Monitoring abnormal traffic flows based on independent component analysis

Authors:
Tao Qin;Xiaohong Guan;Wei Li;Pinghui Wang
Affiliations:
SKLMS Lab and MOE KLINNS Lab, Xian Jiaotong University, Xian, China;SKLMS Lab and MOE KLINNS Lab, Xian Jiaotong University, Xian, China and Department of Automation and NLIST Lab, Tsinghua University, Beijing, China;SKLMS Lab and MOE KLINNS Lab, Xian Jiaotong University, Xian, China;SKLMS Lab and MOE KLINNS Lab, Xian Jiaotong University, Xian, China
Venue:
ICC'09 Proceedings of the 2009 IEEE international conference on Communications
Year:
2009

Citing 12
Cited 1

Blind separation of sources, Part 1: an adaptive algorithm based on neuromimetic architecture

Signal Processing
Independent component analysis: algorithms and applications

Neural Networks
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Observed structure of addresses in IP traffic

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
How to Own the Internet in Your Spare Time

Proceedings of the 11th USENIX Security Symposium
Network traffic anomaly detection based on packet bytes

Proceedings of the 2003 ACM symposium on Applied computing
Structural analysis of network traffic flows

Proceedings of the joint international conference on Measurement and modeling of computer systems
Profiling internet backbone traffic: behavior models and applications

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
The monitoring and early detection of internet worms

IEEE/ACM Transactions on Networking (TON)
Role classification of hosts within enterprise networks based on connection patterns

ATEC '03 Proceedings of the annual conference on USENIX Annual Technical Conference
A parameterizable methodology for Internet traffic flow profiling

IEEE Journal on Selected Areas in Communications

Monitoring abnormal network traffic based on blind source separation approach

Journal of Network and Computer Applications

Quantified Score

Hi-index	0.00

Visualization

Abstract

The randomness of the network behaviors poses serious challenges for discovering the abnormal patterns in network traffic flows. This paper presents a method based on blind source separation approach for detecting abnormal traffic flows. It decomposes the network traffic into two components: the routine pattern and the abnormal pattern. The scale-space filter with adaptive scale is applied to filter the noise without affecting the main behavior patterns which can be used to form the abnormal traffic metrics and profiles. The zero-crossing method is applied to extract the stochastic behavior pulse widths and the largest width is selected as the scale space factor. In this way, the influence of the inherent randomness could be removed or greatly reduced. The extracted patterns of the routine behaviors imply the user's habit and the abnormal patterns are useful for discovering anomalous behaviors such as scanning, flooding and content distribution attacks. A salient feature of the method is that no supervised learning process is needed. This is a very important advantage since obtaining labeled samples in traffic monitoring is extremely difficult. Experimental results based on the datasets of an actual network show that this method is effective for monitoring anomaly traffic flows in the gigabytes traffic environment and the identification accuracy is above 95%.