Abstract
Internet traffic anomalies are a serious problem that compromises the availability of optimal network resources. Numerous anomaly detectors have recently been proposed, but keeping their parameters optimally tuned is a difficult task, which undermines their effectiveness for daily usage. This article proposes a new anomaly detection method based on pattern recognition and investigates the relationship between its parameter set and the traffic characteristics. This analysis highlights that consistently achieving a high detection rate requires continuous adjustment of the parameters according to traffic fluctuations. Therefore, an adaptive time interval mechanism is proposed to enhance the robustness of the detection method to traffic variations. This adaptive anomaly detection method is evaluated by comparing it to three other anomaly detectors using four years of real backbone traffic. The evaluation reveals that the proposed adaptive detection method outperforms the other methods in terms of the true positive and false positive rates.
Index Terms
- A Hough-transform-based anomaly detector with an adaptive time interval