Huang Kai,Zhengwei Qi,Liu Bo

DOI: https://doi.org/10.1109/WAINA.2009.58

2009-01-01

Abstract:Network always suffers from the traffic anomaly such as router rate change, device restart or the worm attack. The early detection of unusual anomaly in the network is a key to fast recover and avoidance of future serious problem to provide a stable network transmission. In this paper we present a statistical approach to analysis the distribution of network traffic to identify the normal network traffic behavior. We adapt the EM algorism to estimate the distribution parameter of Gaussian mixture distribution model. If only there is a statistical signature of unusual fluctuation or change in the network traffic an alarm will be triggered. We adapt the time series analysis of the statistical analysis result. Up bound and low bound will be defined through the analysis. The exceeding of the bound will be the signal of traffic anomaly. Another time series analysis approach also can reflect the fluctuation of network with the crossover of two indicator lines called K line and D line. These two indicator lines are some think like the mean value of the historical data in a time slice with one more sensitive to the change of the new coming data and another not. The approach three-MACD indicator approach is like the K D approach but more blunt to the unusual fluctuation of network traffic which can submit an alarm more correctly.

WANG Feng-yu,YUN Xiao-chun,CAO Zhen-zhong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.010

2007-01-01

Journal of Communications

Abstract:To detect anomaly timely and precisely in high-speed network,an algorithm,named DA-MTS(detecting anomaly on multi-time-scale synchronously),was proposed.Firstly,pre-process the time series of traffic with non-decimated Haar wavelet transform to produce detail signals,which approximately follow Gaussian white noise.Then detect anomaly based on "3σ" principal of normal distribution.Analysis and experiments reveal that this algorithm can detect anomaly on several time-scales recursively without delay,so it can detect anomaly precisely and timely.

Qinpei Zhao,Yinjia Zhang,Yang Shi,Jiangfeng Li

DOI: https://doi.org/10.1007/978-3-030-19861-9_2

2019-01-01

Abstract:The traffic among the hosts and behaviors of the anomalous hosts in the network is usually complex. In network traffic, there is a key problem that is how to identify the security incidents. The corresponding question that who have contributed to the incidents is arisen then. A method, which detects both anomalies and events at the same time is quite helpful. A data from network traffic can be composed of the hosts and different attributes (traffic flow like amount of upload package and download package) in time series. Based on the structure of the network traffic data, we propose an anomaly and event detection method based on the network attributes in time series. The method analyzes both the host’s behavior and the temporal features of the network traffic.

Dingde Jiang,Yang Han,Xingwei Wang,Zhengzheng Xu

2010-01-01

Abstract:Traffic anomalies are abnormal changes in network traffic. There are many causes of resulting in traffic anomaly changes, including network fault, abuse, network attack and so on. This paper proposes a novel method for detecting traffic anomalies in a network. Firstly, all Origin-Destination (OD) flows in the network are grouped with accordance with common destination nodes. We then make time-frequency analysis for each group and extract their high frequency component. Based on the extracted high frequency signal, correlation coefficients of each OD flow against the other in a group are computed. Consequently, we can make the exact anomaly detection. Simulation results show that our approach is effective and promising.

Zheng-mao ZHUANG,Xing-shu CHEN,Guo-lin SHAO,Xiao-ming YE

DOI: https://doi.org/10.6040/j.issn.1671-9352.1.2016.030

2017-01-01

Abstract:Server behavior characteristics in a time of dynamic correlation characteristics of a clustering method based on the distribution ratio, clustering and density deviation combined to construct a temporal correlation server traffic anomaly detection model. Through the campus network server traffic and long-term observation study found that server traffic characteristics and dynamic correlation time, based on this condition, this article extract the feature server traffic flow at the present time and combines the features of the current moment of time associated with dynamic, using K-means clustering algorithm to detect the outliers of the flow characteristics, and find abnormal server traffic. Experimental results show that the model can effectively detect abnormal server traffic even in the real-world environment. The longer the model applies, the stronger adaptable the algorithm is.

XIAO Zheng-hong,PAN Mei-sen,YIN Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.02.099

2007-01-01

Abstract:Network traffic is one of the key properties in LAN as well as WAN,by wavelet analysis,the complex traffic times series can be decomposed into different frequent components.Based on wavelet decomposed,the self-similar of traffic can be used to detect anomaly behavior of network,a method of detecting attacks based on the deviation of Hurst parameter is presented.The changes of Hurst parameter are analyzed and compared in different time scale.Result shows the proposed approach can detect the possible presence of not only an anomaly,but also its location on data set.

