The randomness in network behavior poses serious challenges for discovering abnormal patterns in network traffic flows. This paper presents a systematic approach for monitoring abnormal network traffic. The DFlow model is proposed to reduce the flow records and extract four features that capture the traffic patterns. The blind source separation method is applied to separate routine and abnormal behaviors from those features. A scale space filter is applied to remove the randomness in the traffic flows without affecting the behavior patterns. A threshold is selected based on a systematic criterion to evaluate the degree of abnormality. The contributions of the different traffic features to abnormal behavior detection are analyzed, and the connection degree is found to be the most important feature for traffic monitoring. A salient feature of this method is that it is effective for detecting abnormal behaviors that are not associated with significant changes in traffic volume. Another advantage of the new method is that no supervised learning process is needed. This is very important since high-quality labeled samples are very difficult to acquire in actual networks, especially data traces associated with attacks. The experimental results based on actual network data show that the method presented in the paper is effective for monitoring abnormal traffic flows in a gigabytes traffic environment, with an accuracy above 95%.