We investigate the automatic and dynamic tuning of the parameter of a statistical method for detecting anomalies in network traffic (we refer to this tuning as parameter learning), with real-time detection as the goal. The main idea behind the dynamic tuning is to predict an appropriate parameter for the upcoming traffic from the detection results of the past τ traffic traces. We refer to τ as the learning period, and we discuss in particular what value of τ is appropriate. This automatic tuning scheme is applied to the parameter setting of an anomaly detection method based on Sketch and the multi-scale gamma model, an unsupervised method that does not need predefined data. We analyze the tuning scheme with real traffic traces measured on a trans-Pacific link over 9 years (15 min from 14:00 Japan Standard Time every day, and 24 consecutive hours on some dates on the same link). The detection results obtained with the predicted parameter are compared to those obtained with the ideal parameter, i.e. the one that maximizes the detection performance for the upcoming traffic. We also analyze how predictable the ideal parameter is, given its past changes. The main findings of this work are as follows: (1) the ideal parameter fluctuates from day to day; (2) parameter learning with a longer τ is affected by significant events that fall within the period, and the appropriate τ is about three traces (days) for the everyday 15 min traces and around 1.5 h for the 24 h traces; (3) the degradation in detection performance caused by introducing parameter learning is 17% with τ = 3 for the everyday 15 min traces; (4) the changes in the ideal parameter show no periodic correlation and can be modeled as a random process that follows a normal distribution. We show that, in practice, one cannot consistently use a fixed parameter in statistics-based algorithms to detect anomalies. Copyright © 2010 John Wiley & Sons, Ltd.