{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T04:30:11Z","timestamp":1750307411196,"version":"3.41.0"},"reference-count":35,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2010,6,22]],"date-time":"2010-06-22T00:00:00Z","timestamp":1277164800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["SIGCOMM Comput. Commun. Rev."],"published-print":{"date-parts":[[2010,6,22]]},"abstract":"<jats:p>Real-time Anomaly Detection Systems (ADSs) use packet sampling to realize traffic analysis at wire speeds. While recent studies have shown that a considerable loss of anomaly detection accuracy is incurred due to sampling, solutions to mitigate this loss are largely unexplored. In this paper, we propose a Progressive Security-Aware Packet Sampling (PSAS) algorithm which enables a real-time inline anomaly detector to achieve higher accuracy by sampling larger volumes of malicious traffic than random sampling, while adhering to a given sampling budget. High malicious sampling rates are achieved by deploying inline ADSs progressively on a packet's path. Each ADS encodes a binary score (malicious or benign) of a sampled packet into the packet before forwarding it to the next hop node. The next hop node then samples packets marked as malicious with a higher probability. We analytically prove that under certain realistic conditions, irrespective of the intrusion detection algorithm used to formulate the packet score, PSAS always provides higher malicious packet sampling rates. To empirically evaluate the proposed PSAS algorithm, we simultaneously collect an Internet traffic dataset containing DoS and portscan attacks at three different deployment points in our university's network. Experimental results using four existing anomaly detectors show that PSAS, while having no extra communication overhead and extremely low complexity, allows these detectors to achieve significantly higher accuracies than those operating on random packet samples.<\/jats:p>","DOI":"10.1145\/1823844.1823846","type":"journal-article","created":{"date-parts":[[2010,6,29]],"date-time":"2010-06-29T13:02:22Z","timestamp":1277816542000},"page":"4-16","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":18,"title":["On mitigating sampling-induced accuracy loss in traffic anomaly detection systems"],"prefix":"10.1145","volume":"40","author":[{"given":"Sardar","family":"Ali","sequence":"first","affiliation":[{"name":"National University of Sciences &amp; Technology (NUST), Islamabad, Pakistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Irfan Ul","family":"Haq","sequence":"additional","affiliation":[{"name":"National University of Sciences &amp; Technology (NUST), Islamabad, Pakistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Sajjad","family":"Rizvi","sequence":"additional","affiliation":[{"name":"National University of Sciences &amp; Technology (NUST), Islamabad, Pakistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Naurin","family":"Rasheed","sequence":"additional","affiliation":[{"name":"National University of Sciences &amp; Technology (NUST), Islamabad, Pakistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Unum","family":"Sarfraz","sequence":"additional","affiliation":[{"name":"National University of Sciences &amp; Technology (NUST), Islamabad, Pakistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Syed Ali","family":"Khayam","sequence":"additional","affiliation":[{"name":"National University of Sciences &amp; Technology (NUST), Islamabad, Pakistan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Fauzan","family":"Mirza","sequence":"additional","affiliation":[{"name":"National University of Sciences &amp; Technology (NUST), Islamabad, Pakistan"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2010,6,22]]},"reference":[{"key":"e_1_2_1_1_1","volume-title":"A Flow-based Method for Abnormal Network Traffic Detection,\" IEEE\/IFIP NOMS","author":"Kim M. S.","year":"2004","unstructured":"M. S. Kim , H. J. Kang , S. C. Hung , S. H. Chung , and J. W. Hong , \" A Flow-based Method for Abnormal Network Traffic Detection,\" IEEE\/IFIP NOMS , 2004 . M. S. Kim, H. J. Kang, S. C. Hung, S. H. Chung, and J. W. Hong, \"A Flow-based Method for Abnormal Network Traffic Detection,\" IEEE\/IFIP NOMS, 2004."