Predictive network anomaly detection and visualization

IEEE Transactions on Information Forensics and Security

Volumn 5, Issue 2, 2010, Pages 288-299

  Celenk, Mehmet ^a   Conley, Thomas ^a   Willis, John ^a   Graham, James ^a  

^a Ohio University   (United States)

Author keywords

Auto regressive moving average (ARMA) modeling; Entropy; Fisher discriminant; Network anomaly; Wiener filtering

Indexed keywords

AUTO-REGRESSIVE MOVING AVERAGE (ARMA) MODELING; AUTOREGRESSIVE MOVING AVERAGE; FISHER DISCRIMINANT; NETWORK ANOMALIES; WIENER FILTERING;

ADAPTIVE FILTERING; ALGORITHMS; ENGINEERS; INTERNET; SIGNAL ENCODING; TRAFFIC CONTROL; TRAFFIC SURVEYS; VISUALIZATION;

ENTROPY;

EID: 77952616174     PISSN: 15566013     EISSN: None     Source Type: Journal    
DOI: 10.1109/TIFS.2010.2041808     Document Type: Article

References (42)

1. R. Kwitt and U. Hofmann, "Unsupervised anomaly detection in network traffic by means of robust PCA, " in Proc. Int. Conf. Computing in the Global Information Technology (ICCGI), 2007, pp. 37-37.
2. G. Shen, D. Chen, and Z. Qin, "Anomaly detection based on aggregated network behavior metrics, " in Proc. Wireless Communications, Networking and Mobile Computing, 2007 (WiCom 2007), pp. 2210-2213.
3. A. Karasaridis, B. Rexroad, and D. Hoeflin, "Wide-scale botnet detection and characterization, " in Proc. First Conf. First Workshop on Hot Topics in Understanding Botnets (HotBots'07), Berkeley, CA, 2007, p. 7, USENIX Association.
4. S. Jin, D. S. Yeung, and X. Wang, "Network intrusion detection in covariance feature space, " Pattern Recognit., vol. 40, no. 8, pp. 2185-2197, 2007. (Pubitemid 46574766)
5. A. Sang and S. Li, "A predictability analysis of network traffic, " in Proc. INFOCOM (1), 2000, pp. 342-351.
6. K. Cho, R. Kaizaki, and A. Kato, "An aggregation technique for traffic monitoring, " in Symp. Applications and the Internet (SAINT) Workshops, 2002, p. 74.
7. R. Pang, V. Yegneswaran, P. Barford, V. Paxson, and L. Peterson, "Characteristics of internet background radiation, " in Proc. ACM Internet Measurement Conf., Oct. 2004, pp. 27-40.
8. A. Feldmann, A. C. Gilbert, and W. Willinger, "Data networks as cascades: Investigating the multifractal nature of internet WAN traffic, " in Proc. SIGCOMM, 1998, pp. 42-55.
9. W. Yurcik and Y. Li, "Internet security visualization case study: Instrumenting a network for netflow security visualization tools, " in Proc. Annual Computer Security Applications Conf. (ACSAC 05), Tucson, AZ, Dec. 5-9, 2005.
10. D. Plonka, "A network traffic flow reporting and visualization tool, " in Proc. 14th USENIX Conf. System Administration, New Orleans, LA, 2000, pp. 305-318.
11. Y. Gong, Security Focus Article: Detecting Worms and Abnormal Activities With NetFlows, Part 1 Aug. 2004 [Online]. Available: http://www.securityfocus. com/infocus/1796
12. Y. Gong, Security Focus Article: Detecting Worms and Abnormal Activities With NetFlows, Part 2 Sep. 2004 [Online]. Available: http://www.securityfocus. com/infocus/1796
13. V. Alarcon-Aquino and J. A. Barria, "Multiresolution FIR neural-network-based learning algorithm applied to network traffic prediction, " IEEE Trans. Syst., Man, Cybern. C, Appl. Rev., vol. 36, no. 2, pp. 208-220, Mar. 2006.
14. Y. Gu, A. McCallum, and D. Towsley, "Detecting anomalies in network traffic using maximum entropy estimation, " in Proc. 5th ACM SIGCOMM Conf. Internet Measurement (IMC '05), New York, 2005, pp. 1-6, ACM.
15. A. Lakhina, M. Crovella, and C. Diot, Mining Anomalies Using Traffic Distributions CS Department, Boston University, Tech. Rep. 2005-002, Feb. 2005.
16. S. Foresti, J. Agutter, Y. Livnat, S. Moon, and R. F. Erbacher, "Visual correlation of network alerts, " IEEE Comput. Graphics Applicat., vol. 26, no. 2, pp. 48-59, Mar./Apr. 2006.
17. R. Eimann, U. Speidel, N. Brownlee, and J. Yang, Network Event Detection With T-Entropy Centre for Discrete Mathematics and Theoretical Computer Science, University of Auckland, New Zealand, Rep. CDMTCS-266, May 2005.
18. A. Lall, V. Sekar, M. Ogihara, J. J. Xu, and H. Zhang, Data Streaming Algorithms for Estimating Entropy of Network Traffic Computer Science Department, University of Rochester, Tech. Rep. TR886, Nov. 2005.
