Parametric methods for anomaly detection in aggregate traffic

Authors:
Gautam Thatte;Urbashi Mitra;John Heidemann
Affiliations:
Ming Hseih Department of Electrical Engineering, University of Southern California, Los Angeles, CA;Ming Hseih Department of Electrical Engineering, University of Southern California, Los Angeles, CA;Information Sciences Institute, University of Southern California, Marina Del Rey, CA
Venue:
IEEE/ACM Transactions on Networking (TON)
Year:
2011

Citing 19
Cited 4

Elements of information theory

Elements of information theory
Fundamentals of statistical signal processing: estimation theory

Fundamentals of statistical signal processing: estimation theory
Detection of abrupt changes: theory and application

Detection of abrupt changes: theory and application
Flash crowds and denial of service attacks: characterization and implications for CDNs and web sites

Proceedings of the 11th international conference on World Wide Web
The Internet Security Guidebook: From Planning to Deployment

The Internet Security Guidebook: From Planning to Deployment
A signal analysis of network traffic anomalies

Proceedings of the 2nd ACM SIGCOMM Workshop on Internet measurment
Generation of High Bandwidth Network Traffic Traces

MASCOTS '02 Proceedings of the 10th IEEE International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunications Systems
Hop-count filtering: an effective defense against spoofed DDoS traffic

Proceedings of the 10th ACM conference on Computer and communications security
Mining anomalies using traffic feature distributions

Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
Entropy Based Worm and Anomaly Detection in Fast IP Networks

WETICE '05 Proceedings of the 14th IEEE International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise
Using Multivariate Statistics (5th Edition)

Using Multivariate Statistics (5th Edition)
Combining filtering and statistical methods for anomaly detection

IMC '05 Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement
FLF4DoS. Dynamic DDoS Mitigation based on TTL field using fuzzy logic.

CONIELECOMP '07 Proceedings of the 17th International Conference on Electronics, Communications and Computers
Beyond the Model of Persistent TCP Flows: Open-Loop vs Closed-Loop Arrivals of Non-persistent Flows

ANSS-41 '08 Proceedings of the 41st Annual Simulation Symposium (anss-41 2008)
An empirical evaluation of entropy-based traffic anomaly detection

Proceedings of the 8th ACM SIGCOMM conference on Internet measurement
Remote detection of bottleneck links using spectral and statistical methods

Computer Networks: The International Journal of Computer and Telecommunications Networking
A two-layered anomaly detection technique based on multi-modal flow behavior models

PAM'08 Proceedings of the 9th international conference on Passive and active network measurement
Anomaly detection in IP networks

IEEE Transactions on Signal Processing
A novel approach to detection of intrusions in computer networks via adaptive sequential and batch-sequential change-point detection methods

IEEE Transactions on Signal Processing

Detecting SYN flooding attacks based on traffic prediction

Security and Communication Networks
Review: An intrusion detection and prevention system in cloud computing: A systematic review

Journal of Network and Computer Applications
Detecting latent attack behavior from aggregated Web traffic

Computer Communications
Anomaly secure detection methods by analyzing dynamic characteristics of the network traffic in cloud communications

Information Sciences: an International Journal

Quantified Score

Hi-index	0.00

Visualization

Abstract

This paper develops parametric methods to detect network anomalies using only aggregate traffic statistics, in contrast to other works requiring flow separation, even when the anomaly is a small fraction of the total traffic. By adopting simple statistical models for anomalous and background traffic in the time domain, one can estimate model parameters in real time, thus obviating the need for a long training phase or manual parameter tuning. The proposed bivariate parametric detection mechanism (bPDM) uses a sequential probability ratio test, allowing for control over the false positive rate while examining the tradeoff between detection time and the strength of an anomaly. Additionally, it uses both traffic-rate and packet-size statistics, yielding a bivariate model that eliminates most false positives. The method is analyzed using the bit-rate signal-to-noise ratio (SNR) metric, which is shown to be an effective metric for anomaly detection. The performance of the bPDM is evaluated in three ways. First, synthetically generated traffic provides for a controlled comparison of detection time as a function of the anomalous level of traffic. Second, the approach is shown to be able to detect controlled artificial attacks over the University of Southern California (USC), Los Angeles, campus network in varying real traffic mixes. Third, the proposed algorithm achieves rapid detection of real denial-of-service attacks as determined by the replay of previously captured network traces. The method developed in this paper is able to detect all attacks in these scenarios in a few seconds or less.