Histogram-based traffic anomaly detection

IEEE Transactions on Network and Service Management

Volumn 6, Issue 2, 2009, Pages 110-121

  Kind, Andreas ^a   Stoecklin, Marc ^a   Dimitropoulos, Xenofontas ^b  

^a IBM RESEARCH ZURICH   (Switzerland)

^b ETH ZURICH   (Switzerland)

Author keywords

Computer network security, monitoring, clustering methods

Indexed keywords

ANOMALY DETECTION; ANOMALY DETECTION MODELS; CLUSTERING METHODS; DESIGN OPTION; FEATURE-BASED; HISTOGRAM MODELS; IMPACT PERFORMANCE; IP ADDRESSS; NETWORK ANOMALIES; NETWORK TRAFFIC; NEW APPROACHES; PACKET HEADER; PORT NUMBERS; RESEARCH EFFORTS; SERVICE LEVEL AGREEMENTS; TECHNICAL DETAILS; TRAFFIC ANOMALIES; TRAFFIC FEATURES;

CLUSTERING ALGORITHMS; INTERNET; WIRELESS TELECOMMUNICATION SYSTEMS;

NETWORK SECURITY;

EID: 75149179043     PISSN: 19324537     EISSN: None     Source Type: Journal    
DOI: 10.1109/TNSM.2009.090604     Document Type: Article

References (21)

1. J. Schwarz, "Who needs hackers?" New York Times, Sept. 12, 2007.
2. P. Barford, J. Kline, D. Plonka, and A. Ron, "A signal analysis of network traffic anomalies," in Proc. ACM SIGCOMM Internet Measurement Workshop, Nov. 2002, pp. 71-82.
3. J. Brutlag, "Aberrant behavior detection in timeseries for network monitoring," in Proc. USENIX LISA, Nov. 2002.
4. A. Lakhina, M. Crovella, and C. Diot, "Diagnosing network-wide traffic anomalies," in ACM SIGCOMM, Aug. 2004.
5. B. Krishnamurthy, S. Sen, Y. Zhang, and Y. Chen, "Sketch-based change detection: Methods, evaluation, and applications," in Proc. ACM SIGCOMM Internet Measurement Conf., Oct. 2003.
6. Y. Zhang, Z. Ge, A. Greenberg, and M. Roughan, "Network anomography," in Proc. ACM SIGCOMM Internet Measurement Conf., Oct. 2005.
7. M. Thottan and C. Ji, "Anomaly detection in IP networks," IEEE Trans. Signal Processing, vol.51, no.8, pp. 2191-2204, Aug. 2003.
8. A. Lakhina, M. Crovella, and C. Diot, "Mining anomalies using traffic feature distributions," in ACM SIGCOMM '05, 2005, pp. 217-228.
9. H. Ringberg, A. Soule, J. Rexford, and C. Diot, "Sensitivity of pca for traffic anomaly detection," in SIGMETRICS '07: Proc. 2007 ACM SIGMETRICS International Conf. Measurement Modeling Computer Systems. New York, NY, USA: ACM, 2007, pp. 109-120.
10. Y. Gu, A. McCallum, and D. Towsley, "Detecting anomalies in network traffic using maximum entropy estimation," in IMC'05: Proc. Internet Measurement Conf. 2005 Internet Measurement Conf.. Berkeley, CA, USA: USENIX Association, 2005, pp. 32-32
11. A. Wagner and B. Plattner, "Entropy based worm and anomaly detection in fast ip networks," in WETICE '05: Proc. 14th IEEE International Workshops Enabling Technologies: Infrastructure Collaborative Enterprise. Washington, DC, USA: IEEE Computer Society, 2005, pp. 172-177.
12. H. Ringberg, A. Soule, and J. Rexford, "Webclass: adding rigor to manual labeling of traffic anomalies," SIGCOMM Comput. Commun. Rev., vol.38, no.1, pp. 35-38, 2008.
13. A. Soule, H. Larsen, F. Silveira, J. Rexford, and C. Diot, "Detectability of traffic anomalies in two adjacent networks," in Proc. Passive Active Measurements (PAM) Conf., Apr. 2007.
14. D. Brauckhoff, B. Tellenbach, A. Wagner, M. May, and A. Lakhina, "Impact of packet sampling on anomaly detection metrics," in IMC '06: Proc. 6th ACM SIGCOMM Internet Measurement. New York, NY, USA: ACM Press, 2006, pp. 159-164.
15. A. Scherrer, N. Larrieu, P. Owezarski, P. Borgnat, and P. Abry, "Nongaussian and long memory statistical characterizations for internet traffic with anomalies," IEEE/ACM Trans. Dependable Secure Computing, vol.4, no.1, pp. 56-70, 2007. (Pubitemid 46384621)
16. M. Ph. Stoecklin, J.-Y. Le Boudec, and A. Kind, "A two-layered anomaly detection technique based on multi-modal flow behavior models," in Proc. Passive Active Measurements (PAM) Conf., Apr. 2008.
17. A. Frei and M. Rennhard, "Histogram matrix: Log file visualization for anomaly detection," in Proc. Third International Conf. Availability, Reliability Security, 2008, pp. 610-617.
18. V. Chandola, A. Banerjee, and V. Kumar, "Anomaly detection: A survey," ACM Computing Surveys, vol. to appear, 2009.
19. Calinski and Harabasz, "A dendrite method for cluster analysis," Commun. Statistics, vol.3, no.1, pp. 1-27, 1974.
20. G. W. Milligan and M. Cooper, "An examination of procedures for determining the number of clusters in a data set," Psychometrika, vol.50, pp. 159-179, 1985.
21. Lincoln Laboratory, "DARPA intrusion detection evaluation," [Online]. Available: http://www.ll.mit.edu/mission/communications/ist/corpora/ ideval/, MIT, 2001.