Performance Evaluation of Sketch Schemes on Traffic Anomaly Detection Accuracy

Abstract

Network monitoring for high-speed networks shared by an increasing amount of traffic has become a crucial issue. Especially, traffic anomaly detection technology for high-speed networks is one of the most important issues, because of the increasingly serious nature of cyber-attacks such as worms, port scans, and DDoS. This study focuses on the use of sketch schemes as data reduction methods for traffic anomaly detection. Previous studies on sketch schemes neglected to fully clarify the impact of the sketch parameters on the anomaly detection performance. This study verified the processing time and traffic anomaly detection accuracy with a sketch as a function of two sketch parameters: the number of hash functions and hash table size. The range of the two sketch parameters was clarified by determining the processing time and F-measure, which evaluates both the false positive and false negative rates.