distinguish the normal traffic from the anomalies. Many approaches use Principal Component Analysis (PCA) to find the subspace; the works in [30] and [31] use PCA for the detection of anomalies.

This method can be used in an unsupervised way. However, several metrics must be monitored and the complexity of the computation can be high.

d. Nearest neighbors methods

The assumption for this method is that normal data form dense neighborhoods while anomalies are far away from their neighbors. The method uses a distance metric between two observations. Several distances have been used in different solutions, like the Euclidean distance, or the Hausdorff distance in [32].

The method gives an anomaly score to each observation. The distance to the k-th neighbor can be used as the anomaly score. The relative density around an observation can also be computed.

Those methods can be unsupervised. The computational complexity is high (O(n²)). If the anomalies have dense neighborhoods or the normal instances have low-density neighborhoods, the efficiency of the method decreases greatly.

e. Clustering based detection

The clustering method consists in gathering data into clusters. The detection is made according to three different definitions: an anomaly doesn't belong to any cluster; an anomaly is far away from the center of its nearest cluster; the anomalies belong to low-density clusters. The complexity depends on which clustering algorithm is used. It can be used in an unsupervised manner. However, clustering isn't made for detection, so the efficiency of these methods can vary. The authors of [33] developed an unsupervised tool for detection using clustering.

f. Information-theoretic

The method analyses the set of observations with information-theoretic measures such as the entropy. The anomalies are supposed to induce changes and irregularities in the measures. The complexity of exact methods can be exponential in the size of the data set, but approximate methods with linear complexity have been developed. The detection capabilities of the method depend on the chosen measure. In [34], the solution uses different information-theoretic measures to detect anomalies.

g. Bayesian network

A Bayesian network is an acyclic graph whose nodes represent the variables of a system. The graph represents the probability for a variable to be in a state knowing the states of its parents. This method is part of the supervised methods and needs perfect knowledge of the system to work. Paper [35] performs anomaly detection using Bayesian networks.

h. Neural networks

Neural networks first train on a set of normal data to define the normal classes. When a new entry is given to the network, the entry is accepted and labeled as normal if the network recognizes it; otherwise the entry is labeled as anomalous. The system HIDE presented in [36] was developed in partnership with the US army and uses neural networks.

2.3 Statistical Change Point Detection

Non-parametric statistical methods are interesting for detecting anomalies. They may be a good choice to perform unsupervised detection on one-dimensional data with a low computational cost, contrary to the other methods: rule-based methods and methods based on Bayesian networks or neural networks are supervised; nearest neighbor methods can have a high computational cost; clustering and spectral analysis methods are made to work on multi-dimensional data.

The following section presents a method to detect changes in the distribution of a sequence of data in a non-parametric way, originally developed for statistical process control.


This can be applied to anomaly detection, if the anomaly occurring changes the distribution properties of the metric that is being monitored.

2.3.1 Change Point Model

Statistical process control aims to detect changes in the distribution of a process, for quality control in industrial processes.

[37] proposes a statistical model called the Change Point Model (CPM) for statistical process control. A change point in a sequence of data is a point before which the sequence follows a certain distribution and after which the sequence follows a different distribution. This model is made to detect changes in the mean of a Gaussian distribution. Hawkins gives a solution to the batch problem, which is to find a change point in a sequence of fixed length, and to the sequential problem, which is to find a change point in a stream of data, potentially infinite. In [38], the authors extend the work done by Hawkins in [37] to find changes in location (equivalent to a change in the mean) and in scale (a change in the variance) in a non-parametric way, meaning on any distribution, without knowledge of the distribution or of the potential change. [39] extends the work again to include detection of arbitrary changes in arbitrary distributions.

The next sections describe the way the Change Point Model solves the batch problem and the sequential problem.

Batch problem

The problem considers a sequence of n independent variables X_i. The model aims to answer the question: is there a change point in the sequence?

For each j ∈ [1, n], a two-hypothesis test is applied, the null hypothesis being that no change occurs and the alternative hypothesis being that a change occurs:

H_0: X_i ~ F for all i ∈ [1, n]
H_1: there exists τ ∈ [1, n] such that X_i ~ F_0 for i ≤ τ and X_i ~ F_1 for i > τ    (2.4)

with F_0 ≠ F_1.

A test statistic T_n must be correctly chosen, depending on the parameters of the problem.

For each j ∈ [1, n], the test statistic T_{j,n} is computed and standardized, and the maximum of those computed statistics is kept:

T_{max,n} = max_{j ∈ [1, n]} T_{j,n}    (2.5)

Then T_{max,n} is compared to a threshold h_n. If the statistic is higher, the null hypothesis is rejected and a change point is detected. The point that maximizes T_{j,n} is designated as the change point.


A satisfying false alarm probability α is chosen by the user. The threshold h_n is then chosen to ensure that:

P(T_{max,n} > h_n) = α    (2.6)

However, this means computing the distribution of T_{max,n}, which generally doesn't have an analytic form. Numerical simulation can be used to obtain an estimated value (Monte-Carlo simulations are used in [38]). The simulations to find the values of the thresholds can have a high computational cost, but once the thresholds have been computed, the values can be stored for future use, since they don't depend on the distribution of the data.
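As an illustration of this simulation step, the sketch below estimates a batch threshold h_n by Monte-Carlo for the standardized Mann-Whitney statistic presented in Section 2.3.2. Since that statistic depends only on ranks, null sequences can be simulated by shuffling the ranks 1..n directly. This is only a sketch of the idea, not the exact procedure of [38], and the returned value varies from run to run.

# Sketch of a Monte-Carlo estimation of a batch threshold h_n for the
# standardized Mann-Whitney statistic (rank-based, hence distribution-free).
import random

def simulated_threshold(n, alpha, runs=20000):
    """Estimate h_n such that P(T_max,n > h_n) = alpha under no change."""
    maxima = []
    for _ in range(runs):
        ranks = list(range(1, n + 1))
        random.shuffle(ranks)                # ranks of an i.i.d. sequence
        cum, best = 0, 0.0
        for tau in range(1, n - 1):          # candidate change points
            cum += ranks[tau - 1]            # U' for the first tau observations
            mu = tau * (n + 1) / 2.0
            sigma = (tau * (n - tau) * (n + 1) / 12.0) ** 0.5
            best = max(best, abs((cum - mu) / sigma))
        maxima.append(best)
    maxima.sort()
    return maxima[int((1 - alpha) * runs)]

print(simulated_threshold(10, 0.01))   # estimated threshold for n = 10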

Sequential problem

In the sequential problem, the change point isn't tested on a sequence of finite length, but on a stream of variables, potentially infinite. The change point detection is done each time a new value is received.

Two issues occur when treating a sequential problem:

1. The choice of the thresholds to keep the false alarm probability at the chosen value α.

2. The computational cost, which grows each time an observation is received.

For the threshold, instead of using one value, a sequence of thresholds is computed, and each time a new observation is received, the next value in the sequence is used. The thresholds are computed to verify the relations:

P(T_1 > h_1) = α
P(T_t > h_t | T_{t-1} ≤ h_{t-1}, ..., T_1 ≤ h_1) = α    (2.7)

For the sequential problem, one prefers to talk about the Average Run Length ARL_0, the average number of observations received before a false alarm is raised, rather than α. A relation links the two values: ARL_0 = 1/α.

The computational issue is solved by Ross et al. by using properties of the test statistics that allow an easy calculation of T_t knowing T_{t-1}.
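A minimal sketch of the resulting monitoring loop is given below. The functions statistic (returning the maximum standardized test statistic and the candidate change point over the observations seen so far) and threshold (returning h_t for the chosen ARL_0) are assumed to be supplied by the caller, and the constant-cost update of Ross et al. is not reproduced here.

# Minimal sketch of the sequential change point monitoring loop.
def monitor(stream, statistic, threshold, min_obs=4):
    """Yield (observation index, change position) each time an alarm is raised."""
    history = []
    for i, x in enumerate(stream):
        history.append(x)
        if len(history) < min_obs:
            continue
        t_stat, tau = statistic(history)
        if t_stat > threshold(len(history)):
            yield i, tau                 # alarm raised while reading observation i
            history = history[tau:]      # keep only the post-change observations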

2.3.2 Test statistics

The test statistics presented in [38] are able to find changes in the mean or in the scale of any distribution. A change in scale is defined in [38] as follows: the distribution F_before before the change becomes F_after after the change, with:

F_after(x) = F_before(λx) for all x    (2.8)

where λ > 0 is the scale factor.


The test statistics are:

a. Change in the mean of an arbitrary distribution: the Mann-Whitney statistic

U = Σ_{x_i ∈ S} r(x_i)    (2.9)

b. Change in the scale of an arbitrary distribution: the Mood statistic

M = Σ_{x_i ∈ S} ( r(x_i) - (n + 1)/2 )²    (2.10)

where τ is the position of the observation in the sequence for which the test statistic is computed, n is the size of the entire sequence, S is the sample of observations before the change point, and r(x_i) is the rank of x_i in the entire sequence.

For those two statistics, Ross et al. give a solution to keep the computational cost constant for each round of the sequential problem, by discretizing old observations. The details of this solution are given in [38].

In [39], two test statistics are presented to find arbitrary changes in any distribution, which use the empirical distributions computed before and after the change point:

a. Kolmogorov-Smirnov:

D = sup_x | F̂_B(x) - F̂_A(x) |    (2.11)

b. Cramér-von Mises:

W = Σ_{i=1}^{n} | F̂_B(X_i) - F̂_A(X_i) |²    (2.12)

where X is the sequence of observations of size n, and F̂_B(x) and F̂_A(x) are respectively the empirical distributions before and after the considered observation (observation number τ):

F̂_B(x) = (1/τ) Σ_{i=1}^{τ} I(X_i ≤ x);    F̂_A(x) = (1/(n-τ)) Σ_{i=τ+1}^{n} I(X_i ≤ x)    (2.13)

with I(X_i ≤ x) = 1 if X_i ≤ x, and I(X_i ≤ x) = 0 if X_i > x.

Example:

Here is a quick example to illustrate how the test statistics are used.

The following sequence of data is considered: 3, 5, 4, 2, 1, 12, 13, 14, 9, 10.

The question is: does the mean vary in the sequence? A batch problem needs to be solved, and the Mann-Whitney test statistic will be used. The ranks of the data are computed as well as the cumulative sums of the ranks U', as illustrated in Table 2.1.


Position i    1   2   3   4   5   6   7   8   9   10
Data          3   5   4   2   1   12  13  14  9   10
Rank          3   5   4   2   1   8   9   10  6   7
U'            3   8   12  14  15  23  32  42  48  55

Table 2.1: Computation of U'.

Position τ    2      3      4      5      6      7      8
μ_U'          11     16.5   22     27.5   33     38.5   44
σ²_U'         14.67  19.25  22     22.92  22     19.25  14.67
U             0.78   1.02   1.70   2.61   2.13   1.48   0.52

Table 2.2: Computation of U.

The distribution of the Mann-Whitney test statistic under the null hypothesis is known, as well as its mean and variance.

The mean value is:

μ_{U'} = n_S (n + 1)/2    (2.14)

and the standard deviation is:

σ_{U'} = √( n_S n_T (n + 1)/12 )    (2.15)

They are used to standardize the test statistic value:

U = | (U' - μ_{U'}) / σ_{U'} |    (2.16)

(n_S is the size of the sample before the change, n_T the size of the sample after the change). The maximum of the computed values is then compared to a threshold. The computation of U for each observation is illustrated in Table 2.2. The values for observations number 1, 9 and 10 are not shown (if one of the samples is empty or contains only one value, the change point question doesn't make much sense).

The highest value of the computed statistics is obtained for observation number 5: U = 2.6111648 (the values in the table are rounded to fit on the page). Now, if α is set to α = 0.001, the threshold is h = 2.611165: the maximum test statistic is below the threshold, and no change is detected. However, if α is set to α = 0.01, then h = 2.558409 and the maximum value of the test statistic is higher than the threshold, so the test detects a change point and points out observation number 5 as the change point.
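The example can be reproduced with a few lines of code. The sketch below computes the standardized Mann-Whitney statistic (equations 2.9 and 2.14-2.16) for the splits of Table 2.2 and returns the maximum together with the candidate change point; the thresholds themselves are not recomputed here.

# Sketch reproducing the worked example: standardized Mann-Whitney statistic
# for each split of Table 2.2, compared to the thresholds quoted in the text.
from math import sqrt

def ranks_of(values):
    """Rank of each value in the sequence (1 = smallest; ties not handled)."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0] * len(values)
    for r, i in enumerate(order, start=1):
        ranks[i] = r
    return ranks

def mann_whitney_change_point(values):
    """Return (max standardized U, candidate change point tau)."""
    n = len(values)
    r = ranks_of(values)
    best_u, best_tau = 0.0, None
    cum = r[0]
    for tau in range(2, n - 1):          # splits of Table 2.2 (tau = 2..8)
        cum += r[tau - 1]                # U' = sum of ranks before the split
        mu = tau * (n + 1) / 2.0
        sigma = sqrt(tau * (n - tau) * (n + 1) / 12.0)
        u = abs((cum - mu) / sigma)
        if u > best_u:
            best_u, best_tau = u, tau
    return best_u, best_tau

data = [3, 5, 4, 2, 1, 12, 13, 14, 9, 10]
u_max, tau = mann_whitney_change_point(data)
print(round(u_max, 4), tau)        # 2.6112 5, as in the example
print(u_max > 2.558409)            # True: change detected with alpha = 0.01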

The change point model presented here and its improvements give the pos- sibility to detect change in a flow of data. The model can be applied with several test statistics, and some non-parametric tests have been presented. The differ- ent test statistic can detect different change in the distribution of data. This model can be applied to anomaly detection on a one dimensional metric, if the anomaly modifies the distribution of the metric.


2.4 Summary

This chapter has introduced the main themes of this thesis, active metrology and anomaly detection. Several metrics that can be actively measured, and the tools that can measure them, have been presented. Different anomaly detection methods have also been introduced, and a particular statistical detection method, the change point model, has been detailed.

The next chapter will present the objectives of the thesis and the assumptions made. It will introduce the next parts and present the test environments used in the thesis.


Chapter 3

Objectives and test environment

3.1 Context and objectives

Many detection algorithms have been developed over the years. Most of them rely on supervised methods, which need precise knowledge about the characteristics of the anomalies and of the traffic on the Internet to build efficient models. Obtaining those models, and for example a database of anomaly signatures, requires a lot of work, and once the database is ready it is quite hard to keep it up to date with the evolution of the traffic: either new anomalies appear and can't be detected, or new ways of using the Internet are developed and deeply modify the traffic (for example the explosion of streaming in the last few years). This is why unsupervised methods seem very interesting for future evolution in the domain. A detection solution also requires precise data on the traffic; this data is hard to get, takes a lot of space to store, and takes a long time to process.

The objective of this thesis is to develop a solution for the detection of anomalies in Internet traffic, using active metrology to gather the data and then treat the data with an unsupervised detection algorithm. Figure 3.1 shows the two themes of the thesis, active metrology and detection algorithm, and the questions the thesis aims to answer.

During the first part, the active metrology part, a study is first conducted to answer the questions: which metrics are measurable? Which methods exist to measure them? What tools are available? Then comes the following question: which ones can be useful to detect anomalies? The tools that seem the most relevant and interesting in terms of accuracy and measurement rate are tested further. Finally one tool, Yaz, is kept, and further evaluations of its performance are made.

Figure 3.1: Problem Presentation.

At this point, the data that can be gathered with an active probing tool is known. The form of the output and the modifications that the anomalies induce on this output lead to the choice of the detection algorithm. Statistical change detection seems a good candidate, because it allows a change to be detected in sequences of data points. Non-parametric statistics allow unsupervised detection, and they can be easy to compute. A detection algorithm is implemented to work on the data gathered by the active tool. The data is gathered during experiments done on a testbed while anomalies are introduced. The efficiency of the different algorithms is evaluated on two metrics: the detection rate (DR), the ratio of the number of attacks detected to the total number of attacks launched, and the false alarm rate (FAR), the ratio of false alarms raised to the total number of alarms raised (false and justified alarms).
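As a reference for the result chapters, here is a minimal sketch of the two evaluation metrics; the counts used in the example call are hypothetical.

# Minimal sketch of the two evaluation metrics (the counts are hypothetical).
def detection_rate(attacks_detected, attacks_launched):
    """DR: detected attacks over all attacks launched."""
    return attacks_detected / attacks_launched

def false_alarm_rate(false_alarms, alarms_raised):
    """FAR: false alarms over all alarms raised (false and justified)."""
    return false_alarms / alarms_raised

print(detection_rate(8, 10), false_alarm_rate(3, 11))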

The anomaly detection will be limited to DoS attacks: network scanning doesn't generate enough traffic, and flash crowd events are quite hard to simulate. Several assumptions are set to frame our research.

Assumption 1 is that the probe packets and the anomalies travel in the same direction on at least one link. During the experiments, the two traffics, that of the anomaly and that of the active tool, will interact inside at least one link while going in the same direction.

Assumption 2 is that the network is over-provisioned. The traffic is kept under 50% of the total capacity of the link, to avoid affecting legitimate traffic too much with the probing traffic, or even clogging the link for a long time.

Assumption 3 concerns the distribution of the traffic. The statistical parameters of the traffic vary slowly over time; anomalies can induce sudden changes in those parameters.

All the tests described in this thesis have been done on two testbed configurations. The two test environments used are presented next.

3.2 Test environment

3.2.1 Testbed in LaasNetexp

The first testbed used is implemented in a fully controlled environment. The laboratory LAAS (Laboratoire d'analyse et d'architecture des systèmes - Laboratory for Analysis and Architecture of Systems), in which this thesis has been conducted, possesses a platform composed of several machines (almost forty) that allows networks to be simulated on operational machines. A representation of the platform is given in Figure 3.2 and a description of this platform can be found in [40].

Figure 3.2: Representation of the platform LaasNetexp.

The machines on the platform have the following configuration: an Intel(R) Xeon(R) 3050 processor at 2.13 GHz and 2 GB of DDR2 RAM. They also have 4 network interfaces, and those interfaces can be linked through virtual networks to simulate a real network. The links between the machines have a capacity of 1 Gbits/sec.

The testbed used for the experiments in this thesis is composed of seven machines. This test network is represented in Figure 3.3: seven computers linked to one another through six virtual networks. Depending on the experiment that is performed, the role of a computer can vary: sender or receiver of a probing tool, generator of cross traffic or of anomalies, or simply a router.

No traffic goes naturally through this testbed; all the traffic has been generated through different configurations. This controlled testbed has been used for the evaluation of the active methods (in Chapter 4) and in the evaluation of the detection solution proposed in Chapter 5.


Figure 3.3: Testbed in LaasNetexp.

Figure 3.4: Route between Toulouse and Mont-de-Marsan.

3.2.2 Test on real path

Experiments on a real path have also been conducted. Those experiments were set up on the Renater network. This network links more than a thousand educational and research institutions and provides connectivity to the GÉANT network. The website of Renater [41] provides more information about the network.

The tests on Renater have been conducted between two machines, one in the laboratory LAAS, in Toulouse, and one at the University of Mont-de-Marsan, linked to Pau (around 200 km from Toulouse). The narrow link (the link with the smallest capacity) of the path between Toulouse and Mont-de-Marsan is situated on the Mont-de-Marsan side and has a capacity of 50 Mbits/sec.

A traceroute between the machine in Toulouse and the one in Mont-de-Marsan gives the representation of the route in Figure 3.4. The machine at Mont-de-Marsan is behind a NAT, so from the Toulouse perspective the routers before it appear with the IP address of the machine.

Real traffic from real users goes through this network as well, and the traffic from the tests interacts with it. The experiments on a real path must be prepared with attention to avoid affecting other users of the path. Another issue is that the path isn't entirely known, and the routers of the path can't be controlled. When a problem occurs during an experiment, it can be quite hard to find where it comes from.

This path has been used for experiments during the testing of tools, described in Section 4.2.


3.3 Summary

The objective of our work is to explore the possibility of using active metrology for detecting anomalies occurring on a network. This thesis explores the opportunities to link active metrology with anomaly detection. The first part concerns the active metrology, in which a study of the capacity of existing probing methods to detect anomalies is conducted. The second part concerns the choice of a detection approach; this choice depends on the output of the first part. Two testbeds are used to perform the experiments.

The next chapter describes the research done to find active metrology methods and tools adapted to anomaly detection.


Chapter 4

Active metrology for detection

In this chapter the different methods and tools described in Section 2.1.2 are evaluated for their effectiveness in detecting anomalies. Active tools have not previously been used for the detection of anomalies, so at first the selection is made according to the results presented in the different papers that compare active tools (see Section 2.1.2), and then specific tools are evaluated on the testbed.

4.1 Selection of tools

This section first describes the metrics that can be helpful in the scope of detecting anomalies like DoS attacks, network scanning or flash crowd events.

The capacity of a link isn't modified by any of the anomalies mentioned above. The value of the measurement could be disrupted by an anomaly, but it seems very difficult to predict what changes could occur that would make the detection of the anomaly possible.

The route that packets take between two endpoints isn't changed if an anomaly occurs in the network. This metric isn't useful for detection.

The TCP throughput is very dependent on the path (for example the priority rules applied along the path) and is very specific, since it applies to only one protocol. It also takes time to compute. This metric doesn't seem interesting either in our case.

Packet losses and packet re-ordering could happen if the path were totally flooded, but the assumption of an over-provisioned path makes the probability of those events very low. Loss of packets or re-ordering are not likely to happen, and those metrics will not help.

Again, the assumption of an over-provisioned network means that the RTT, the OWD and the jitter are little influenced by the anomalies considered.

The available bandwidth is our final candidate. In the case of DoS attacks, the number of packets going through the network increases a lot during a short period of time. This has an effect on the available bandwidth, and a tool measuring the available bandwidth might be able to detect this drop quickly enough. In the case of a flash crowd event, the available bandwidth will also be impacted; however, such an event is complicated to simulate and, moreover, hard to differentiate from a DoS attack using only the variation of the available bandwidth.

An anomaly like network scanning doesn't generate enough traffic to have an impact on the measurement of this metric.

Tool    Parameters                                              Protocol   Mean rate (Mbits/sec)
Iperf   Rate = 200 Mbits/sec                                    UDP        203
D-ITG   Exponential distribution for inter-departure times,     UDP        294
        mean rate 150000 pkts/sec; exponential distribution
        for packet sizes, mean size 1000 Bytes

Table 4.1: Cross traffic parameters.

As a conclusion, the focus is now on the available bandwidth metric, because it is directly impacted by anomalies like DoS attacks. A few tools among the ones that measure the available bandwidth have been selected according to their evaluation in research papers like [3], [4] or [5]. However, there is no global and general evaluation of the tools: most of them have been tested in fully controlled environments, and the test environments differ from one study to another. The results in those papers should be taken with precaution, which is why further evaluations will be conducted. The selected tools are Assolo, which is described as a good tool in [5], Pathload, which is supposed to be quite accurate [5], and Yaz, which is presented as an improved Pathload [25].

4.2 Performance evaluation

The evaluation of the tools is conducted on the testbeds presented in Section 3.2. As a reminder: the links in the LaasNetexp testbed have a capacity of 1 Gbits/sec.

Two tools have been used to generate cross traffic on the LaasNetexp testbed during the experiments. The first one is Iperf [14], which is used to generate constant UDP traffic at a fixed rate between two end points. The second tool is D-ITG [42]. This tool allows varying UDP or TCP traffic to be generated. The tool takes as parameters a distribution for the inter-departure time between the packets and a distribution for the size of the packets. Here, only the exponential distribution has been used for both the inter-departure time and the size of the packets. Table 4.1 gives a summary of the cross traffics used.

Note: the measured mean rate of the cross traffic generated by D-ITG doesn't always correspond to the selected rate (the computer on which the tool is running might have trouble keeping up with the requested rate).


Figure 4.1: Testbed for Pathload evaluation.

4.2.1 Evaluation of the Pathload tool

Tool description

Pathload was introduced in 2002 in [20]. The current version of the tool is 1.3.2. It uses the SLoPS method (Section 2.1.2) to give an interval estimation of the available bandwidth, meaning it gives an upper bound and a lower bound between which the available bandwidth is supposed to be. The tool tries to give an interval as small as possible.

Evaluation testbed

The evaluation is performed on the LaasNetexp testbed under the configuration represented in Figure 4.1.

The probing tool and the traffic generator each need to run on a sending machine and a receiving machine. To avoid reducing the performance of one machine, the tools run on separate machines. The Pathload sender is launched on computer 7 and the receiver on computer 2. Cross traffic is generated between computer 4 and computer 1. The probe packets interact with the cross traffic on the link between computers 3 and 2.

Scenario

Experiment 1: no traffic is generated.

Experiment 2: Pathload is confronted with the cross traffic generated by Iperf.

Experiment 3: Pathload is confronted with the cross traffic generated by D-ITG.


Results

Here is the output after launching Pathload against the different traffics:

Experiment 1:

Available bandwidth range : 1000.00 - 1090.91 (Mbps)
Measurement latency is 2.42 sec

Experiment 2:

Available bandwidth range : 750.00 - 800.00 (Mbps)
Measurement latency is 3.03 sec

Experiment 3:

Available bandwidth range : 705.88 - 800.00 (Mbps)
Measurement latency is 6.66 sec

The first line of the output gives the interval estimation for the available bandwidth. The second line gives the duration of the measurement, from the start of the tool to the computation of the estimation.

The first thing to notice is that the tool gives only one measurement before stopping. This is an issue because monitoring needs to be done in real time; having to restart the tool multiple times is a big drawback.

The measurement also takes quite some time to compute. Without cross traffic it takes almost 2.5 seconds. With cross traffic, the measurement time keeps increasing, and with varying cross traffic it is above 6 seconds. This is problematic because a higher measurement rate would be needed (if possible) to be able to spot anomalies that last only a few seconds.

Finally, the tool only gives an interval for the available bandwidth, and the accuracy of this interval is too low: almost a 100 Mbits/sec window for the varying cross traffic.

To conclude, Pathload is not a good candidate for this project.

4.2.2 Evaluation of the Assolo tool

Tool description

Assolo was introduced in 2009 in [43]. The tool also implements the SLoPS method. For each measurement, Assolo gives a single estimated value and not an interval like Pathload.

Evaluation testbed

Assolo is evaluated on the same testbed as Pathload, see Figure 4.1.

Scenario

Experiment 1: no traffic, duration 20 sec.


Figure 4.2: Assolo output with no cross traffic (y axis: output in Mbits/sec, x axis: time in sec).

Experiment 2: Assolo is confronted with the cross traffic generated by Iperf, duration 20 sec.

Results

Experiment 1: Figure 4.2 gives the output of Assolo as a function of time when there is no other traffic in the network. The X axis is the time in seconds and the Y axis is the available bandwidth estimated by Assolo in Mbits/sec; a point represents the estimation computed by Assolo at a given time. It can be noticed that the tool has a starting phase that lasts almost 8 seconds, during which the estimated value regularly drops below the expected one.

Experiment 2: Figure 4.3 gives the output of Assolo, with the same axes, when Iperf is generating traffic at 200 Mbits/sec. A starting phase can also be observed in this figure.

We observe that Assolo has a high measurement rate, unlike Pathload.

However, the tool has some issues. The first one is that the output takes some time to stabilize, which is problematic for real time detection.

Figure 4.3: Assolo output with traffic generated at 200 Mbits/sec by Iperf (y axis: output in Mbits/sec, x axis: time in sec).

The main issue with Assolo is that the output doesn't correspond to the expected value: without any traffic, the estimated values are often above the maximum capacity of the links, and with traffic generated by Iperf, the estimates are even higher, when they should be lower (around 800 Mbits/sec). The bandwidth of the testbed might be too high for the tool. The evaluation against varying traffic hasn't been done.

To conclude, Assolo doesn't fit our requirements either, because it has a long starting phase (almost 8 seconds) and the estimates it gives don't seem to correspond to the actual available bandwidth.

4.2.3 Evaluation of the Yaz tool

Tool description

Yaz was developed by J. Sommers, who described it in [25] in 2006. Yaz also implements the SLoPS method.

Yaz is the most promising tool among the tested ones. The testbed and the test scenarios are different from the ones used for testing Assolo and Pathload.

The objectives of the evaluation of Yaz are to evaluate its accuracy and to set the values of its parameters. The evaluation on the real path highlighted one of the issues of using a tool like Yaz: the additional load that the generated probe packets put on the network.


Figure 4.4: Testbed for Yaz evaluation.

Accuracy evaluation

The objective is to evaluate the accuracy of Yaz when the cross traffic occupies from 0% to 100% of the network bandwidth, by computing the relative estimation error of Yaz.

Testbed: To evaluate the accuracy of Yaz, the testbed in LaasNetexp represented in Figure 4.4 was used.

The Yaz sender is computer 7 and the receiver is computer 2. The traffic generated by Iperf streams from computer 5 to computer 1. A monitoring tool called bwm-ng [44] is launched on computer 4 to monitor the traffic going through the machine. This allows us to have an accurate value for the utilized bandwidth against which the output of Yaz will be evaluated.

Scenario: Iperf generates traffic with a varying rate. Every 20 seconds, the rate parameter of Iperf is increased by 50 Mbits/sec, starting from 0 and ending at 1000 Mbits/sec.
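As an illustration, the stepped Iperf load could be scripted as below. This is only a sketch assuming Iperf version 2 in UDP mode, where -b sets the target rate and -t the duration in seconds; the destination address is a placeholder and this is not necessarily the exact script used in the experiments.

    import subprocess
    import time

    DEST = "10.0.0.1"      # placeholder address of the receiving machine (computer 1)
    STEP_MBPS = 50         # rate increase per step
    STEP_DURATION = 20     # seconds per step

    # Ramp the offered load from 0 to 1000 Mbits/sec in 50 Mbits/sec steps,
    # holding each rate for 20 seconds (rate 0 is simply a 20 second pause).
    for rate in range(0, 1001, STEP_MBPS):
        if rate == 0:
            time.sleep(STEP_DURATION)
        else:
            subprocess.run(["iperf", "-c", DEST, "-u",
                            "-b", f"{rate}M", "-t", str(STEP_DURATION)])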

Figure 4.5 shows the output from the measurements on computer 4. The Y axis is the rate monitored by the tool bwm-ng in Mbits/sec and the X axis is the time in seconds. A point is the rate in Mbits/sec at which the traffic goes through the interface monitored by bwm-ng at a time t.

Results: Figure 4.6 gives the output of Yaz during the experiment. The Y axis is the output of Yaz in Mbits/sec and the X axis is the time in seconds. A point is the Yaz evaluation of the available bandwidth at a time t.

The relative error of Yaz is computed as follows. The output of bwm-ng gives the utilized bandwidth; however, it is the available bandwidth that is needed. To obtain the expected value of the available bandwidth, the maximum value that Iperf can reach is taken as the maximum achievable rate on the path.

Here the maximum value computed is B_max = 987.001 Mbits/sec. Then the available bandwidth at a time t is:

A_t = B_max - B_t    (4.1)

where B_t is the utilized bandwidth at the time t.


Figure 4.5: Profile measured with bwm-ng of the traffic generated by Iperf.


Figure 4.6: Yaz output with traffic generated by Iperf with different rates.


Time interval (sec)    A_est (Mbits/sec)
[0, 20.5]              987
[20.5, 40.5]           935
[40.5, 60.5]           883
[60.5, 81]             831
[81, 101]              777
[101, 121]             728
[121, 141.5]           675
[141.5, 161.5]         619
[161.5, 181.5]         568
[181.5, 202]           520
[202, 222]             459
[222, 242]             409
[242, 262.5]           348
[262.5, 282.5]         297
[282.5, 303]           245
[303, 323]             193
[323, 343.5]           139
[343.5, 364]           90
[364, 384]             37
[384, 400]             0

Table 4.2: Average estimated available bandwidth A_est in Mbits/sec for each time interval.


One issue is that the times at which Yaz makes a measurement do not correspond to the times at which bwm-ng probes the network interface. To avoid this issue, the mean value of the bwm-ng output is taken over the time during which the Iperf sending rate stays the same. The measurements made at the transition points, corresponding to changes in the Iperf sending rate, are neglected.

For example, let us consider the time during which the Iperf rate is set at 50 Mbits/sec. The corresponding interval of time is between 20 seconds and 40 seconds. The mean value of the output of bwm-ng between 20 seconds and 40 seconds is B_50 = 51.61 Mbits/sec. The estimated available bandwidth for this time interval is then A_50 = B_max - B_50 = 935.4 Mbits/sec.
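The per-interval computation of the expected available bandwidth can be summarised in a few lines of Python. The sketch below assumes that the bwm-ng output has already been collected as (time, rate) pairs in Mbits/sec; the function and variable names are illustrative.

    B_MAX = 987.001  # maximum rate reached by Iperf, in Mbits/sec

    def expected_available_bw(samples, start, end):
        """Average the utilized bandwidth over [start, end] and apply Equation 4.1.

        samples is a list of (time_sec, rate_mbps) pairs from bwm-ng.
        """
        rates = [rate for (t, rate) in samples if start <= t <= end]
        if not rates:
            return None
        return B_MAX - sum(rates) / len(rates)

    # Example: the interval during which Iperf sends at 50 Mbits/sec.
    # With a mean bwm-ng output of 51.61 Mbits/sec this gives about 935.4 Mbits/sec.
    # a_50 = expected_available_bw(samples, 20.5, 40.5)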

Table 4.2 gives the average estimated available bandwidth and the interval of time in seconds during which this value is valid.

For example, if Yaz makes a measurement 218 seconds after the beginning of the experiment, the expected value for the available bandwidth is 459 Mbits/sec.

The absolute relative error E_R of a measurement made by Yaz at a time t is:

E_R(t) = |A_Yaz(t) - A_est(t)| / A_est(t)    (4.2)

where A_Yaz(t) is the estimate given by Yaz at the time t and A_est(t) is the expected value for the available bandwidth at the time t (see Table 4.2).
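Combined with Table 4.2, the relative error of each Yaz sample reduces to an interval lookup. A minimal Python sketch follows; the names are illustrative and only the first rows of the table are written out.

    # Table 4.2 as (start_sec, end_sec, expected available bandwidth in Mbits/sec).
    EXPECTED = [
        (0.0, 20.5, 987), (20.5, 40.5, 935), (40.5, 60.5, 883),
        (60.5, 81.0, 831), (81.0, 101.0, 777),
        # ... remaining intervals of Table 4.2
    ]

    def relative_error(t, a_yaz):
        """Absolute relative error of a Yaz estimate taken at time t (Equation 4.2)."""
        for start, end, a_est in EXPECTED:
            if start <= t <= end:
                return abs(a_yaz - a_est) / a_est
        return None  # t falls outside the tabulated intervals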

A point in Figure 4.7 represents the relative error of Yaz in percentage as a function of the bandwidth used by the generated traffic (in percentage of the total capacity of the link). Several points correspond to the same percentage of usage because a mean value of the estimated available bandwidth is taken for each interval of time during which the input parameter of Iperf does not change.

The relative error stays below 5% for almost all the measurements, which is a good result: the more accurate and sensitive the probing tool is, the easier the detection will be.

Figure 4.7: Relative error of Yaz.

Figure 4.6 shows that when the rate of the cross traffic increases, the number of measurements that Yaz is able to compute per second decreases drastically. However, under the assumption of an over-provisioned network, the measurement rate should stay high.

Finally, it is important to note that this experiment was made with fairly stable traffic; when the tool is confronted with real traffic, which varies much more over time, it might react differently.

Setting the parameters of Yaz

The values of several parameters of Yaz can be set when launching the tool. The choice of the values for two of these parameters, the size of the probe packets and the inter-stream spacing, is presented below.

a. The size of the probe packets can be adjusted. Experimentally, it has an influence on the maximum bandwidth that Yaz can evaluate and on the variance of the evaluation. For probe packets with a size above 5000 Bytes, Yaz can evaluate bandwidths above 1 Gbit/sec. Figure 4.8 shows the results of Yaz probing the network without traffic for 30 seconds with a probe packet size of 5500 Bytes. The standard deviation of the output is above 142 Mbits/sec.

Figure 4.9 shows the output during the same experiment, but with the size of the probe packets set to 6000 Bytes. A point in Figures 4.8 and 4.9 represents the value of the measurement made by Yaz at a time t. The output of Yaz with probe packets of 6000 Bytes is much more stable, with a standard deviation of around 8 Mbits/sec.

Therefore, the value of the probe size has been set to 6000 Bytes for the experiments on the LaasNetexp testbed.


Figure 4.8: Yaz output with probe size set at 5500 Bytes.

Figure 4.9: Yaz output with probe size set at 6000 Bytes.
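The comparison between the two probe sizes comes down to the sample standard deviation of the logged Yaz estimates shown in Figures 4.8 and 4.9. A small sketch of that computation is given below, assuming the estimates are stored one value per line in plain text files; the file names are illustrative.

    from statistics import mean, stdev

    def summarize(path):
        """Mean and standard deviation (Mbits/sec) of a file of Yaz estimates."""
        with open(path) as f:
            values = [float(line) for line in f if line.strip()]
        return mean(values), stdev(values)

    for probe_size, log in [(5500, "yaz_5500B.log"), (6000, "yaz_6000B.log")]:
        m, s = summarize(log)
        print(f"probe size {probe_size} B: "
              f"mean {m:.1f} Mbits/sec, stdev {s:.1f} Mbits/sec")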

b. During a single measurement, Yaz sends several streams of packets. The time the tool waits between sending two streams is adjusted by the inter-stream spacing parameter. This parameter also adjusts the time Yaz waits between two rounds of measurement, and it therefore has a direct impact on the number of measurements per second that Yaz is able to perform.

This parameter is set as a compromise between the load that Yaz puts on the network and the number of measurements per second that the tool can make.

The average load that Yaz puts on the network and the number of measurements per second made by Yaz were measured for two different values of the inter-stream spacing. For an inter-stream spacing of 50 ms, Yaz makes on average 1.4 measurements per second, with an average load of 9.5 Mbits/sec. With the inter-stream spacing set at 20 ms, the tool makes 2.7 measurements per second for an average load of 19 Mbits/sec. Compared to the capacity of the links, this is around 2% of the maximum bandwidth. This remains acceptable, and the inter-stream spacing is set at 20 ms to provide more data to the detection algorithm.
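The probe overhead quoted above can be checked with a short computation against the 1 Gbit/sec link capacity, using only the numbers reported in this section.

    LINK_CAPACITY = 1000.0  # Mbits/sec

    # (inter-stream spacing in ms, measurements per second, average probe load in Mbits/sec)
    SETTINGS = [(50, 1.4, 9.5), (20, 2.7, 19.0)]

    for spacing_ms, meas_per_sec, load in SETTINGS:
        overhead = 100 * load / LINK_CAPACITY
        print(f"{spacing_ms} ms spacing: {meas_per_sec} measurements/sec, "
              f"{load} Mbits/sec probe load ({overhead:.1f}% of capacity)")

    # The 19 Mbits/sec load corresponds to 1.9% of the capacity, i.e. the
    # "around 2%" mentioned above.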
