On the combined use of sketches and CUSUM for Anomaly Detection

Anomaly-based Intrusion Detection is a key research topic in network security due to its ability to face unknown attacks and new security threats. Moreover, new solutions should cope with scalability issues derived from the growth of the Internet traffic. To this aim random aggregation through the use of sketches represents a powerful prefiltering stage that can be applied to backbone data traffic with a performance improvement wrt traditional static aggregations at subnet level. In the paper we apply the CUSUM algorithm at the bucket level to reveal the presence of anomalies in the current data and, in order to improve the detection rate, we correlate the data corresponding to traffic flows aggregation based on different fields of the network and transport level headers. As a side effect, the correlation procedure gives some hints on the typology of the intrusions since different attacks determine the variability of the statistics associated to specific header fields. The performance analysis, presented in this paper, demonstrates the effectiveness of the proposed approach, confirming the goodness of CUSUM as a change-point detection algorithm.