FENG Zhen,HU Guang-ming,YAO Xing-miao,ZHOU Ying-jie

DOI: https://doi.org/10.3969/j.issn.2095-6835.2010.24.038

2010-01-01

Abstract:Anomaly detection in backbone network faces two problems:anomaly traffic is relatively small and real-time detection is difficult to implement.Aiming at these two difficulties,this paper proposed a detection method of traffic anomaly based on multi-flows and multi-parameters.Our method classified network traffic into several sub-flows which are closely related to network anomaly,extracted a variety of traffic features and packets features,and then detected traffic anomaly through multi-flows and multi-parameters.The detection results in Internet2's real data show that the proposed method can effectively detect flood attacks and port scans,these results almost equal to the results of the offline analysis.

Renjie Zhou,Xiao Wang,Jingjing Yang,Wei Zhang,Sanyuan Zhang

DOI: https://doi.org/10.1155/2021/5560185

IF: 1.968

2021-01-01

Security and Communication Networks

Abstract:The prosperity of mobile networks and social networks brings revolutionary conveniences to our daily lives. However, due to the complexity and fragility of the network environment, network attacks are becoming more and more serious. Characterization of network traffic is commonly used to model and detect network anomalies and finally to raise the cybersecurity awareness capability of network administrators. As a tool to characterize system running status, entropy-based time-series complexity measurement methods such as Multiscale Entropy (MSE), Composite Multiscale Entropy (CMSE), and Fuzzy Approximate Entropy (FuzzyEn) have been widely used in anomaly detection. However, the existing methods calculate the distance between vectors solely using the two most different elements of the two vectors. Furthermore, the similarity of vectors is calculated using the Heaviside function, which has a problem of bouncing between 0 and 1. The Euclidean Distance-Based Multiscale Fuzzy Entropy (EDM-Fuzzy) algorithm was proposed to avoid the two disadvantages and to measure entropy values of system signals more precisely, accurately, and stably. In this paper, the EDM-Fuzzy is applied to analyze the characteristics of abnormal network traffic such as botnet network traffic and Distributed Denial of Service (DDoS) attack traffic. The experimental analysis shows that the EDM-Fuzzy entropy technology is able to characterize the differences between normal traffic and abnormal traffic. The EDM-Fuzzy entropy characteristics of ARP traffic discovered in this paper can be used to detect various types of network traffic anomalies including botnet and DDoS attacks.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Ying-Wu ZHU,Jia-Hai YANG,Jin-Xiang ZHANG

DOI: https://doi.org/10.3724/SP.J.1001.2010.03698

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Due to the fact that the nature of network traffic is not fully and understood, large-scale, high-speed network traffic anomaly detection in an idea is a difficult problem to solve. According to the analysis of the network traffic structure and traffic information structure, it is found that in a certain range, the IP address and port distributions exhibit heavy tail and self-similar characteristics. The normal network traffic has a relatively stable structure. This structure corresponds to a more stable value of information entropy. Abnormal traffic and sample traffic of information entropy fluctuates by using the normal traffic as the center, and forms the structure of spatial information of IP, port, and IP number of active dimensions. Based on this discovery, the paper proposes a novel traffic classification algorithm, based on support vector machine (SVM) method, that transforms the traffic anomaly detection issue to a SVM-based classification decision issue. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect on sampled traffic, which is very important for the traffic data reduction and efficient anomaly detection of high speed networks. © by Institute of Software, the Chinese Academy of Sciences.

Xiao-Dong Zang,Jian Gong,Xiao-Yan Hu

DOI: https://doi.org/10.1109/access.2019.2914303

IF: 3.9

2019-01-01

IEEE Access

Abstract:Anomaly detection is the first step with a challenging task of securing a communication network, as the anomalies may indicate suspicious behaviors, attacks, network malfunctions, or failures. In this paper, we address the problem of not only detecting different anomalies, such as volume based (e.g., DDoS or Flash crowd) and spatial based (e.g., network scan), that arise simultaneously in the wild but also of attributing the anomalous point to a single-anomaly event causing it. Besides, we also tackle the problem of low-detection accuracy caused by the phenomenon of traffic drift. To this end, a novel adaptive profile-based anomaly detection scheme is proposed. More specifically, a more comprehensive metrics set is defined from the dimensions of temporal, spatial, category, and intensity to compose IP traffic behavior characteristic spectrum for fine-grained traffic characterization. Then, the digital signature matrix obtained by using the ant colony optimization (ACO) algorithm is applied to construct the baseline profile of the normal traffic behavior. Anomalous points are identified and analyzed by using confidence bands and a generic clustering technique, respectively. Finally, a lightweight updating strategy is applied to reduce the number of false positives. Real-world data of China Education Research Network backbone and synthetic data are collected to verify our proposal. The experimental results demonstrate that our approach provides a fine-grained behavior description ability and has significantly increased the detection accuracy compared with other similar alternatives.