Ding De Jiang,Cheng Yao,Wei Han Zhang,Zheng

DOI: https://doi.org/10.4028/www.scientific.net/amr.765-767.1461

2013-01-01

Advanced Materials Research

Abstract:This paper presents a detection algorithm for anomaly network traffic, which is based on spectral kurtosis analysis. Firstly, we turn network traffic into time-frequency signals at different scales. These time-frequency signals hold the more detailed nature corresponding to different scales. Secondly, the time-frequency signals at different scales are transformed into a series of new time signals by time-frequency analysis theory. These new time signals hold obvious narrowband nature and embody the local properties of network traffic. Thirdly, we calculate the spectral kurtosis values of the new time signals and then perform the feature extractions. As a result, the abnormal network traffic can be correctly identified. Simulation results show that our algorithm is feasible and promising.

Fan-Bo MENG,Nan JIANG,Bo LIU,Ran LI,Fei XIA

DOI: https://doi.org/10.12783/dtetr/ssme-ist2016/4030

2016-01-01

DEStech Transactions on Engineering and Technology Research

Abstract:With the advance of new network technologies, new types of applications are quickly arising. Network traffic exponentially is rising. Accordingly, this results in new challenges for network traffic anomaly detections. This paper proposes a new quick detection approach to network traffic anomalies. Firstly, network traffic is regarded as a time series of signals and is constructed into a matrix. Secondly, the principal component decomposition is performed for the matrix. The network traffic is divided into principal and non-principal components. Thirdly, the empirical mode decomposition is carried out for these two components. In this case, a quick anomaly detection algorithm is presented. Simulation results show that our approach is feasible and promising.

Dongpo Wang,Chengli Zhao,Xue Zhang,Boyu Liu,Xiang Li,Dongyun Yi

DOI: https://doi.org/10.1088/1742-6596/1693/1/012050

2020-01-01

Journal of Physics Conference Series

Abstract:With the increasing network threat, network anomaly detection has become a very challenging and indispensable task. In this article, we propose an anomaly detection algorithm through modeling computer network as temporal network. The active subnetwork is extracted from the original computer communication network and then projected to an undirected weighted network series, finally the abnormal behavior patterns of network series are detected based on eigenvectors. Data test experiment shows that the proposed algorithm has achieved very good results.

Yingjie Zhou,Guangmin Hu,Weisong He

DOI: https://doi.org/10.1109/icccas.2009.5250514

2009-01-01

Abstract:Comprehensive collection and accurate description of traffic information are core problems in network traffic anomaly detection. Aiming at the lack of traffic anomaly detection in analyzing multi-time series, we propose a network traffic anomaly detection method based on graph mining. Our method accurately and completely describes the relationships among multi-time series which are used in traffic anomaly detection by time-series graph; by means of the support count of the patterns, our method mines all the frequent patterns,which is conducive to detecting many kinds of abnormal traffic effectively; through mining the relationships among all itemsets, our method introduces weight coefficients of the itemsets, which is able to solve relationship quantification issues of multi-time series in traffic anomaly detection. The simulation results show that the proposed method can effectively detect the network traffic anomaly and achieve a higher accuracy than the CWT-based (Continuous Wavelet Transform-based) method in term of DDos attacks detection.

Li Zonglin,Hu Guangmin,Yao Xingmiao,Yang Dan

DOI: https://doi.org/10.1155/2009/752818

2008-01-01

EURASIP Journal on Advances in Signal Processing

Abstract:Distributed network traffic anomaly refers to a traffic abnormal behavior involving many links of a network and caused by the same source (e.g., DDoS attack, worm propagation). The anomaly transiting in a single link might be unnoticeable and hard to detect, while the anomalous aggregation from many links can be prevailing, and does more harm to the networks. Aiming at the similar features of distributed traffic anomaly on many links, this paper proposes a network-wide detection method by performing anomalous correlation analysis of traffic signals' instantaneous parameters. In our method, traffic signals' instantaneous parameters are firstly computed, and their network-wide anomalous space is then extracted via traffic prediction. Finally, an anomaly is detected by a global correlation coefficient of anomalous space. Our evaluation using Abilene traffic traces demonstrates the excellent performance of this approach for distributed traffic anomaly detection.

Dingde Jiang,Zhengzheng Xu,Peng Zhang,Ting Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.09.014

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic anomalies contain existing abnormal changes in network traffic, which are derived from malicious and anomalous behaviors of users or network devices, such as network faults, abuses, network attacks, etc. These anomalies often damage our operation networks and even lead to network disruptions. In the present paper, we propose a novel method for detecting traffic anomalies in a network by exacting and capturing their features in the transform domain. Here, we take in consideration network topology information and network-wide traffic jointly. We find that anomalous network-wide traffic usually exhibits distinct high-frequency nature. This motivates us to utilize transform domain analysis theory to characterize network-wide traffic to identify its abnormal components. Besides, we group all origin-destination flows in the network in accordance with common destination nodes. By combining network topology information and transform-domain analysis in the given time window, the specious traffic components can be found and identified. Simulation results show that our detection algorithm exhibits a fairly robust detection ability and provides the better detection performance than previous algorithms. (c) 2013 Elsevier Ltd. All rights reserved.