19. E. F. Harrington, "Measuring network change: Rényi cross entropy and the second order degree distribution, " in Proc. Passive and Active Measurement (PAM) Conf., Adelaide, Australia, Mar. 2006.
20. S. Gianvecchio and H. Wang, "Detecting covert timing channels: An entropy-based approach, " in Proc. ACM Conf. Computer and Communications Security, 2007, pp. 307-316.
21. S. S. Kim, A. L. N. Reddy, and M. Vannucci, "Detecting traffic anomalies through aggregate analysis of packet header data, " in Networking. New York: Springer, 2004, vol. 3042, pp. 1047-1059.
22. M. Celenk, T. Conley, J. Graham, and J. Willis, "Anomaly prediction in network traffic using adaptive Wiener filtering and ARMA modeling, " in Proc. IEEE Int. Conf. Systems, Man, and Cybernetics, Oct. 2008, pp. 3548-3553.
23. X. Fu, B. Graham, R. Bettati, and W. Zhao, "On effectiveness of link padding for statistical traffic analysis attacks, " in Proc. 23rd IEEE Int. Conf. Distributed Computing Systems (ICDCS '03), Washington, DC, 2003, p. 340.
24. A. Wagner and B. Plattner, "Entropy based worm and anomaly detection in fast IP networks, " in Proc. 14th IEEE Int. Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprise, Washington, DC, 2005, pp. 172-177.
25. M. Thottan and C. Ji, "Anomaly detection in IP networks, " IEEE Trans. Signal Process., vol. 51, no. 8, pp. 2191-2204, Aug. 2003.
26. H. Hajji, "Statistical analysis of network traffic for adaptive faults detection, " IEEE Trans. Neural Netw., vol. 16, no. 5, pp. 1053-1063, Sep. 2005.
27. S. R. Gaddam and K. S. Balagani, "K-Means+ID3: A novel method for supervised anomaly detection by cascading K-Means clustering and ID3 decision tree learning methods, " IEEE Trans. Knowl. Data Eng., vol. 19, no. 3, pp. 345-354, Mar. 2007.
28. A. Ziviani, M. L. Monsores, P. S. S. Rodrigues, and A. T. A. Gomes, "Network anomaly detection using nonextensive entropy, " IEEE Commun. Lett., vol. 11, no. 12, pp. 1034-1036, Dec. 2007.
29. S. S. Kim and A. L. N. Reddy, "Statistical techniques for detecting traffic anomalies through packet header data, " IEEE/ACM Trans. Netw., vol. 16, no. 3, pp. 562-575, Jun. 2008.
30. G. Androulidakis, V. Chatzigiannakis, and S. Papavassiliou, "Network anomaly detection and classification via opportunistic sampling, " IEEE Network, vol. 23, no. 1, pp. 6-12, Jan./Feb. 2009.
31. S. Theodoridis and K. Koutroumbas, Pattern Recognition, 3rd ed. New York: Academic, Feb. 2006.
32. B. Porat, Digital Processing of Random Signals Theory and Methods. Englewood Cliffs, NJ: Prentice-Hall, 1994.
33. S. M. Asmoredjo, "A Probabilistic Model for Cyber Attacks and Protection, " Master's thesis, Delft University of Technology, Delft, The Netherlands, Jun. 2005.
34. A. Schneider, "Methods of Internet Worm Propagation, " Master's thesis, Wake Forest University, Winston-Salem, NC, 2009, 27109.
35. G. Travis, E. Balas, D. A. J. Ripley, and S. Wallace, Analysis of the "SQL Slammer" Worm and Its Effects on Indiana University and Related Institutions Feb. 2003 [Online]. Available: http://paintsquirrel. ucs.indiana.edu/pdf/SLAMMER.pdf, pp. 1-18
36. M. Abu Rajab, F. Monrose, and A. Terzis, "Worm evolution tracking via timing analysis, " in Proc. 2005 ACM Workshop on Rapid Malcode (WORM '05), New York, 2005, pp. 52-59.
37. B. C. Bag, S. K. Banik, and D. S. Ray, "The noise properties of stochastic processes and entropy production, " Phys. Rev. E, vol. 64, p. 026110, 2001.
38. M. Celenk, T. Conley, J. Willis, and J. Graham, "Anomaly detection and visualization using Fisher discriminant clustering of network entropy, " in Proc. IEEE Third Int. Conf. Digital Information Management (ICDIM 2008), Nov. 2008, pp. 216-220.
39. W. Stallings, Data and Computer Communications (7th Edition). Englewood Cliffs, NJ: Prentice-Hall, 2004.
40. J. S. Lim, Two-Dimensional Signal and Image Processing. Engle-wood Cliffs, NJ: Prentice-Hall, 1990.
41. W. L. Crum, "Tests for serial correlation in regression analysis based on the periodogram of least-squares residuals, " J. Amer. Statist. Assoc., vol. 18, no. 143, pp. 889-899, Sep. 1923.
42. J. Durbin, "The resemblance between the ordinate of the periodogram and the correlation coefficient, " Biometrika, vol. 56, no. 1, pp. 1-15, Mar. 1969.