Q1. What is the objective of this research paper?
SOLUTION
In this paper, we identify three major problems that hinder a systematic evaluation of flow-level anomaly detection systems. We discuss existing approaches that aim at overcoming these three problems, and identify their drawbacks. We propose an alternative approach for generating benchmark evaluation traces, namely synthetic generation of flow-level traffic traces, and discuss why and how this approach can provide a solution to the identified problems. The two main challenges with such an approach are to define normal and anomalous network behavior, and to find realistic models describing normal and anomalous traffic at the flow level. We discuss our ideas for defining normal and anomalous traffic, and specify the framework for a novel flow traffic model targeted at anomaly detection. Finally, we provide an initial design for a synthetic flow trace generator.
Q2. What are the flaws in this research paper?
SOLUTION
Although several flow-based traffic models have been developed in previous work, we are not aware of a traffic model that meets all of the requirements specified in the last paragraph. The previously proposed flow models all describe volume flow parameters, but they completely disregard spatial flow parameters such as IP addresses and ports. Consequently, these models are not suitable for evaluating anomaly detection systems that apply spatial aggregation metrics such as entropy over address or port distributions. Additionally, several of the proposed models concentrate on describing the short-term behavior of flows (at timescales of less than a minute), which contradicts our first requirement. Furthermore, only one of the proposed flow models was designed for the specific purpose of testing anomaly detection systems; however, its methodology for generating synthetic volume anomalies does not consider the interaction between anomalous and benign network traffic, so that model fails to meet the third requirement. As already mentioned, similar problems exist when evaluating anomaly detection systems operating at the packet level. Synthetic generation of packet-level traces containing specific anomalies has been applied to evaluate the performance of intrusion detection systems, but that model is targeted at generating the packet-level characteristics of attacks rather than anomalous backbone traffic.
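The point about spatial parameters is easiest to see with a small experiment. The following is an added example, not code from the paper or its authors: it builds constructed flow records (source IP, destination IP, destination port), runs a simple entropy-based detector over them, and compares a port-scan anomaly with an "anomaly" produced by a volume-only generator that adds the same number of flows but draws their addresses and ports from the benign distribution. The benign traffic model, the scan size, the field choice and the 1-bit detection threshold are all assumptions made for illustration.

```python
import math
import random
from collections import Counter

# Constructed flow records are tuples (src_ip, dst_ip, dst_port).
# The traffic model, scan size and threshold below are assumptions for
# illustration only; they are not taken from the paper under discussion.


def shannon_entropy(values):
    """Shannon entropy in bits of the empirical distribution of `values`."""
    counts = Counter(values)
    total = sum(counts.values())
    return -sum(c / total * math.log2(c / total) for c in counts.values())


def benign_flows(n, rng):
    """Assumed benign model: many client addresses talking to a few services."""
    flows = []
    for _ in range(n):
        src = f"10.0.{rng.randrange(256)}.{rng.randrange(1, 255)}"
        dst = rng.choice(["203.0.113.10", "203.0.113.20", "203.0.113.30"])
        port = rng.choice([80, 443, 53, 25])
        flows.append((src, dst, port))
    return flows


def port_scan_flows(n, rng):
    """A port scan: one source, one destination, n distinct destination ports."""
    return [("198.51.100.7", "203.0.113.10", p) for p in rng.sample(range(1, 65536), n)]


def volume_only_anomaly(n, rng):
    """What a volume-only generator yields: n extra flows with the same flow count
    as the scan, but with addresses and ports drawn from the benign distribution."""
    return benign_flows(n, rng)


def features(flows):
    """Per-time-bin features: flow count plus entropy of each spatial field."""
    return {
        "flows": len(flows),
        "H_src": shannon_entropy(f[0] for f in flows),
        "H_dst": shannon_entropy(f[1] for f in flows),
        "H_dport": shannon_entropy(f[2] for f in flows),
    }


def entropy_detector(baseline, observed, threshold_bits=1.0):
    """Flag a bin if any spatial entropy moves more than threshold_bits from baseline."""
    return any(
        abs(observed[k] - baseline[k]) > threshold_bits
        for k in ("H_src", "H_dst", "H_dport")
    )


def run_experiment(seed=1):
    """Compare a real scan with a volume-only anomaly of identical flow count."""
    rng = random.Random(seed)
    baseline = features(benign_flows(2000, rng))
    scan_bin = features(benign_flows(2000, rng) + port_scan_flows(400, rng))
    volume_bin = features(benign_flows(2000, rng) + volume_only_anomaly(400, rng))
    return {
        "baseline": baseline,
        "scan_flows": scan_bin["flows"],
        "volume_only_flows": volume_bin["flows"],
        "scan_detected": entropy_detector(baseline, scan_bin),
        "volume_only_detected": entropy_detector(baseline, volume_bin),
    }


if __name__ == "__main__":
    result = run_experiment()
    for key, value in result.items():
        print(f"{key}: {value}")
```

Both anomalous bins contain exactly 2400 flows, so a detector keyed on volume alone sees the same picture in each. The scan shifts the destination-port entropy by well over a bit (400 one-off ports on top of four popular ones) and concentrates source-address mass on a single host, so the entropy detector fires; the volume-only trace preserves the benign address and port distributions and is not flagged. A benchmark generator that models only volume therefore cannot produce the signature such detectors are built to catch, which is the gap the text identifies.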
Q3. Which methodology, approach or framework is used in this research paper?
SOLUTION
Instead of relying on captured traces, we propose an alternative approach to address privacy concerns, anomaly variability, and ground truth in evaluation traces: synthetic generation of benchmark traces with the desired characteristics, driven by a flow-level traffic model.
Q4. Which problems has the author identified and set out to resolve?
SOLUTION
In this paper, we have identified three main challenges that hinder systematic evaluation of flow-level anomaly detection systems, namely privacy concerns, anomaly variability, and the lack of ground truth in traffic traces.