
Mining anomalies using traffic feature distributions

Published: 22 August 2005

Abstract

The increasing practicality of large-scale flow capture makes it possible to conceive of traffic analysis methods that detect and identify a large and diverse set of anomalies. However, the challenge of effectively analyzing this massive data source for anomaly diagnosis is as yet unmet. We argue that the distributions of packet features (IP addresses and ports) observed in flow traces reveal both the presence and the structure of a wide range of anomalies. Using entropy as a summarization tool, we show that the analysis of feature distributions leads to significant advances on two fronts: (1) it enables highly sensitive detection of a wide range of anomalies, augmenting detections by volume-based methods, and (2) it enables automatic classification of anomalies via unsupervised learning. We show that using feature distributions, anomalies naturally fall into distinct and meaningful clusters. These clusters can be used to automatically classify anomalies and to uncover new anomaly types. We validate our claims on data from two backbone networks (Abilene and Geant) and conclude that feature distributions show promise as a key element of a fairly general network anomaly diagnosis framework.
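The abstract's central idea is that the entropy of a feature distribution (source IP, destination IP, source port, destination port) summarizes how concentrated or dispersed traffic is in that feature, and that the pattern of entropy changes across features exposes an anomaly's structure, not just its presence. The following is an added illustration and is not code from the paper or from the Abilene/Geant analysis: it computes Shannon entropy per feature over a window of flow records and reports features whose entropy departs from a baseline window. The flow records, the two anomaly windows, the packet weighting and the 1-bit threshold are all constructed assumptions for this example.

```python
"""Entropy of traffic feature distributions over flow records.

Added example, not the paper's code: per-feature Shannon entropy over a
window of flow records, compared against a baseline window.  All flow
records and the detection threshold below are constructed for illustration.
"""
from collections import Counter
from math import log2

FEATURES = ("src_ip", "dst_ip", "src_port", "dst_port")


def entropy(hist):
    """Shannon entropy in bits of a histogram {value: count}."""
    total = sum(hist.values())
    h = 0.0
    for count in hist.values():
        if count > 0:
            p = count / total
            h -= p * log2(p)
    return h


def normalized_entropy(hist):
    """Entropy scaled to [0, 1] by log2 of the number of distinct values.
    A window with a single distinct value is fully concentrated (0.0)."""
    n = len(hist)
    if n <= 1:
        return 0.0
    return entropy(hist) / log2(n)


def feature_entropies(flows):
    """Per-feature entropy for one window.  Each flow is a dict with the keys
    in FEATURES plus a 'packets' count; histograms are weighted by packets."""
    result = {}
    for feature in FEATURES:
        hist = Counter()
        for flow in flows:
            hist[flow[feature]] += flow["packets"]
        result[feature] = entropy(hist)
    return result


def flag_deviations(baseline_flows, window_flows, threshold=1.0):
    """Return {feature: entropy change in bits} for features whose entropy
    moved at least `threshold` bits from the baseline.  The sign pattern
    across features distinguishes anomaly types: a flood concentrates
    destinations (entropy falls), a scan disperses them (entropy rises).
    The threshold is an assumption of this example, not the paper's."""
    base = feature_entropies(baseline_flows)
    win = feature_entropies(window_flows)
    return {f: round(win[f] - base[f], 6)
            for f in FEATURES if abs(win[f] - base[f]) >= threshold}


def make_flows(src_ips, dst_ips, src_ports, dst_ports, packets):
    """Build constructed flow records; all list arguments have equal length."""
    return [{"src_ip": s, "dst_ip": d, "src_port": sp, "dst_port": dp,
             "packets": packets}
            for s, d, sp, dp in zip(src_ips, dst_ips, src_ports, dst_ports)]


# Constructed baseline: eight clients talking to two web servers.
BASELINE = make_flows([f"10.0.0.{i}" for i in range(1, 9)],
                      ["192.0.2.10", "192.0.2.20"] * 4,
                      [50000 + i for i in range(8)],
                      [80, 443] * 4, packets=10)

# Constructed flood-like window: many sources, one destination, one port.
# Destination IP and destination port entropies collapse.
FLOOD = make_flows([f"198.51.100.{i}" for i in range(1, 9)],
                   ["192.0.2.10"] * 8,
                   [40000 + i for i in range(8)],
                   [80] * 8, packets=500)

# Constructed scan-like window: one source, many destinations, one port.
# Source IP entropy collapses while destination IP entropy rises.
SCAN = make_flows(["203.0.113.5"] * 8,
                  [f"192.0.2.{i}" for i in range(1, 9)],
                  [60000 + i for i in range(8)],
                  [22] * 8, packets=1)

if __name__ == "__main__":
    print("baseline:", feature_entropies(BASELINE))
    print("flood:   ", flag_deviations(BASELINE, FLOOD))
    print("scan:    ", flag_deviations(BASELINE, SCAN))
```

Run against the constructed windows, the flood window lowers only the destination IP and destination port entropies, while the scan window lowers source IP entropy and raises destination IP entropy; neither change is visible to a pure volume count, which is the sensitivity argument the abstract makes. The `normalized_entropy` variant is included because windows with different numbers of distinct values are not directly comparable on raw entropy, and it handles the degenerate single-value window rather than dividing by log2(1).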



Published In

ACM SIGCOMM Computer Communication Review, Volume 35, Issue 4
Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications
October 2005, 324 pages
ISSN: 0146-4833
DOI: 10.1145/1090191

SIGCOMM '05: Proceedings of the 2005 conference on Applications, technologies, architectures, and protocols for computer communications (ACM Conferences)
August 2005, 350 pages
ISBN: 1595930094
DOI: 10.1145/1080091

    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 22 August 2005, in SIGCOMM-CCR Volume 35, Issue 4

Author Tags

  1. anomaly classification
  2. anomaly detection
  3. network-wide traffic analysis

Qualifiers

  • Article

Cited By

  • (2024) A Light-Weight and Robust Tensor Convolutional Autoencoder for Anomaly Detection. IEEE Transactions on Knowledge and Data Engineering 36(9):4346-4360, September 2024. DOI: 10.1109/TKDE.2023.3332784
  • (2024) Unsupervised Anomaly Detection in Electric Power Networks Using Multi-Layer Auto-Encoders. 2024 Annual Reliability and Maintainability Symposium (RAMS), pages 1-6, 22 January 2024. DOI: 10.1109/RAMS51492.2024.10457681
  • (2024) Anomaly Detection on Servers Using Log Analysis. 2024 8th International Artificial Intelligence and Data Processing Symposium (IDAP), pages 1-5, 21 September 2024. DOI: 10.1109/IDAP64064.2024.10710799
  • (2024) The Way of Machine Learning Based Solicit for Detecting Deceit in Online Based Transaction System with Security. 2024 4th International Conference on Advance Computing and Innovative Technologies in Engineering (ICACITE), pages 1316-1321, 14 May 2024. DOI: 10.1109/ICACITE60783.2024.10616595
  • (2024) Benchmarking the benchmark — Comparing synthetic and real-world Network IDS datasets. Journal of Information Security and Applications 80:103689, February 2024. DOI: 10.1016/j.jisa.2023.103689
  • (2024) An in-depth and insightful exploration of failure detection in distributed systems. Computer Networks 247:110432, June 2024. DOI: 10.1016/j.comnet.2024.110432
  • (2024) Time series clustering with random convolutional kernels. Data Mining and Knowledge Discovery 38(4):1862-1888, 1 July 2024. DOI: 10.1007/s10618-024-01018-x
  • (2023) DDoS Attack and Detection Methods in Internet-Enabled Networks: Concept, Research Perspectives, and Challenges. Journal of Sensor and Actuator Networks 12(4):51, 6 July 2023. DOI: 10.3390/jsan12040051
  • (2023) Deep Encrypted Traffic Detection. Computational Intelligence and Neuroscience 2023, 1 January 2023. DOI: 10.1155/2023/3316642
  • (2023) Research on intelligent power communication network management system based on BP neural network. Proceedings of the 2023 8th International Conference on Intelligent Information Processing, pages 35-39, 21 November 2023. DOI: 10.1145/3635175.3635183
