
Anomaly detection and response approach based on mapping requests

Authors

  • Ming Wan,

    1. Laboratory of Networked Control Systems, Shenyang Institute of Automation, Chinese Academy of Sciences, Shenyang, China
    2. National Engineering Laboratory for Next Generation Internet Interconnection Devices, Beijing Jiaotong University, Beijing, China
  • Hong-Ke Zhang,

    1. National Engineering Laboratory for Next Generation Internet Interconnection Devices, Beijing Jiaotong University, Beijing, China
  • Tin-Yu Wu,

    Corresponding author
    1. Department of Computer Science and Information Engineering, National Ilan University, I-Lan, Taiwan
    • Correspondence: Tin-Yu Wu, Department of Computer Science and Information Engineering, National Ilan University, I-Lan, Taiwan.

      E-mail: tyw@niu.edu.tw

  • Chi-Hsiang Lo

    1. Department of Computer Science and Information Engineering and Department of Electronic Engineering, National Ilan University, I-Lan, Taiwan

ABSTRACT

There is an increasing consensus that the locator/identifier separation of IP addresses is necessary to resolve the scalability issues of the current Internet routing architecture. After identifiers are separated from locators, an identifier-to-locator mapping service must be employed to map identifiers onto locators. On this basis, this paper proposes an anomaly detection and response approach based on mapping requests. By using the cumulative sum algorithm for change point detection, this approach detects anomalous mapping request traffic in order to diagnose aberrant network behaviors. Once an alarm is raised, one of two effective response methods can be chosen to control the anomalous attack traffic in real time. Furthermore, in order to decouple the mapping request traffic from the mapping cache, this approach not only takes into account the mapping cache timeout but also puts forward a practical mapping request threshold algorithm. In particular, our simulation results show that, compared with the anomaly detection approach based on network traffic, the proposed approach is more advantageous and efficient. In addition, we discuss the possible false positive and false negative problems, which may be caused by some accidental phenomena. Copyright © 2014 John Wiley & Sons, Ltd.
