Computer Network Monitoring and Abnormal Event Detection Using Graph Matching and Multidimensional Scaling

Computer network monitoring and abnormal event detection have become important areas of research. In previous work, it has been proposed to represent a computer network as a time series of graphs and to compute the difference, or distance, of consecutive graphs in such a time series. Whenever the distance of two graphs exceeds a given threshold, an abnormal event is reported. In the present paper we go one step further and compute graph distances between all pairs of graphs in a time series. Given these distances, a multidimensional scaling procedure is applied that maps each graph onto a point in the two-dimensional real plane, such that the distances between the graphs are reflected, as closely as possible, in the distances between the points in the two-dimensional plane. In this way the behaviour of a network can be visualised and abnormal events as well as states or clusters of states of the network can be graphically represented. We demonstrate the feasibility of the proposed method by means of synthetically generated graph sequences and data from real computer networks.
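The pipeline the abstract describes, as an added example that is not code from the paper: pairwise graph distances, the earlier consecutive-graph threshold test, and a two-dimensional embedding. It assumes a distance for graphs with unique node labels (nodes plus edges found in only one graph) and classical (Torgerson) MDS, neither of which the abstract specifies; the function names and the sample graphs are constructed for illustration.

```python
import math

def graph_distance(g1, g2):
    # Assumed measure: nodes plus edges present in exactly one graph (unique labels).
    (v1, e1), (v2, e2) = g1, g2
    return len(v1 ^ v2) + len(e1 ^ e2)

def distance_matrix(graphs):
    return [[graph_distance(a, b) for b in graphs] for a in graphs]

def abnormal_transitions(graphs, threshold):
    # Earlier scheme from the abstract: compare consecutive graphs only.
    return [t for t in range(1, len(graphs))
            if graph_distance(graphs[t - 1], graphs[t]) > threshold]

def top_eigenpair(m, iters=500):
    # Power iteration on m + c*I; the shift c targets the largest algebraic eigenvalue.
    n = len(m)
    c = max(sum(abs(x) for x in row) for row in m)
    v = [1.0 + i for i in range(n)]
    for _ in range(iters):
        w = [sum(m[i][j] * v[j] for j in range(n)) + c * v[i] for i in range(n)]
        norm = math.sqrt(sum(x * x for x in w)) or 1.0
        v = [x / norm for x in w]
    lam = sum(v[i] * m[i][j] * v[j] for i in range(n) for j in range(n))
    return lam, v

def classical_mds(d, dims=2):
    # Double-centre the squared distances, then scale the leading eigenvectors.
    n = len(d)
    sq = [[x * x for x in row] for row in d]
    rmean = [sum(row) / n for row in sq]
    total = sum(rmean) / n
    b = [[-0.5 * (sq[i][j] - rmean[i] - rmean[j] + total) for j in range(n)]
         for i in range(n)]
    points = [[] for _ in range(n)]
    for _ in range(dims):
        lam, v = top_eigenpair(b)
        for i in range(n):
            points[i].append(math.sqrt(max(lam, 0.0)) * v[i])
        b = [[b[i][j] - lam * v[i] * v[j] for j in range(n)] for i in range(n)]
    return points

# Constructed sample: hosts as nodes, observed flows as edges, one graph per interval.
V = frozenset("abcde")
E = frozenset([("a", "b"), ("b", "c"), ("c", "d"), ("d", "e")])
FANOUT = {("a", x) for x in ("x1", "x2", "x3", "x4", "c", "d", "e")}
GRAPHS = [(V, E), (V, E | {("a", "c")}), (V, E), (V, E | {("b", "d")}),
          (V | {"x1", "x2", "x3", "x4"}, E | FANOUT), (V, E | {("a", "c")})]
```

With a threshold of 5 the consecutive test flags intervals 4 and 5 (entering and leaving the fan-out state), while the embedding places graph 4 as a single point far from the cluster of normal states.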
