This paper develops parametric methods to detect network anomalies using only aggregate traffic statistics, in contrast to other works requiring flow separation, even when the anomaly is a small fraction of the total traffic. By adopting simple statistical models for anomalous and background traffic in the time domain, one can estimate model parameters in real time, thus obviating the need for a long training phase or manual parameter tuning. The proposed bivariate parametric detection mechanism (bPDM) uses a sequential probability ratio test, allowing for control over the false positive rate while examining the tradeoff between detection time and the strength of an anomaly. Additionally, it uses both traffic-rate and packet-size statistics, yielding a bivariate model that eliminates most false positives. The method is analyzed using the bit-rate signal-to-noise ratio (SNR) metric, which is shown to be an effective metric for anomaly detection. The performance of the bPDM is evaluated in three ways. First, synthetically generated traffic provides for a controlled comparison of detection time as a function of the anomalous level of traffic. Second, the approach is shown to be able to detect controlled artificial attacks over the University of Southern California (USC), Los Angeles, campus network in varying real traffic mixes. Third, the proposed algorithm achieves rapid detection of real denial-of-service attacks as determined by the replay of previously captured network traces. The method developed in this paper is able to detect all attacks in these scenarios in a few seconds or less.
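The sequential probability ratio test at the core of the approach, worked through on constructed aggregate traffic as an added illustration that is not the authors' bPDM implementation. Everything not stated in the abstract is assumed here: one-second bins, equal-variance Gaussian models for bit rate and mean packet size under background (H0) and anomaly (H1), fixed H1 parameters, and a test that restarts from zero whenever it accepts H0.

```python
# Added illustration of an SPRT over aggregate bit rate and mean packet size; not the
# authors' bPDM code. Assumed (not in the abstract): 1 s bins, equal-variance Gaussian
# H0/H1 models with fixed H1 parameters, restart from zero on accepting H0, constructed data.
import math

# Hypothesised models (Mbit/s, bytes); a flood of small packets raises rate, lowers size.
BACKGROUND = {"rate": 100.0, "size": 800.0, "rate_sd": 10.0, "size_sd": 60.0}
ANOMALY = {"rate": 115.0, "size": 600.0}
ONSET = 60  # bin index at which constructed anomalies begin

def wald_thresholds(alpha, beta):
    """Wald's SPRT thresholds for target false-positive rate alpha, miss rate beta."""
    return math.log((1 - beta) / alpha), math.log(beta / (1 - alpha))

def gauss_llr(x, mu0, mu1, sigma):
    """log p1(x)/p0(x) for one sample under equal-variance Gaussians."""
    return ((x - mu0) ** 2 - (x - mu1) ** 2) / (2 * sigma ** 2)

def sprt_detect(rates, sizes, alpha=1e-3, beta=1e-2, use_size=True):
    """Return the bin index at which H1 is accepted, or None if never."""
    upper, lower = wald_thresholds(alpha, beta)
    s = 0.0
    for t, (r, p) in enumerate(zip(rates, sizes)):
        s += gauss_llr(r, BACKGROUND["rate"], ANOMALY["rate"], BACKGROUND["rate_sd"])
        if use_size:  # bivariate: add the packet-size evidence
            s += gauss_llr(p, BACKGROUND["size"], ANOMALY["size"], BACKGROUND["size_sd"])
        if s >= upper:
            return t
        if s <= lower:
            s = 0.0  # accept H0 for this stretch and restart the test
    return None

def synth_traffic(attack_rate=None, attack_size=None, length=100):
    """Constructed 1 s bins: deterministic jitter around background, anomaly from ONSET."""
    rate_j, size_j = [-2, 1, 3, -1, 0], [-10, 20, -5, 15, -20]
    rates, sizes = [], []
    for t in range(length):
        attacking = attack_rate is not None and t >= ONSET
        rates.append((attack_rate if attacking else BACKGROUND["rate"]) + rate_j[t % 5])
        sizes.append((attack_size if attacking else BACKGROUND["size"]) + size_j[t % 5])
    return rates, sizes

def detection_delay(attack_rate, attack_size, **kw):
    """Bins between anomaly onset and detection, or None if undetected."""
    t = sprt_detect(*synth_traffic(attack_rate, attack_size), **kw)
    return None if t is None else t - ONSET

if __name__ == "__main__":
    print(sprt_detect(*synth_traffic()))                         # None: no false alarm
    print(detection_delay(115, 600), detection_delay(110, 650))  # 0 2: weaker anomaly, later
    print(detection_delay(110, 650, use_size=False), detection_delay(110, 650, alpha=1e-6))  # 17 4
```

The last line shows the two tradeoffs the abstract names: dropping the packet-size statistic stretches detection of the same anomaly from 2 bins to 17, and tightening the false-positive target from 1e-3 to 1e-6 raises the threshold and costs two more bins.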