Methods for Evaluating Anomaly Detection Systems


This project has started in June 2007 and finished in Spring 2010.


Prof. Dr. Ueli Maurer, Cryptography & Information Security Group, ETH
Daniela Brauckhoff, Cryptography & Information Security Group, ETH


Anomaly detection is a promising approach for detecting interesting events – such as malicious attacks or failures – in networks. Flow-based anomaly detection is an anomaly detection approach that operates on NetFlow data which is exported from today’s routers. Operating on flows instead of packets, this approach is highly scalable for fast network links and also applicable for encrypted traffic (since only packet headers are analyzed). Albeit it’s advantages, anomaly detection faces many challenges such as high false alarm rates or correct anomaly identification. The most basic problem, however, with intrusion detection systems in general are the insufficient evaluation methods – or more specifically the missing of suitable evaluation data.
The goal of this project is to develop improved methods for evaluating flow-based anomaly detection systems.


Daniela Brauckhoff, Xenofontas Dimitropoulos, Arno Wagner, Kavé Salamatian
Anomaly Extraction in Backbone Networks Using Association Rules

IMC’09: Internet Measurement Conference, Chicago, IL, USA, Nov, 2009.

Daniela Brauckhoff, Arno Wagner, Martin May
Flame: A Flow-level Anomaly Modeling Engine

Usenix Security, CSET Workshop, San Jose, CA, USA, July 2008.

Daniela Brauckhoff, Martin May, Bernhard Plattner
Flow-Level Anomaly Detection – Blessing or Curse?

IEEE INFOCOM 2007, Student Workshop, Anchorage, Alaska, USA, May, 2007.

Daniela Brauckhoff, Ulrich Fiedler, Bernhard Plattner

Towards Systematically Evaluating Flow-level Anomaly Detection Mechanisms
Workshop on Monitoring, Attack Detection and Mitigation (MonAM 2006), Tübingen, Germany, September, 2006.