Dingde Jiang,Zhengzheng Xu,Peng Zhang,Ting Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.09.014

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic anomalies contain existing abnormal changes in network traffic, which are derived from malicious and anomalous behaviors of users or network devices, such as network faults, abuses, network attacks, etc. These anomalies often damage our operation networks and even lead to network disruptions. In the present paper, we propose a novel method for detecting traffic anomalies in a network by exacting and capturing their features in the transform domain. Here, we take in consideration network topology information and network-wide traffic jointly. We find that anomalous network-wide traffic usually exhibits distinct high-frequency nature. This motivates us to utilize transform domain analysis theory to characterize network-wide traffic to identify its abnormal components. Besides, we group all origin-destination flows in the network in accordance with common destination nodes. By combining network topology information and transform-domain analysis in the given time window, the specious traffic components can be found and identified. Simulation results show that our detection algorithm exhibits a fairly robust detection ability and provides the better detection performance than previous algorithms. (c) 2013 Elsevier Ltd. All rights reserved.

颜若愚,郑庆华

2010-01-01

Abstract:A traffic anomaly detection and classification method based on cross entropy is proposed to identify network attack behaviors accurately.Both features of traffic flow header and traffic behavior are used to characterize three types of common attacks,such as DoS attacks,port scans and network scans.The cross entropy is used to measure traffic distribution changes for each traffic feature,and a behavior vector for each attack type is built.Then exponentially weighted moving average control chart method is applied to multiple cross entropy indicators for anomaly detection,and an anomaly vector is generated.The similarity between the anomaly vector and each behavior vector is computed to classify attacks.Experimental results and comparisons with the Shannon entropy measurement on Netflow traffic in a router show that under relatively weaker attacks,the true positive rate,average precision and accuracy of the cross entropy measurement in attack classification rise by 13%,15%,and 13%,respectively.

Dingde Jiang,Cheng Yao,Zhengzheng Xu,Wenda Qin

DOI: https://doi.org/10.1002/ett.2619

IF: 3.6

2013-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:Abnormal network traffic has an important impact on network activities and leads to the severe damage to our networks because they are usually related with network faults and network attacks. How to detect effectively network traffic anomalies is an open issue for network researchers. This paper proposes a novel method for detecting traffic anomalies in high‐speed backbone networks, based on multi‐scale analysis. Firstly, the continuous wavelet transforms are performed for network traffic in multiple continuous scales. We then use the principal component analysis for the continuous wavelet transforms in the different scales and extract the nature of the anomalous network traffic. And the new mapping function is constructed to detect the abnormal traffic. Finally, we use the traffic data from the real network to validate our method. Simulation results show that our approach is more promising than the previous method.Copyright © 2013 John Wiley & Sons, Ltd.

Tingting Huang,Chao Liu,Anuj Sharma,Soumik Sarkar

DOI: https://doi.org/10.36001/ijphm.2018.v9i1.2671

2020-01-01

International Journal of Prognostics and Health Management

Abstract:Traffic dynamics in the urban interstate system are critical in terms of highway safety and mobility. This paper proposes a systematic data mining technique to detect traffic system-level anomalies in a batch-processing fashion. Built on the concepts of symbolic dynamics, a spatiotemporal pattern network (STPN) architecture is developed to capture the system characteristics. This novel spatiotemporal graphical modeling approach is shown to be able to extract salient time series features and discover spatial and temporal patterns for a traffic system. An information-theoretic metric is used to quantify the causal relationships between sub-systems. By comparing the structural similarity of the information-theoretic metrics of the STPNs learnt from each day, a day with anomalous system characteristics can be identified. A case study is conducted on an urban interstate in Iowa, USA, with 11 roadside radar sensors collecting 20-second resolution speed and volume data. After applying the proposed methods on one-month data (Feb. 2017), several system-level anomalies are detected. The potential causes that include inclement weather condition and non-recurring congestion are also verified to demonstrate the efficacies of the proposed technique. Compared to the traditional predefined performance measures for the traffic systems, the proposed framework has advantages in capturing spatiotemporal features in a fast and scalable manner.

Hua Peng,Liang Liu,Jiayong Liu,Johnwb R. Lewis

DOI: https://doi.org/10.3233/jifs-179072

2019-01-01

Journal of Intelligent & Fuzzy Systems

Abstract:Now, the classifier network anomaly traffic detection method is generally considered to be a general method of good detection effect and high detection precision. In order to detect abnormal network traffic more efficiently, so as to ensure the security of Internet users, a network traffic anomaly detection algorithm based on Mahout Classifier is studied. Aiming at the problem of time correlation and the influence of abnormal samples on accuracy of detection statistics, and the first detection point is eliminated and the applicable detection point is added. The BP neural network algorithm and Bayesian network model are used to predict the abnormal probability of the anomaly node, the detection precision is optimized, and the exception points of the training set are reorganized. In view of the anomalies detected by anomaly detection models, an emergency response method is proposed, which not only detects anomalies, but also handles anomalies.

