A BasisEvolution framework for network traffic anomaly detection

Abstract. Traffic anomalies arise from network problems, so detecting and diagnosing them are useful tools for network managers. A great deal of progress has been made on this problem, but most approaches can be thought of as forcing the data to fit a single mould. Existing anomaly detection methods largely work by separating traffic signals into “normal” and “anomalous” types using historical data, but do so inflexibly, either requiring a long description of “normal” traffic or a short but inaccurate one. In essence, preconceived “basis” functions limit the ability to fit the data, and the static nature of many algorithms prevents true adaptivity even though real Internet traffic evolves over time. In our approach we allow a very general class of functions to represent traffic data, constraining them only by invariant properties of network traffic such as diurnal and weekly cycles. This representation is designed to evolve so as to adapt to changing traffic over time. Our anomaly detection thresholds the approximation residual error and combines it with a generic clustering technique so that a group of anomalous points is reported as a single anomaly event. We evaluate our method against orthogonal matching pursuit, principal component analysis, robust principal component analysis and a back-propagation neural network, using both synthetic and real-world data, and obtain very low false-alarm probabilities in comparison.
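The detection pipeline the abstract sketches (fit a basis constrained only by diurnal and weekly periodicity, threshold the residual, then cluster flagged points into events) can be shown end to end on constructed data. The following is an added illustration, not the paper's code: it fixes the basis to sinusoids at the 24 h, 12 h and 168 h periods rather than evolving it, uses a least-squares fit, a median-absolute-deviation threshold and a gap-based merge in place of the paper's generic clustering, and every function name, parameter (`k`, `gap`) and the two-week sample series with its injected surge and drop are assumptions made for the example.

```python
import math
import random

HOURS_PER_DAY = 24
HOURS_PER_WEEK = 168


def basis_functions(t):
    """Evaluate the constrained basis at hour t: a constant plus sinusoids whose
    periods are the traffic invariants the abstract names (diurnal, weekly).
    Only the period is fixed; amplitude and phase come from the fit."""
    cols = [1.0]
    for period in (HOURS_PER_DAY, HOURS_PER_DAY / 2, HOURS_PER_WEEK):
        w = 2 * math.pi * t / period
        cols.extend([math.sin(w), math.cos(w)])
    return cols


def solve_linear(a, b):
    """Solve a x = b by Gauss-Jordan elimination with partial pivoting."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                for c in range(col, n + 1):
                    m[r][c] -= f * m[col][c]
    return [m[i][n] / m[i][i] for i in range(n)]


def fit_basis(times, values):
    """Least-squares coefficients of the basis via the normal equations."""
    rows = [basis_functions(t) for t in times]
    k = len(rows[0])
    ata = [[sum(r[i] * r[j] for r in rows) for j in range(k)] for i in range(k)]
    atb = [sum(r[i] * y for r, y in zip(rows, values)) for i in range(k)]
    return solve_linear(ata, atb)


def residuals(times, values, coef):
    """Observed minus fitted value at every sample."""
    return [y - sum(c * f for c, f in zip(coef, basis_functions(t)))
            for t, y in zip(times, values)]


def median(xs):
    s = sorted(xs)
    n = len(s)
    return s[n // 2] if n % 2 else 0.5 * (s[n // 2 - 1] + s[n // 2])


def cluster_points(indices, gap=1):
    """Merge anomalous sample indices into (start, end) events; a new event
    starts when the distance to the previous flagged sample exceeds `gap`."""
    events = []
    for i in sorted(indices):
        if events and i - events[-1][1] <= gap:
            events[-1] = (events[-1][0], i)
        else:
            events.append((i, i))
    return events


def detect_events(times, values, k=5.0, gap=1):
    """Flag samples whose residual exceeds k robust standard deviations
    (1.4826 * MAD) from the median residual, then cluster them into events."""
    coef = fit_basis(times, values)
    res = residuals(times, values, coef)
    med = median(res)
    scale = 1.4826 * median([abs(r - med) for r in res])
    flagged = [i for i, r in enumerate(res) if abs(r - med) > k * scale]
    return cluster_points(flagged, gap)


def synthetic_traffic(seed=7):
    """Constructed sample (not measured data): two weeks of hourly volumes with
    diurnal and weekly cycles plus bounded noise; a 4 h surge and a 2 h drop
    are injected so the detector has something to find."""
    rng = random.Random(seed)
    times = list(range(2 * HOURS_PER_WEEK))
    values = [100 + 30 * math.sin(2 * math.pi * t / HOURS_PER_DAY)
              + 10 * math.cos(2 * math.pi * t / HOURS_PER_WEEK)
              + rng.uniform(-3, 3) for t in times]
    for t in range(100, 104):
        values[t] += 50   # injected surge
    for t in range(250, 252):
        values[t] -= 40   # injected drop
    return times, values


if __name__ == "__main__":
    t, y = synthetic_traffic()
    print(detect_events(t, y))  # [(100, 103), (250, 251)]
```

Two points the run makes visible: the six flagged hours come back as two events rather than six alerts, which is the reporting behaviour the abstract attributes to clustering, and the median-based scale keeps the injected points from inflating the threshold that is meant to describe normal traffic. The adaptive part of the paper, evolving the basis as traffic changes, would sit on top of this by refitting over a sliding window; it is not implemented here.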
