Investigation of graph edit distance cost functions for detection of network anomalies

Computer networks are becoming ubiquitous. Accurately monitoring and managing the behaviour of these complex and dynamic networks is a challenging task. It has become crucial to develop and employ good network monitoring techniques that assist in identifying and correcting abnormalities that affect network reliability, performance, security and future planning. There has been significant research in the detection of change and anomalous events in computer networks. A recent novel approach represents the logical communications of a periodically observed network as a time series of graphs and applies the graph matching technique, graph edit distance, to monitor and detect anomalous behaviour in the network. To date, only simple cost functions for graph edit operations have been used in application to computer network monitoring. This article investigates simple normalisation and non-linear techniques in the graph edit distance cost function, to improve detection of specific traffic-related network anomalies in the computer network domain.
