Abstract
We present a novel technique to detect traffic anomalies based on network flow behavior in different traffic features. Based on the observation that a network has multiple behavior modes, we estimate the modes in each feature component and extract their model parameters during a learning phase. Observed network behavior is then compared to the baseline models by means of a two-layered distance computation: first, component-wise anomaly indices and second, a global anomaly index for each traffic feature enable effective detection of aberrant behavior. Our technique supports on-line detection and incorporation of administrator feedback and does not make use of explicit prior knowledge about normal and abnormal traffic. We expect benefits from the modeling and detection strategy chosen to reliably expose abnormal events of diverse nature at both detection layers while being resilient to seasonal effects. Experiments on simulated and real network traces confirm our expectations in detecting true anomalies without increasing the false positive rate. A comparison of our technique with entropy- and histogram-based approaches demonstrates its ability to reveal anomalies that disappear in the background noise of output signals from these techniques.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Krishnamurthy, B., Sen, S., Zhang, Y., Chen, Y.: Sketch-based Change Detection: Methods, Evaluation, and Applications. In: ACM IMC 2003, pp. 234–247 (2003)
Barford, P., Kline, J., Plonka, D., Ron, A.: A Signal Analysis of Network Traffic Anomalies. In: Internet Measurement Workshop, pp. 71–82. ACM, New York (2002)
Brutlag, J.D.: Aberrant Behavior Detection in Time Series for Network Monitoring. In: LISA, pp. 139–146 (2000)
Lakhina, A., Crovella, M., Diot, C.: Diagnosing Network-wide Traffic Anomalies. In: ACM SIGCOMM 2004, pp. 219–230 (2004)
Lakhina, A., Crovella, M., Diot, C.: Mining Anomalies using Traffic Feature Distributions. In: ACM SIGCOMM 2005, pp. 217–228 (2005)
Gu, Y., McCallum, A., Towsley, D.F.: Detecting Anomalies in Network Traffic Using Maximum Entropy Estimation. In: ACM IMC 2005, pp. 345–350 (2005)
Venkataraman, S., Caballero, J., Song, D., Blum, A., Yates, J.: Black Box Anomaly Detection: Is It Utopian? In: Fifth Workshop on Hot Topics in Networks (HotNets-V) (2006)
Ester, M., Kriegel, H.P., Sander, J., Xu, X.: A Density-Based Algorithm for Discovering Clusters in Large Spatial Databases with Noise. In: ACM Conference on Knowledge Discovery and Data Mining (KDD), pp. 226–231 (1996)
Lippmann, R., Haines, J.W., Fried, D.J., Korba, J., Das, K.: The 1999 DARPA Off-line Intrusion Detection Evaluation. Computer Networks 34(4), 579–595 (2000)
Soule, A., Ringberg, H., Silveira, F., Rexford, J., Diot, C.: Detectability of Traffic Anomalies in Two Adjacent Networks. In: Uhlig, S., Papagiannaki, K., Bonaventure, O. (eds.) PAM 2007. LNCS, vol. 4427, pp. 22–31. Springer, Heidelberg (2007)
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Stoecklin, M.P., Le Boudec, JY., Kind, A. (2008). A Two-Layered Anomaly Detection Technique Based on Multi-modal Flow Behavior Models. In: Claypool, M., Uhlig, S. (eds) Passive and Active Network Measurement. PAM 2008. Lecture Notes in Computer Science, vol 4979. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-79232-1_22
Download citation
DOI: https://doi.org/10.1007/978-3-540-79232-1_22
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-79231-4
Online ISBN: 978-3-540-79232-1
eBook Packages: Computer ScienceComputer Science (R0)