ETH Zuerich - Homepage
Computer Engineering and Networks Laboratory (TIK)
 

Publication Details for Inproceedings "Flow-Level Anomaly Detection - Blessing or Curse?"

 


 

Authors: Daniela Brauckhoff, Martin May, Bernhard Plattner
Group: Communication Systems
Type: Inproceedings
Title: Flow-Level Anomaly Detection - Blessing or Curse?
Year: 2007
Month: May
Pub-Key: BMP2007
Publisher: IEEE INFOCOM 2007, Student Workshop
Abstract: Is flow-level anomaly detection a blessing due to excellent detection rates or is it a curse due to high false positive rates? To this end, we cannot answer this question for mainly two reasons: First, we still do not understand the flow-level characteristics and frequency of benign and malicious anomalies in full detail. And second, we have no means for assessing the power, in terms of false positives and negatives, of flow-level anomaly detection. With our work, we aim at coming a bit closer to an answer. We base our work on a comprehensive three-year data set of unsampled NetFlow records from a medium-sized Swiss backbone network. From this data set, we extract flow-level characteristics of prevalent types of anomalies. Having this anomaly database, we develop a methodology for injecting realistic and versatile anomalies in given background traffic. The result of our work is a tool for challenging and training flow-level anomaly detection systems.
Location: Anchorage, Alaska, USA