Uncovering network traffic anomalies based on their sparse distributions

  • Research Paper
  • Science China Information Sciences

Abstract

Characterizing network traffic with higher-dimensional features increases the complexity of most detectors and classifiers used to identify traffic anomalies. Several key observations from existing studies confirm that network anomalies are typically sparsely distributed, with each anomaly essentially characterized by its lower-dimensional features. Based on this important finding, we exploit sparsity in designing a novel detection method for anomalies that ignores redundancies, which are dynamically filtered from the feature sets, and accurately classifies anomalies. Comparison of our method with three well-known techniques shows a 10% improvement in accuracy with an O(n) complexity of the classifier.

Author information

Corresponding author

Correspondence to GuoZhen Cheng.

About this article

Cite this article

Cheng, G., Chen, H., Cheng, D. et al. Uncovering network traffic anomalies based on their sparse distributions. Sci. China Inf. Sci. 57, 1–11 (2014). https://doi.org/10.1007/s11432-014-5087-7

  • DOI: https://doi.org/10.1007/s11432-014-5087-7
