论文信息 - Anomaly Detections in Internet traffic Using Empirical Measures

Anomaly Detections in Internet traffic Using Empirical Measures

Introducing Internet traffic anomaly detection mechanism based on large deviations results for empirical measures. Using past traffic traces we characterize network traffic during various time-of-day intervals, assuming that it is anomaly-free. Throughout, we compare the two approaches presenting their advantages and disadvantages to identify and classify temporal network anomalies. We also demonstrate how our framework can be used to monitor traffic from multiple network elements in order to identify both spatial and temporal anomalies. We validate our techniques by analyzing real traffic traces with time-stamped anomalies.

[1] R.K. Cunningham,et al. Evaluating intrusion detection systems: the 1998 DARPA off-line intrusion detection evaluation , 2000, Proceedings DARPA Information Survivability Conference and Exposition. DISCEX'00.

[2] Richard Lippmann,et al. The 1999 DARPA off-line intrusion detection evaluation , 2000, Comput. Networks.

[3] Ioannis Ch. Paschalidis,et al. On the estimation of buffer overflow probabilities from measurements , 2001, IEEE Trans. Inf. Theory.

[4] Paul Barford,et al. A signal analysis of network traffic anomalies , 2002, IMW '02.

[5] W. Hoeffding. Asymptotically Optimal Tests for Multinomial Distributions , 1965 .

[6] Vern Paxson,et al. Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[7] Martin Roesch,et al. Snort - Lightweight Intrusion Detection for Networks , 1999 .

[8] Amir Dembo,et al. Large Deviations Techniques and Applications , 1998 .

[9] Ioannis Ch. Paschalidis,et al. Model-based estimation of buffer overflow probabilities from measurements , 2001, SIGMETRICS '01.

[10] Somesh Jha,et al. An architecture for generating semantics-aware signatures , 2005 .