DOI: 10.5555/1251086.1251117

Combining filtering and statistical methods for anomaly detection

Published: 19 October 2005

    Abstract

    In this work we develop an approach to anomaly detection for large-scale networks such as those of an enterprise or an ISP. The traffic patterns we focus on are those of a network-wide view of the traffic state, called the traffic matrix. In the first step a Kalman filter is used to filter out the "normal" traffic. This is done by comparing our future predictions of the traffic matrix state to an inference of the actual traffic matrix that is made using more recent measurement data than those used for prediction. In the second step the residual filtered process is then examined for anomalies. We explain here how any anomaly detection method can be viewed as a problem in statistical hypothesis testing. We study and compare four different methods for analyzing residuals, two of which are new. These methods focus on different aspects of the traffic pattern change. One focuses on instantaneous behavior, another focuses on changes in the mean of the residual process, a third on changes in the variance behavior, and a fourth examines variance changes over multiple timescales. We evaluate and compare all of these methods using ROC curves that illustrate the full trade-off between false positives and false negatives for the complete spectrum of decision thresholds.
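    The two-stage pipeline the abstract describes, in Python, as an added example that is not code from the paper: a scalar Kalman filter predicts one step ahead, the normalised innovation (measurement minus prediction) is the residual process, four detectors score that residual (instantaneous magnitude, windowed mean shift, windowed variance ratio, and the maximum variance z-score over several window sizes), and each detector's scores are swept over every decision threshold to produce an ROC curve and its area. The traffic series is constructed (a slow sinusoid plus Gaussian noise with an injected volume step and an injected noise burst); the single directly observed flow, the local-level state model, the window sizes and the calibration prefix are assumptions of this example, and the windowed tests are stand-ins for the paper's own residual tests, not reproductions of them.

```python
# Added example, not the paper's code: Kalman residuals -> four residual tests -> ROC curves.
# Assumptions: one OD flow observed directly (no traffic-matrix inference from link loads), a
# scalar local-level Kalman model, and windowed statistics standing in for the paper's tests.
import math, random, statistics

def simulate_traffic(n=1600, seed=7, step=None, burst=None):
    """Constructed flow volumes: slow sinusoid + Gaussian noise. step=(start, len, size) adds a
    volume shift, burst=(start, len, factor) scales the noise sd. Returns (series, 0/1 labels)."""
    rng = random.Random(seed)
    y, labels = [], []
    for t in range(n):
        base = 100.0 + 2.0 * math.sin(2 * math.pi * t / 800.0)
        shift, sd, anomalous = 0.0, 1.0, 0
        if step and step[0] <= t < step[0] + step[1]:
            shift, anomalous = step[2], 1
        if burst and burst[0] <= t < burst[0] + burst[1]:
            sd, anomalous = sd * burst[2], 1
        y.append(base + shift + rng.gauss(0.0, sd))
        labels.append(anomalous)
    return y, labels

def kalman_residuals(y, q=0.01, r=1.0):
    """Scalar local-level Kalman filter: the level follows a random walk (variance q) and is
    observed with noise variance r. Returns the normalised innovations e_t / sqrt(S_t)."""
    x, p, out = y[0], r, []
    for obs in y:
        x_pred, p_pred = x, p + q        # one-step prediction of the level and its variance
        s = p_pred + r                   # innovation variance S_t
        e = obs - x_pred                 # innovation: measurement minus prediction
        out.append(e / math.sqrt(s))
        k = p_pred / s                   # Kalman gain
        x, p = x_pred + k * e, (1.0 - k) * p_pred
    return out

def score_instant(res):
    """Detector 1: instantaneous behaviour, |residual| at each step."""
    return [abs(e) for e in res]

def score_mean_shift(res, ref_var, w=10):
    """Detector 2: change in the mean, two-sided z-score of the mean of the last w residuals."""
    return [abs(statistics.mean(res[max(0, t - w + 1):t + 1]))
            * math.sqrt(min(t + 1, w) / ref_var) for t in range(len(res))]

def score_variance(res, ref_var, w=10):
    """Detector 3: change in variance, windowed variance over the calibrated variance."""
    return [statistics.variance(res[max(0, t - w + 1):t + 1]) / ref_var if t > 0 else 0.0
            for t in range(len(res))]

def score_multiscale(res, ref_var, scales=(8, 16, 32)):
    """Detector 4: variance change over several timescales. Each scale's ratio becomes an
    approximate z-score (Var(s^2) ~ 2 sigma^4 / (w - 1) for Gaussian data); max over scales."""
    out = []
    for t in range(len(res)):
        zs = [(statistics.variance(res[t - w + 1:t + 1]) / ref_var - 1.0) * math.sqrt((w - 1) / 2.0)
              for w in scales if t + 1 >= w]
        out.append(max(zs, default=0.0))
    return out

def roc_curve(scores, labels):
    """(FPR, TPR) for every distinct threshold, sweeping from strictest to most permissive."""
    pos, neg = sum(labels), len(labels) - sum(labels)
    if pos == 0 or neg == 0:
        raise ValueError("ROC needs both anomalous and normal samples")
    order = sorted(range(len(scores)), key=lambda i: -scores[i])
    pts, tp, fp, i = [(0.0, 0.0)], 0, 0, 0
    while i < len(order):
        thr = scores[order[i]]
        while i < len(order) and scores[order[i]] == thr:   # tied scores move together
            tp, fp = tp + labels[order[i]], fp + 1 - labels[order[i]]
            i += 1
        pts.append((fp / neg, tp / pos))
    return pts

def auc(pts):
    """Area under an ROC curve (trapezoid rule); 0.5 is chance, 1.0 is perfect separation."""
    return sum((x1 - x0) * (y0 + y1) / 2.0 for (x0, y0), (x1, y1) in zip(pts, pts[1:]))

def evaluate(y, labels, n_train=300):
    """Filter, calibrate on a prefix assumed anomaly-free, score, return AUC per detector."""
    res = kalman_residuals(y)
    ref_var = statistics.pvariance(res[:n_train])
    detectors = {"instantaneous": score_instant(res),
                 "mean_shift": score_mean_shift(res, ref_var),
                 "variance": score_variance(res, ref_var),
                 "multiscale": score_multiscale(res, ref_var)}
    return {name: auc(roc_curve(s, labels)) for name, s in detectors.items()}

def run_demo():
    """Volume step at t=600 (25 steps, +10) plus a noise burst at t=1100 (30 steps, 4x sd)."""
    y, labels = simulate_traffic(step=(600, 25, 10.0), burst=(1100, 30, 4.0))
    aucs = evaluate(y, labels)
    for name, a in aucs.items():
        print(f"{name:14s} AUC = {a:.3f}")
    return aucs

if __name__ == "__main__":
    run_demo()
```

    Running run_demo() prints one AUC per detector. The volume step is caught by the instantaneous and mean-shift detectors and the noise burst by the two variance detectors, which is the point of comparing the four: a random-walk Kalman filter tracks a sustained shift within a few tens of samples, so the instantaneous residual only flags the onset while the windowed mean keeps the alarm up, and a pure variance change leaves the mean detectors nearly blind. All four scores are relative to ref_var, so the calibration prefix must itself be anomaly-free; traffic that is already abnormal during calibration raises the reference variance and lowers every detector's sensitivity.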

    Published In

    IMC '05: Proceedings of the 5th ACM SIGCOMM conference on Internet measurement
    October 2005
    389 pages

    Publisher

    USENIX Association, United States

    Qualifiers

    • Article

    Acceptance Rates

    Overall Acceptance Rate 277 of 1,083 submissions, 26%

    Upcoming Conference

    IMC '24
    ACM Internet Measurement Conference
    November 4 - 6, 2024
    Madrid , AA , Spain

    Contributors

    Other Metrics

    Bibliometrics & Citations

    Bibliometrics

    Article Metrics

    • Downloads (Last 12 months)4
    • Downloads (Last 6 weeks)0
    Reflects downloads up to 26 Jul 2024

    Other Metrics

    Cited By

    • (2021) Anomaly-Based Intrusion Detection Systems for Mobile Ad Hoc Networks. International Journal of Systems and Software Security and Protection 12(2), 11-32. doi:10.4018/IJSSSP.2021070102. Online: 1 Jul 2021
    • (2020) Generic Outlier Detection in Multi-Armed Bandit. Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining, 913-923. doi:10.1145/3394486.3403134. Online: 23 Aug 2020
    • (2018) Stealthy Attacks on Smart Grid PMU State Estimation. Proceedings of the 13th International Conference on Availability, Reliability and Security, 1-10. doi:10.1145/3230833.3230868. Online: 27 Aug 2018
    • (2018) On Identifying Anomalies in Tor Usage with Applications in Detecting Internet Censorship. Proceedings of the 10th ACM Conference on Web Science, 87-96. doi:10.1145/3201064.3201093. Online: 15 May 2018
    • (2018) Graph based Tensor Recovery for Accurate Internet Anomaly Detection. IEEE INFOCOM 2018 - IEEE Conference on Computer Communications, 1502-1510. doi:10.1109/INFOCOM.2018.8486332. Online: 16 Apr 2018
    • (2018) Multi-source fusion-based security detection method for heterogeneous networks. Computers and Security 74(C), 55-70. doi:10.1016/j.cose.2018.01.003. Online: 1 May 2018
    • (2017) DeepFlow. Proceedings of the 2nd Workshop on Cloud-Assisted Networking, 43-48. doi:10.1145/3155921.3155922. Online: 11 Dec 2017
    • (2016) Guest Editors' Introduction. IEEE Transactions on Network and Service Management 13(3), 578-580. doi:10.1109/TNSM.2016.2599509. Online: 1 Sep 2016
    • (2016) Network Volume Anomaly Detection and Identification in Large-Scale Networks Based on Online Time-Structured Traffic Tensor Tracking. IEEE Transactions on Network and Service Management 13(3), 636-650. doi:10.1109/TNSM.2016.2598788. Online: 1 Sep 2016
    • (2015) Opprentice. Proceedings of the 2015 Internet Measurement Conference, 211-224. doi:10.1145/2815675.2815679. Online: 28 Oct 2015