Wu Qing-tao,Shao Zhi-qing

DOI: https://doi.org/10.1007/bf02831726

2006-01-01

Abstract:Distributed Denial of Service (DDoS) attack is a major threat to the availability of Web service. The inherent presence of self-similarity in Web traffic motivates the applicability of time series analysis in the study of the burst feature of DDoS attack. This paper presents a method of detecting DDoS attacks against Web server by analyzing the abrupt change of time series data obtained from Web traffic. Time series data are specified in reference sliding window and test sliding window, and the abrupt change is modeled using Auto-Regressive (AR) process. By comparing two adjacent non-overlapping windows of the time series, the attack traffic could be detected at a time point. Combined with alarm correlation and location correlation, not only the presence of DDoS attack, but also its occurring time and location can be determined. The experimental results in a test environment are illustrated to justify our method.

ZENG Guo-jian,LU Shi-wen,WANG Wei-dong

DOI: https://doi.org/10.3778/j.issn.1002-8331.2008.07.044

2008-01-01

Abstract:An approach,using Netflow technology,to model service traffic and anomaly detection on IP backbone in the perspective of periodic traffic feature is proposed.This method avoids the difficulty to model the uncertainty and nonlinear facts in traffic data and provides more accurate information than the thresholds-based detection method.

Zonglin Li,Guangmin Hu,Ruqiang Zhou

DOI: https://doi.org/10.1142/9789812799524_0363

2008-01-01

Abstract:Traffic modeling as one of the ways to describe the normal behavior of network traffic is used to detect anomaly. Due to the self-similar model and multi-fractal model are inherently unable to capture the nature of traffic data in all time scales, we propose a novel anomaly detection method based on IDC model analysis to describe the characteristic of traffic data more accurately. By studying the influences of anomalous traffic on the estimation of IDC model through wavelet transform modulus maxima, a cumulative deviation is defined to estimate abnormal behavior. The simulation results show that our method is more sensitive to small anomalous traffic than detection methods based on H parameter analysis, and can accurately detect the anomalies which would not cause the Hurst parameter change evidently. Therefore, it is suite for the early stage detection of anomaly traffic.

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.

Zheng Liming,Zou Peng,Jia Yan,Han Weihong

2012-01-01

China Communications

Abstract:Detecting traffic anomalies is essential. for diagnosing attacks. High-Speed Backbone Networks (HSBN) require Traffic Anomaly Detection Systems (TADS) which are accurate (high detection and low false positive rates) and efficient. The proposed approach utilizes entropy as traffic distributions metric over some traffic dimensions. An efficient algorithm, having low computational and space complexity, is used to estimate entropy. Entropy values over all dimensions are collected to form a detection vector for every sliding window. One class support vector machine classifies all detection vectors into one of two groups: abnormal vectors and normal vectors. A Multi-Windows Correlation Algorithm (MWCA) calculates comprehensive anomaly scores observed in a sequence of windows in order to reduce false positive rates and obtain high detection rates. Some real-world traffic traces have been used to validate and evaluate the efficiency and accuracy of this system through three experiments. In Experiment 1, the estimating algorithm of entropy which costs less memory and runs faster than traditional algorithms is more suitable for detection anomalies. In Experiment 2, the classification and correlation algorithms can improve the detection accuracy significantly. Experiment 3 compares the subject system and three well-known systems. Ours system is the most accurate one. Those results have indicated that the proposed system significantly improves the accuracy and efficiency.

Xiejun Ni,Daojing He,Farooq Ahmad

DOI: https://doi.org/10.21015/vtse.v9i2.403

2016-01-01

VFAST Transactions on Software Engineering

Abstract:Revised July 2015 ABSTRACT. Network anomaly detection is an effective way to detect intrusions which defends our computer systems or network from attackers on the Internet. In this paper, we introduce the current research works in network anomaly detection and consider several pratical solutions for this issue. Different from signature-based method, data mining techniques can automatically extract normal pattern from a large set of network data and distinguish them from each other. However, those data mining techniques, such as classification, clustering, association rules and feature selection, can not be applied into this problem directly due to the characteristic of network data and technique themselves. We analyze those unfitness and propose some adaptation to detect anomaly timely and accurately.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

HE Wei-song,HU Guang-min

DOI: https://doi.org/10.3969/j.issn.1001-3695.2011.03.095

2011-01-01

Abstract:This paper proposed a large-scale IP network traffic feature anomaly detection method using time series data mining,analyzed the network traffic feature elements time series as a whole,obtained valid association rules of abnormal network traffic feature using multiple time series data mining,characterized the entire communication network security threats situation accurately.Experiments with Abilene network Netflow data verifies this method.