Uncovering network traffic anomalies based on their sparse distributions

Characterizing network traffic with higher-dimensional features increases the complexity of most detectors and classifiers used to identify traffic anomalies. Several key observations from existing studies confirm that network anomalies are typically distributed sparsely: each anomaly is essentially characterized by a small, lower-dimensional subset of the features. Building on this finding, we exploit sparsity to design a novel anomaly detection method that dynamically filters redundant features out of the feature set and accurately classifies the anomalies that remain. Compared with three well-known techniques, our method improves detection accuracy by 10% while the classifier runs in O(n) time.
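The abstract states the idea (an anomaly shows up in only a few features, so a detector can keep just those) but gives no algorithm. The script below is an added toy illustration of that idea, written for this page and not the paper's method: it assumes a five-feature summary per time bin (packet, byte and flow counts plus source-IP and destination-port entropy), a per-feature z-score against a benign baseline to decide which features are "active", and a small hypothetical signature table that matches on the sparse support only. All flow records are constructed inline; the thresholds, feature names and signatures are assumptions chosen for the example.

```python
"""Sparse-signature traffic anomaly detection, constructed illustration.

Each time bin is reduced to a few aggregate features. Only the features
whose z-score against a benign baseline exceeds a threshold are kept
(the sparse support), and classification looks at that support alone.
Scoring is O(#features) per bin, i.e. O(n) over n bins.
"""
import math
from collections import Counter

# Assumed feature set; the paper does not list its features.
FEATURES = ("pkts", "bytes", "flows", "src_ip_entropy", "dst_port_entropy")

# Hypothetical signature table: anomaly class -> required sparse support.
SIGNATURES = {
    "dos_flood": {"pkts": "+", "dst_port_entropy": "-"},
    "port_scan": {"flows": "+", "dst_port_entropy": "+"},
}


def entropy(counter):
    """Shannon entropy (bits) of a Counter's empirical distribution."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return -sum(c / total * math.log2(c / total) for c in counter.values())


def bin_features(flows):
    """flows: list of (src_ip, dst_port, pkts, bytes) tuples for one bin."""
    return {
        "pkts": sum(f[2] for f in flows),
        "bytes": sum(f[3] for f in flows),
        "flows": len(flows),
        "src_ip_entropy": entropy(Counter(f[0] for f in flows)),
        "dst_port_entropy": entropy(Counter(f[1] for f in flows)),
    }


def baseline(benign_bins):
    """Per-feature mean and population stddev over benign bins."""
    stats = {}
    for k in FEATURES:
        vals = [bin_features(b)[k] for b in benign_bins]
        mu = sum(vals) / len(vals)
        sd = math.sqrt(sum((v - mu) ** 2 for v in vals) / len(vals)) or 1e-9
        stats[k] = (mu, sd)
    return stats


def sparse_signature(feat, stats, z_thresh=3.0):
    """Keep only features deviating by >= z_thresh stddevs, with their sign.
    This is the 'dynamic filtering': everything else is dropped as redundant."""
    sig = {}
    for k in FEATURES:
        mu, sd = stats[k]
        z = (feat[k] - mu) / sd
        if abs(z) >= z_thresh:
            sig[k] = "+" if z > 0 else "-"
    return sig


def classify(sig):
    """Match the sparse support against the signature table."""
    if not sig:
        return "normal"
    for name, pattern in SIGNATURES.items():
        if all(sig.get(k) == v for k, v in pattern.items()):
            return name
    return "unknown_anomaly"


# --- constructed sample traffic (not real captures) -------------------------

def make_benign_bins(n_bins=10):
    """8 internal sources talking to 4 services, with mild volume drift."""
    bins = []
    for i in range(n_bins):
        flows = []
        for j in range(40 + 2 * i):
            pkts = 10 + (i + j) % 5
            flows.append((f"10.0.0.{j % 8}", (80, 443, 53, 22)[j % 4], pkts, pkts * 500))
        bins.append(flows)
    return bins


def flood_bin():   # one source hammering one port: pkts up, port entropy down
    return [("203.0.113.7", 80, 100, 6000)] * 2000


def scan_bin():    # one source touching 1500 distinct ports once each
    return [("198.51.100.9", 1024 + p, 1, 60) for p in range(1500)]


def exfil_bin():   # normal flow mix, but each flow carries 200 kB
    return [(f"10.0.0.{j % 8}", (80, 443, 53, 22)[j % 4], 13, 200000) for j in range(45)]


def detect_all():
    """Label each constructed bin; returns {name: class}."""
    benign = make_benign_bins()
    stats = baseline(benign)
    cases = {"benign": benign[5], "flood": flood_bin(),
             "scan": scan_bin(), "exfil": exfil_bin()}
    return {name: classify(sparse_signature(bin_features(b), stats))
            for name, b in cases.items()}


if __name__ == "__main__":
    for name, label in detect_all().items():
        print(f"{name:>7}: {label}")
```

The exfiltration-like bin is the instructive case: only `bytes` survives the filter, so the support is one-dimensional and, because no signature in the table claims it, it is reported as an unknown anomaly rather than forced into a known class. Using the population standard deviation over a small baseline also bounds the z-score of any baseline bin below the threshold, which is why a bin drawn from the baseline itself classifies as normal.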
