New Methods for Network Traffic Anomaly Detection

Outlier detection is a well-developed topic in data mining and has made remarkable inroads into many application domains. In this thesis we examine the efficacy of applying outlier detection techniques to understand the behaviour of anomalies in communication network traffic. We have identified several shortcomings. Our main finding is that known techniques focus on characterizing either the spatial or the temporal behaviour of traffic, but rarely both. For example, DoS attacks are anomalies which violate temporal patterns, while port scans violate the spatial equilibrium of network traffic. To address this observed weakness we have designed a new method for outlier detection based on the spectral decomposition of the Hankel matrix. The Hankel matrix is a spatio-temporal correlation matrix and has been used in many other domains, including climate data analysis and econometrics. To the best of our knowledge it has not been used for the analysis of network traffic before. Using our approach we can seamlessly integrate the discovery of both spatial and temporal anomalies. Comparison with other state-of-the-art methods in the networks community confirms that our approach can discover both DoS and port scan attacks.

The spectral decomposition of the Hankel matrix is closely tied to the problem of inference in Linear Dynamical Systems (LDS). We introduce a new problem, the Online Selective Anomaly Detection (OSAD) problem, to model the situation where the objective is to report new anomalies in the system and suppress known faults. For example, in the network setting an operator may be interested in triggering an alarm for malicious attacks but not for faults caused by equipment failure. In order to solve OSAD we combine techniques from machine learning and control theory in a unique fashion. Machine learning ideas are used to learn the parameters of an underlying data generating system. Control theory techniques are used to model the feedback and modify the residual generated by the data generating state model. Experiments on synthetic and real data sets confirm that the OSAD problem captures a general scenario and tightly integrates machine learning and control theory to solve a practical problem.
