Particle Filtering as a Modeling Tool for Anomaly Detection in Networks

When linearity can be rigorously assumed for a stochastic process, the linear Kalman filter is a powerful tool for anomaly detection in communication networks. However, that assumption is usually made on the strength of empirical evidence rather than proved rigorously. It is therefore important to develop anomaly detection methods that do not depend on it. This paper focuses on the use of particle filtering to build a model of normal behavior for an anomaly detector. The particle filter is calibrated for entropy reduction, with the aim of reducing noise in the measurements. Using a mixture of normal distributions, the filtered observations are then grouped into a small number of classes. Anomalies are generally rare, so they tend to fall into a few clusters; a new decision process based on a hidden Markov model lets us track and identify the potentially abnormal clusters. We study the performance of the system by analyzing the false-alarm rate versus detection rate trade-off with Receiver Operating Characteristic (ROC) curves, and compare the results with the Kalman filter. We validate the approach by tracking volume anomalies in real network traffic.
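As an added illustration (not code from the paper), the following Python implements the filtering stage described above: a bootstrap particle filter over a constructed packets-per-second series with an injected volume spike, raising a per-step flag when the standardized innovation exceeds a threshold. The random-walk model, noise parameters, threshold and sample data are assumptions made for this example; the paper's mixture-of-normals clustering and hidden-Markov-model decision stages are not reproduced.

```python
import math
import random


def make_traffic(n=100, spike_at=60, spike_len=5, spike_size=600.0, seed=1):
    """Constructed sample: a slowly varying packets-per-second baseline
    with measurement noise and an injected volume anomaly. Not real data."""
    rng = random.Random(seed)
    truth, obs = [], []
    for t in range(n):
        level = 1000.0 + 100.0 * math.sin(2 * math.pi * t / 200)
        if spike_at <= t < spike_at + spike_len:
            level += spike_size
        truth.append(level)
        obs.append(level + rng.gauss(0.0, 20.0))  # observation noise, std 20
    return truth, obs


def particle_filter(obs, n_particles=500, q=100.0, r=400.0, k=5.0, seed=2):
    """Bootstrap (sequential importance resampling) particle filter on an
    assumed random-walk model of traffic volume: x_t = x_{t-1} + N(0, q),
    y_t = x_t + N(0, r). Returns the filtered estimates and a per-step flag
    set when the standardized innovation exceeds k sigma."""
    rng = random.Random(seed)
    particles = [obs[0] + rng.gauss(0.0, math.sqrt(r)) for _ in range(n_particles)]
    estimates, flags = [], []
    for y in obs:
        # predict: propagate every particle through the random-walk model
        particles = [x + rng.gauss(0.0, math.sqrt(q)) for x in particles]
        pred_mean = sum(particles) / n_particles
        pred_var = sum((x - pred_mean) ** 2 for x in particles) / n_particles
        # innovation = the part of this measurement the model did not expect;
        # its variance is the predicted spread plus the observation noise
        innov = y - pred_mean
        flags.append(abs(innov) / math.sqrt(pred_var + r) > k)
        # update: weight particles by the Gaussian observation likelihood.
        # Work in log space and subtract the max, otherwise a large
        # innovation underflows every weight to 0.0 (weight degeneracy).
        log_w = [-((y - x) ** 2) / (2 * r) for x in particles]
        m = max(log_w)
        w = [math.exp(lw - m) for lw in log_w]
        total = sum(w)
        w = [wi / total for wi in w]
        estimates.append(sum(wi * x for wi, x in zip(w, particles)))
        # resample: multinomial draw proportional to the normalized weights
        particles = rng.choices(particles, weights=w, k=n_particles)
    return estimates, flags
```

Running `particle_filter(make_traffic()[1])` flags the five spike steps, and also the return to baseline, since the filter sees that drop as an equally unexpected level shift; a model that only denoises cannot distinguish the two, which is what a later decision stage has to do.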
