This paper addresses the problem of baselining normal operation for the automatic detection of network anomalies. A model of network traffic is presented in which the studied variables are viewed as sampled from a finite mixture model. Based on the stochastic approximation of the maximum likelihood function, we propose baselining normal network operation using the asymptotic distribution of the difference between successive estimates of the model parameters. The baseline random variable is shown to be stationary, with mean zero under normal operation. Anomalous events are shown to induce an abrupt jump in the mean. Detection is formulated as an online change point problem, where the task is to process the realizations of the baseline random variable sequentially and raise alarms as soon as anomalies occur. An analytical expression of the false alarm rate allows us to choose the design threshold automatically. Extensive experimental results on a real network showed that our monitoring agent is able to detect unusual changes in the characteristics of network traffic and adapt to diurnal traffic patterns, while maintaining a low alarm rate. Despite large fluctuations in network traffic, this work proves that tailoring traffic modeling to specific goals can be efficiently achieved.
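The pipeline the abstract describes, sketched as an added example (not the paper's code): a stochastic-approximation update of mixture means, the difference between successive estimates as the baseline variable, and a two-sided CUSUM as the online change point test. Assumptions: a two-component 1-D Gaussian mixture with fixed weights and variance, a hand-picked `drift` and `threshold` rather than the paper's analytical false alarm expression, and constructed traffic samples.

```python
import math

def responsibilities(x, means, sigma, weights):
    """Posterior probability that sample x came from each mixture component."""
    logs = [math.log(w) - 0.5 * ((x - m) / sigma) ** 2 for m, w in zip(means, weights)]
    top = max(logs)                      # subtract the max to avoid underflow
    dens = [math.exp(v - top) for v in logs]
    total = sum(dens)
    return [d / total for d in dens]

def monitor(samples, means, sigma=5.0, weights=(0.5, 0.5),
            gamma=0.05, drift=0.5, threshold=4.0):
    """Return (alarm indices, final means) for a stream of traffic samples."""
    means = list(means)
    g_up = g_down = 0.0
    alarms = []
    for n, x in enumerate(samples):
        r = responsibilities(x, means, sigma, weights)
        # Stochastic-approximation step on the component means.
        delta = [gamma * rk * (x - m) for rk, m in zip(r, means)]
        means = [m + d for m, d in zip(means, delta)]
        # Baseline variable: standardized difference between successive estimates.
        b = sum(delta) / (gamma * sigma)
        # Two-sided CUSUM: accumulates only a persistent shift in the mean of b.
        g_up = max(0.0, g_up + b - drift)
        g_down = max(0.0, g_down - b - drift)
        if g_up > threshold or g_down > threshold:
            alarms.append(n)
            g_up = g_down = 0.0          # restart the test after raising an alarm
    return alarms, means

def constructed_traffic(n_total=400, change_at=200):
    """Constructed samples: alternating low/high modes; low mode jumps 10 -> 20."""
    noise = [-1.0, 0.5, 1.0, -0.5]       # deterministic, zero-mean jitter
    out = []
    for n in range(n_total):
        low = 20.0 if n >= change_at else 10.0
        out.append((low if n % 2 == 0 else 50.0) + noise[n % 4])
    return out

if __name__ == "__main__":
    alarms, means = monitor(constructed_traffic(), means=(10.0, 50.0))
    print("alarms at", alarms, "final means", [round(m, 2) for m in means])
```

Because the means keep updating after the alarm, the baseline variable returns to zero mean once the estimate has absorbed the new level, which is the adaptive behaviour the abstract attributes to the monitoring agent.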