Abstract:

Because the nature of network traffic is not yet fully understood, anomaly detection on large-scale, high-speed network traffic remains a difficult problem. Analysis of the network traffic structure and the traffic information structure shows that, within a certain range, the IP address and port distributions exhibit heavy-tailed and self-similar characteristics. Normal network traffic has a relatively stable structure, and this structure corresponds to a relatively stable value of information entropy. The information entropy of abnormal traffic, and of sampled traffic, fluctuates around that of normal traffic as its center, forming a spatial information structure over the IP, port and number-of-active-IPs dimensions. Based on this observation, the paper proposes a novel traffic classification algorithm based on the support vector machine (SVM) method, which transforms the traffic anomaly detection problem into an SVM classification decision problem. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect anomalies in sampled traffic, which is very important for traffic data reduction and efficient anomaly detection in high-speed networks.
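The following is an added illustration of the idea in the abstract and is not code from the paper or its authors. It builds constructed flow windows (a "normal" mix, a flood-like window with many sources and one destination, and a scan-like window with one source sweeping ports), computes the normalised Shannon entropy of the source IP, destination IP, source port and destination port distributions per window, expresses each window as its deviation from the entropy centre of normal traffic, and trains a linear SVM on those deviation vectors. The SVM is a plain Pegasos subgradient solver chosen here for self-containment, not the formulation used in the paper; sampling is applied to flows rather than packets, and the active-IP-count dimension is omitted. All traffic, IP ranges and pool sizes are constructed assumptions.

```python
"""Entropy-of-traffic-features + linear SVM anomaly detection (illustrative)."""
import math
import random
from collections import Counter

# Constructed traffic generator (assumption: not real or captured traffic).
SERVICE_PORTS = [80, 443, 22, 53, 25, 8080]
SERVICE_WEIGHTS = [40, 30, 10, 10, 5, 5]      # heavy-tailed: a few ports dominate


def _rand_ip(rng, prefix="10.0"):
    return f"{prefix}.{rng.randint(0, 255)}.{rng.randint(1, 254)}"


def make_window(kind, rng, n_flows=200):
    """Return a window of (src_ip, dst_ip, src_port, dst_port) flow tuples."""
    clients = [_rand_ip(rng) for _ in range(50)]
    servers = [_rand_ip(rng, "10.1") for _ in range(30)]
    flows = []
    for _ in range(n_flows):
        sport = rng.randint(1024, 65535)                  # ephemeral source port
        if kind == "normal":                              # many clients, few servers
            flows.append((rng.choice(clients), rng.choice(servers), sport,
                          rng.choices(SERVICE_PORTS, SERVICE_WEIGHTS)[0]))
        elif kind == "flood":                             # many sources, one victim/port
            flows.append((_rand_ip(rng, "172.16"), "10.1.0.9", sport, 80))
        elif kind == "scan":                              # one source sweeping ports
            flows.append(("192.0.2.7", rng.choice(servers), sport, rng.randint(1, 1024)))
        else:
            raise ValueError(kind)
    return flows


def sample_flows(window, rate, rng):
    """Uniform random flow sampling: keep each flow with probability `rate`."""
    return [f for f in window if rng.random() < rate]


# Feature extraction: normalised entropy per dimension, then deviation from centre.
def norm_entropy(values):
    """Shannon entropy of the empirical distribution divided by log2(#distinct),
    so 1.0 means evenly spread and 0.0 means a single dominant value."""
    counts = Counter(values)
    total = len(values)
    if len(counts) <= 1:
        return 0.0
    h = -sum(c / total * math.log2(c / total) for c in counts.values())
    return h / math.log2(len(counts))


def entropy_vector(window):
    return tuple(norm_entropy([f[i] for f in window]) for i in range(4))


def deviation_features(vec, center):
    """Absolute distance of a window's entropy vector from the normal centre."""
    return tuple(abs(v - c) for v, c in zip(vec, center))


# Linear SVM via the Pegasos stochastic subgradient method (assumption: simple stand-in).
def train_linear_svm(xs, ys, lam=0.01, epochs=300, seed=0):
    rng = random.Random(seed)
    w = [0.0] * (len(xs[0]) + 1)                          # last entry is the bias
    idx, t = list(range(len(xs))), 0
    for _ in range(epochs):
        rng.shuffle(idx)
        for i in idx:
            t += 1
            eta = 1.0 / (lam * t)
            x = list(xs[i]) + [1.0]
            margin = ys[i] * sum(wi * xi for wi, xi in zip(w, x))
            w = [(1 - eta * lam) * wi for wi in w]        # regularisation shrink
            if margin < 1:                                # hinge-loss subgradient step
                w = [wi + eta * ys[i] * xi for wi, xi in zip(w, x)]
    return w


def predict(w, x):
    return 1 if sum(wi * xi for wi, xi in zip(w, list(x) + [1.0])) > 0 else -1


def accuracy(w, xs, ys):
    return sum(predict(w, x) == y for x, y in zip(xs, ys)) / len(ys)


def build_dataset(rng, n_each):
    windows, labels = [], []
    for kind in ("normal", "flood", "scan"):
        for _ in range(n_each):
            windows.append(make_window(kind, rng))
            labels.append(-1 if kind == "normal" else 1)  # +1 = anomalous
    return windows, labels


def run_demo(seed=1, sample_rate=1 / 8):
    """Train on full windows, then test on full and on 1-in-8 sampled windows."""
    rng = random.Random(seed)
    train_w, train_y = build_dataset(rng, 15)
    test_w, test_y = build_dataset(rng, 10)
    normal_vecs = [entropy_vector(w) for w, y in zip(train_w, train_y) if y == -1]
    center = tuple(sum(col) / len(col) for col in zip(*normal_vecs))
    feats = lambda w: deviation_features(entropy_vector(w), center)
    model = train_linear_svm([feats(w) for w in train_w], train_y)
    sampled = [sample_flows(w, sample_rate, rng) for w in test_w]
    return {"center": center,
            "accuracy_full": accuracy(model, [feats(w) for w in test_w], test_y),
            "accuracy_sampled": accuracy(model, [feats(w) for w in sampled], test_y)}


if __name__ == "__main__":
    print(run_demo())
```

The deviation-from-centre features encode the abstract's observation directly: normal windows sit near the origin, while a flood collapses destination IP and destination port entropy and a scan collapses source IP entropy while inflating destination port entropy. Because the features are distribution ratios rather than raw counts, they survive flow sampling far better than volume counters would, which is the property the abstract highlights for high-speed links.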

Citation: 朱应武, 杨家海, 张金祥. Anomaly detection based on traffic information structure. Journal of Software, 2010, 21(10): 2573-2583
Article Metrics
  • Abstract: 10842
  • PDF: 7702
  • HTML: 0
  • Cited by: 0
History
  • Received: March 30, 2009
  • Revised: July 09, 2009
Copyright: Institute of Software, Chinese Academy of Sciences