论文信息 - Traffic feature distribution analysis based on exponentially weighted moving average

Traffic feature distribution analysis based on exponentially weighted moving average

Most researches treated anomalies as deviations in the overall traffic volume. However, not all of the network incidents result in significant traffic volume change. Feature-based analysis enables detection of anomalies that are difficult to isolate in traffic volume. In order to accurately detect traffic anomaly, this paper proposes a methodology based on Exponentially Weighted Moving Average (EWMA). It utilizes feature entropy as a convenient summary statistic for the distribution's tendency to be concentrated or dispersed. Then, it predicts normal traffic feature entropy by Exponentially Weighted Moving Average and identifies anomaly with predictions. The experimental results show that this methodology achieves better accuracy than volume-based method.

Qian Xu | Dong-nian Cheng | Ying-ding Fu

[1] Mark Crovella,et al. Mining anomalies using traffic feature distributions , 2005, SIGCOMM '05.

[2] Balachander Krishnamurthy,et al. Sketch-based change detection: methods, evaluation, and applications , 2003, IMC '03.

[3] Dan Schnackenberg,et al. Statistical approaches to DDoS attack detection and response , 2003, Proceedings DARPA Information Survivability Conference and Exposition.

[4] Paul Barford,et al. A signal analysis of network traffic anomalies , 2002, IMW '02.

[5] George Nychis,et al. An Empirical Evaluation of Entropy-based Anomaly Detection , 2007 .

[6] Ruey-Shan Guo,et al. An EWMA-based process mean estimator with dynamic tuning capability , 2002 .

[7] Vyas Sekar,et al. An empirical evaluation of entropy-based traffic anomaly detection , 2008, IMC '08.

[8] Symeon Papavassiliou,et al. Network anomaly detection and classification via opportunistic sampling , 2009, IEEE Network.

[9] Kavé Salamatian,et al. Combining filtering and statistical methods for anomaly detection , 2005, IMC '05.

[10] Ramesh Govindan,et al. ASTUTE: detecting a different class of traffic anomalies , 2010, SIGCOMM '10.