A signal analysis of network traffic anomalies
Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurement
Diagnosing network-wide traffic anomalies
Proceedings of the 2004 conference on Applications, technologies, architectures, and protocols for computer communications
Characterization of network-wide anomalies in traffic flows
Proceedings of the 4th ACM SIGCOMM conference on Internet measurement
Aberrant Behavior Detection in Time Series for Network Monitoring
LISA '00 Proceedings of the 14th USENIX conference on System administration
Mining anomalies using traffic feature distributions
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Combining filtering and statistical methods for anomaly detection
IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
Integrated scientific workflow management for the Emulab network testbed
ATEC '06 Proceedings of the annual conference on USENIX '06 Annual Technical Conference
Traffic Anomaly Detection at Fine Time Scales with Bayes Nets
ICIMP '08 Proceedings of the 2008 The Third International Conference on Internet Monitoring and Protection
The Search for Efficiency in Automated Intrusion Response for Distributed Applications
SRDS '08 Proceedings of the 2008 Symposium on Reliable Distributed Systems
Increasing resilience of ATM networks using traffic monitoring and automated anomaly analysis
Proceedings of the 2nd International Conference on Application and Theory of Automation in Command and Control Systems
Topology-Aware Correlated Network Anomaly Event Detection and Diagnosis
Journal of Network and Systems Management
Identifying and diagnosing network traffic anomalies, and rectifying their effects are standard, daily activities of network operators. While there is a large and growing literature on techniques for detecting network anomalies, there has been little or no treatment of what to do after a candidate anomaly has been identified. In this paper, we present a first step toward formalizing and automating the time-consuming and challenging tasks associated with network anomaly confirmation, diagnosis and remedy. Our work assumes that potential anomalies are identified either through visual analysis of key traffic measurements or from a Network Anomaly Detection System (NADS). We describe a flexible framework for network anomaly confirmation, diagnosis and remedy that is based on workflow concepts. The key features of this framework include data types/sources, analyses and decision points. We present an instantiation of our framework that includes a taxonomy of network traffic anomalies and detailed steps for confirmation of anomalies associated with malicious attacks. We demonstrate our framework by applying it to traffic in our university network. We propose that our framework is a starting point for streamlining operational tasks associated with traffic anomalies, and for the generation of annotated data sets that can be used in future NADS development.