},{"key":"e_1_2_1_2_1","doi-asserted-by":"publisher","DOI":"10.1145\/1080091.1080118"},{"key":"e_1_2_1_3_1","unstructured":"Cisco Anomaly Guard Module Homepage www.cisco.com\/en\/US\/products\/ps6235\/.  Cisco Anomaly Guard Module Homepage www.cisco.com\/en\/US\/products\/ps6235\/."},{"key":"e_1_2_1_4_1","unstructured":"Arbor Networks Peakflow-X Homepage http:\/\/www.arbornetworks.com\/en\/peakflow-x.html.  Arbor Networks Peakflow-X Homepage http:\/\/www.arbornetworks.com\/en\/peakflow-x.html."},{"key":"e_1_2_1_5_1","unstructured":"Endace NinjaBox Homepage http:\/\/www.endace.com\/ninjabox.html.  Endace NinjaBox Homepage http:\/\/www.endace.com\/ninjabox.html."},{"key":"e_1_2_1_6_1","unstructured":"FireEye Homepage http:\/\/www.fireeye.com\/.  FireEye Homepage http:\/\/www.fireeye.com\/."},{"key":"e_1_2_1_7_1","volume-title":"Adaptive random sampling for total load estimation,\" IEEE ICC","author":"Choi B. Y.","year":"2003","unstructured":"B. Y. Choi , J. Park , and Z. L. Zhang , \" Adaptive random sampling for total load estimation,\" IEEE ICC , 2003 . B. Y. Choi, J. Park, and Z. L. Zhang, \"Adaptive random sampling for total load estimation,\" IEEE ICC, 2003."},{"key":"e_1_2_1_8_1","doi-asserted-by":"publisher","DOI":"10.1145\/637201.637225"},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1145\/863955.863992"},{"key":"e_1_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/948205.948235"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2006.884027"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1145\/1177080.1177102"},{"key":"e_1_2_1_13_1","doi-asserted-by":"crossref","unstructured":"G. Androulidakis V. Chatzigiannakis S. Papavassiliou M. Grammatikou V. Maglaris \"Understanding and Evaluating the Impact of Sampling on Anomaly Detection Techniques \" IEEE MILCOM 2006.   G. Androulidakis V. Chatzigiannakis S. Papavassiliou M. Grammatikou V. Maglaris \"Understanding and Evaluating the Impact of Sampling on Anomaly Detection Techniques \" IEEE MILCOM 2006.","DOI":"10.1109\/MILCOM.2006.302407"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1177080.1177101"},{"key":"e_1_2_1_15_1","volume-title":"PacketScore: Statistics-based Overload Control against Distributed Denial-of-Service Attacks,\" IEEE INFOCOM","author":"Kim Y.","year":"2004","unstructured":"Y. Kim , W. C. Lau , M. C. Chuah , and H. J. Chao , \" PacketScore: Statistics-based Overload Control against Distributed Denial-of-Service Attacks,\" IEEE INFOCOM , 2004 . Y. Kim, W. C. Lau, M. C. Chuah, and H. J. Chao, \"PacketScore: Statistics-based Overload Control against Distributed Denial-of-Service Attacks,\" IEEE INFOCOM, 2004."},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1109\/JSAC.2006.877136"},{"key":"e_1_2_1_17_1","volume-title":"Detecting anomalies in network traffic using maximum entropy estimation,\" ACM IMC","author":"Gu Y.","year":"2005","unstructured":"Y. Gu , A. McCullum , and D. Towsley , \" Detecting anomalies in network traffic using maximum entropy estimation,\" ACM IMC , 2005 . Y. Gu, A. McCullum, and D. Towsley, \"Detecting anomalies in network traffic using maximum entropy estimation,\" ACM IMC, 2005."},{"key":"e_1_2_1_18_1","volume-title":"Fast detection of scanning worm infections,\" RAID","author":"Schechter S. E.","year":"2004","unstructured":"S. E. Schechter , J. Jung , and A. W. Berger , \" Fast detection of scanning worm infections,\" RAID , 2004 . S. E. Schechter, J. Jung, and A. W. Berger, \"Fast detection of scanning worm infections,\" RAID, 2004."