In this work we develop an approach to anomaly detection for large-scale networks such as those of an enterprise or an ISP. The traffic pattern we analyze is a network-wide view of the traffic state, the traffic matrix. In the first step a Kalman filter is used to filter out the "normal" traffic. This is done by comparing our future predictions of the traffic matrix state to an inference of the actual traffic matrix that is made using more recent measurement data than those used for prediction. In the second step the residual filtered process is examined for anomalies. We explain how any anomaly detection method can be viewed as a problem in statistical hypothesis testing. We study and compare four different methods for analyzing residuals, two of which are new. These methods focus on different aspects of the change in traffic pattern: one on instantaneous behavior, another on changes in the mean of the residual process, a third on changes in the variance, and a fourth on variance changes over multiple timescales. We evaluate and compare all of these methods using ROC curves, which illustrate the full tradeoff between false positives and false negatives across the complete range of decision thresholds.
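As an added illustration (not code from the paper), the two-step scheme above reduced to a single flow rather than a full traffic matrix: a random-walk Kalman filter yields innovation residuals, and two of the residual analyzers described, an instantaneous threshold and a mean-shift CUSUM, then examine them on a constructed series containing a short burst and a slow ramp. The filter model, noise parameters, thresholds and the series itself are assumptions made for this example.

```python
"""Kalman-filter residual anomaly detection on one traffic flow (added illustration)."""
import math


def kalman_residuals(series, q=1.0, r=4.0):
    """Random-walk Kalman filter (state = flow volume). Returns (innovation, variance)
    per sample; the innovation is the measurement minus the one-step prediction."""
    x, p = series[0], r            # initial state estimate and its variance
    residuals = []
    for z in series:
        x_pred, p_pred = x, p + q   # prediction: level persists, uncertainty grows by q
        s = p_pred + r              # innovation variance
        innov = z - x_pred          # residual examined by the detectors below
        k = p_pred / s              # Kalman gain
        x, p = x_pred + k * innov, (1.0 - k) * p_pred
        residuals.append((innov, s))
    return residuals


def instantaneous_detector(residuals, k_sigma=4.0):
    """Flag samples whose normalised innovation exceeds k_sigma standard deviations."""
    return [i for i, (innov, s) in enumerate(residuals) if abs(innov) / math.sqrt(s) > k_sigma]


def cusum_detector(residuals, drift=1.0, threshold=10.0):
    """One-sided CUSUM on the innovations: flags a sustained positive mean shift
    that no single sample is large enough to reveal."""
    g, alarms = 0.0, []
    for i, (innov, _) in enumerate(residuals):
        g = max(0.0, g + innov - drift)
        if g > threshold:
            alarms.append(i)
            g = 0.0                 # restart the statistic after an alarm
    return alarms


def constructed_series():
    """Constructed sample (not measured data): a 100-unit flow with +/-1 jitter,
    a +30 burst at t=40..49 and a slow +0.8-per-step ramp from t=60 on."""
    z = [100.0 + (1.0 if t % 2 else -1.0) for t in range(80)]
    for t in range(40, 50):
        z[t] += 30.0
    for t in range(60, 80):
        z[t] += 0.8 * (t - 59)
    return z


if __name__ == "__main__":
    res = kalman_residuals(constructed_series())
    print("instantaneous:", instantaneous_detector(res))   # burst edges at t=40 and t=50
    print("cusum:", cusum_detector(res))                   # burst, then the ramp within t=60..79
```

The burst is caught by both analyzers at its edges, while the ramp never produces a single large innovation and is only revealed by the CUSUM accumulating the residual mean shift.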