A Two-Layered Anomaly Detection Technique Based on Multi-modal Flow Behavior Models

  • Marc Ph. Stoecklin
  • Jean-Yves Le Boudec
  • Andreas Kind
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4979)


We present a novel technique to detect traffic anomalies based on network flow behavior in different traffic features. Based on the observation that a network has multiple behavior modes, we estimate the modes in each feature component and extract their model parameters during a learning phase. Observed network behavior is then compared to the baseline models by means of a two-layered distance computation: first, component-wise anomaly indices and second, a global anomaly index for each traffic feature enable effective detection of aberrant behavior. Our technique supports on-line detection and incorporation of administrator feedback and does not make use of explicit prior knowledge about normal and abnormal traffic. We expect benefits from the modeling and detection strategy chosen to reliably expose abnormal events of diverse nature at both detection layers while being resilient to seasonal effects. Experiments on simulated and real network traces confirm our expectations in detecting true anomalies without increasing the false positive rate. A comparison of our technique with entropy- and histogram-based approaches demonstrates its ability to reveal anomalies that disappear in the background noise of output signals from these techniques.


Learning Phase Behavior Mode Detection Phase Deviation Vector Abnormal Event 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Krishnamurthy, B., Sen, S., Zhang, Y., Chen, Y.: Sketch-based Change Detection: Methods, Evaluation, and Applications. In: ACM IMC 2003, pp. 234–247 (2003)Google Scholar
  2. 2.
    Barford, P., Kline, J., Plonka, D., Ron, A.: A Signal Analysis of Network Traffic Anomalies. In: Internet Measurement Workshop, pp. 71–82. ACM, New York (2002)Google Scholar
  3. 3.
    Brutlag, J.D.: Aberrant Behavior Detection in Time Series for Network Monitoring. In: LISA, pp. 139–146 (2000)Google Scholar
  4. 4.
    Lakhina, A., Crovella, M., Diot, C.: Diagnosing Network-wide Traffic Anomalies. In: ACM SIGCOMM 2004, pp. 219–230 (2004)Google Scholar
  5. 5.
    Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies using Traffic Feature Distributions. In: ACM SIGCOMM 2005, pp. 217–228 (2005)Google Scholar
  6. 6.
    Gu, Y., McCallum, A., Towsley, D.F.: Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation. In: ACM IMC 2005, pp. 345–350 (2005)Google Scholar
  7. 7.
    Venkataraman, S., Caballero, J., Song, D., Blum, A., Yates, J.: Black Box Anomaly Detection: Is It Utopian? In: Fifth Workshop on Hot Topics in Networks (HotNets-V) (2006)Google Scholar
  8. 8.
    Ester, M., Kriegel, H.P., Sander, J., Xu, X.: A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise. In: ACM Conference on Knowledge Discovery and Data Mining (KDD), pp. 226–231 (1996)Google Scholar
  9. 9.
    Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., Das, K.: The 1999 DARPA Off-line Intrusion Detection Evaluation. Computer Networks 34(4), 579–595 (2000)CrossRefGoogle Scholar
  10. 10.
    Soule, A., Ringberg, H., Silveira, F., Rexford, J., Diot, C.: Detectability of Traffic Anomalies in Two Adjacent Networks. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds.) PAM 2007. LNCS, vol. 4427, pp. 22–31. Springer, Heidelberg (2007)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Marc Ph. Stoecklin
    • 1
  • Jean-Yves Le Boudec
    • 2
  • Andreas Kind
    • 1
  1. 1.IBM Zurich Research Laboratory 
  2. 2.Ecole Polytechnique Fédérale de Lausanne (EPFL) 

Personalised recommendations