},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/952532.952601"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/633025.633056"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/637201.637225"},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1145\/637201.637210"},{"key":"e_1_2_1_24_1","volume-title":"Fast portscan detection using sequential hypothesis testing,\" IEEE Symp S&P","author":"Jung J.","year":"2004","unstructured":"J. Jung , V. Paxson , A. W. Berger , and H. Balakrishnan , \" Fast portscan detection using sequential hypothesis testing,\" IEEE Symp S&P , 2004 . J. Jung, V. Paxson, A. W. Berger, and H. Balakrishnan, \"Fast portscan detection using sequential hypothesis testing,\" IEEE Symp S&P, 2004."},{"key":"e_1_2_1_25_1","volume-title":"Connection Port Scan Detection on the Backbone,\" IPCC Malware Workshop","author":"Sridharan A.","year":"2006","unstructured":"A. Sridharan , T. Ye , and S. Bhattacharyya , \" Connection Port Scan Detection on the Backbone,\" IPCC Malware Workshop , 2006 . A. Sridharan, T. Ye, and S. Bhattacharyya, \"Connection Port Scan Detection on the Backbone,\" IPCC Malware Workshop, 2006."},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-69384-0_45"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2008.11.011"},{"key":"e_1_2_1_28_1","doi-asserted-by":"crossref","unstructured":"L. Huang X. Nguyen M. Garofalakis J. M. Hellerstein M. I. Jordan A. D. Joseph N. Taft \"Communication-Efficient Online Detection of Network-Wide Anomalies \" IEEE Infocom 2007.  L. Huang X. Nguyen M. Garofalakis J. M. Hellerstein M. I. Jordan A. D. Joseph N. Taft \"Communication-Efficient Online Detection of Network-Wide Anomalies \" IEEE Infocom 2007.","DOI":"10.1109\/INFCOM.2007.24"},{"key":"e_1_2_1_29_1","volume-title":"Sketch Guided Sampling-Using On-Line Estimates of Flow Size for Adaptive Data Collection,\" IEEE INFOCOM","author":"Kumar A.","year":"2006","unstructured":"A. Kumar and J. Xu , \" Sketch Guided Sampling-Using On-Line Estimates of Flow Size for Adaptive Data Collection,\" IEEE INFOCOM , 2006 . A. Kumar and J. Xu, \"Sketch Guided Sampling-Using On-Line Estimates of Flow Size for Adaptive Data Collection,\" IEEE INFOCOM, 2006."},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1145\/1282380.1282392"},{"key":"e_1_2_1_31_1","volume-title":"CSAMP: A System for Network-Wide Flow Monitoring,\" USENIX","author":"Sekar V.","year":"2008","unstructured":"V. Sekar , M. K. Reiter , W. Willinger , H. Zhang , R. R. Kompella , and D. G. Andersen , \" CSAMP: A System for Network-Wide Flow Monitoring,\" USENIX , 2008 . V. Sekar, M. K. Reiter, W. Willinger, H. Zhang, R. R. Kompella, and D. G. Andersen, \"CSAMP: A System for Network-Wide Flow Monitoring,\" USENIX, 2008."},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1452520.1452551"},{"key":"e_1_2_1_33_1","unstructured":"DARPA Intrusion Detection Data Sets http:\/\/www.ll.mit.edu\/mission\/communications\/ist\/ corpora\/ideval\/ data\/index.html.  DARPA Intrusion Detection Data Sets http:\/\/www.ll.mit.edu\/mission\/communications\/ist\/ corpora\/ideval\/ data\/index.html."},{"key":"e_1_2_1_34_1","unstructured":"LBNL\/ICSI Dataset www.icir.org\/enterprise-tracing\/download.html.  LBNL\/ICSI Dataset www.icir.org\/enterprise-tracing\/download.html."},{"key":"e_1_2_1_35_1","unstructured":"Endpoint Dataset http:\/\/www.wisnet.seecs.edu.pk\/projects\/ENS\/DataSets.html.  Endpoint Dataset http:\/\/www.wisnet.seecs.edu.pk\/projects\/ENS\/DataSets.html."},{"key":"e_1_2_1_36_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-540-87403-4_19"}],"container-title":["ACM SIGCOMM Computer Communication Review"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1823844.1823846","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/1823844.1823846","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T11:39:32Z","timestamp":1750246772000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/1823844.1823846"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2010,6,22]]},"references-count":35,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2010,6,22]]}},"alternative-id":["10.1145\/1823844.1823846"],"URL":"https:\/\/doi.org\/10.1145\/1823844.1823846","relation":{},"ISSN":["0146-4833"],"issn-type":[{"type":"print","value":"0146-4833"}],"subject":[],"published":{"date-parts":[[2010,6,22]]},"assertion":[{"value":"2010-06-22","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}