Hong Wang,Zhenghu Gong,Qing Guan,Baosheng Wang

DOI: https://doi.org/10.1109/icn.2008.83

2008-01-01

Abstract:Anomalies generate vast amounts of bogus traffic, which can overwhelm the network and any attached hosts. Identifying Traffic anomalies rapidly and accurately is critical to network stability and usefulness. Most papers focus on analyzing the volume of data or packets on the network. However, legitimate network traffic may be bursty or highly variable, rendering such naive approaches ineffective[7]. We propose a novel method called MultiA to solve this problem. Rather than just looking at volumes of packets, MultiA intelligently adopted Multistage Filter and information entropy take into account the behavior of the network. The MultiA is scalable, automated and self-training. We find this technique effectively identifies network traffic anomalies while avoiding the high false alarms rate.

Yan Ruo-Yu,Zheng Qing-Hua

DOI: https://doi.org/10.1109/isda.2008.167

2008-01-01

Abstract:The idea of using entropy measurement to detect anomalies or analyze traffic characteristics has been floating around the research community for some time. But all these entropy-based approaches are single-scale based "complexity" methods and fail to account for the multiple time scales inherent in time series. In order to fulfill this goal we have introduced Renyi entropy based method: multi-scale entropy (MSE). In this paper, a kind of port-to-port traffic in router is presented, which we call IF-flow. IF-flows can amplify the ratio of attack traffic to normal traffic. We apply MSE to the analysis of IF-flow time series in time scales, and find some interesting results. One of results supports a general view that flow count metric has a more powerful ability to detect many types of anomalies than byte and packet count metric. We also use MSE to detect anomaly existed in IF-flow time series. The experimental results indicate MSE can detect anomaly accurately.

Min Li,Shunzheng Yu,Li He

DOI: https://doi.org/10.1109/npc.2008.89

2008-01-01

Abstract:In contrast to many techniques exploiting temporal patterns of traffic from a single network element, network-wide traffic analysis mainly focuses on the spatial behavior across the whole network. This paper proposes a spatial hidden Markov model (SHMM) to learn the normal patterns of network-wide traffic. Combined with topology information, SHMM models traffic volumes on links as probabilistic outputs of underlying interactions between routers. Based on a trained SHMM, a nonparametric CUSUM algorithm is used to track the change of entropy of observation sequences in different sliding windows for anomaly detection. Background traffic collected from real network and synthetic anomalies are used for validation of the detection method. The results prove our method effective for network-wide traffic anomaly detection.

Yating Liu,Yuantao Gu,Xinyue Shen,Qingmin Liao,Quan Yu

DOI: https://doi.org/10.1109/tnse.2022.3206353

IF: 6.6

2023-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Anomaly detection is a crucial topic in network security which refers to automatically mining known and unknown attacks or threats. Many detectors have been proposed in the last decade. Nonetheless, a practical solution, which is able to provide a high True Positive Rate (TPR) with an acceptable False Positive Rate (FPR) without any prior information, is still challenging due to the complexity and variability of anomaly pattern. In this article, we propose a novel unsupervised detection system called MSCA which applies multiple sketches, K-means++ unsupervised clustering, and association rule mining to detect traffic anomalies and analyze anomalous features and correlations. It can blindly identify known and unknown traffic anomalies without any labeled traffic or prior signatures about data distribution. Rich traffic data is first aggregated and compacted to traffic flows by sketches, and further detected by the combination of clustering algorithm and voting strategy. Then association rule mining is finally utilized to find the anomalous frequent item-sets and association rules. Numerical experiments on MAWILAB datasets demonstrate that the proposed detection method outperforms other reference unsupervised detection methods. It achieves an accuracy of 99.86%, 99.97%, 97.08%, and 95.19% in overall four detection types including IP and port of source and destination.

Bin Zhang,Jiahai Yang,Jianping Wu,Ziyu Wang

DOI: https://doi.org/10.1093/comjnl/bxr134

2013-01-01

Abstract:In this paper, we present a statistical analysis of six traffic features based on entropy and distinct feature number at the packet level, and we find that, although these traffic features are unstable and show seasonal patterns like traffic volume for a long period, they are stable and consistent with Gaussian distribution in a short time period. However, this equilibrium property will be violated by some anomalies. Based on this observation, we propose a Multi-dimensional Clustering method for Short-time scale Traffic(MCST) to classify abnormal and normal traffic. We compare our new method to the well known wavelet technique. The detection result on synthetic anomaly traffic shows MCST can better detect the low-rate attacks than wavelet-based method, and detection result on real traffic demonstrates that MCST can detect more anomalies with low false alarm rate.

Dingde Jiang,Yang Han,Xingwei Wang,Zhengzheng Xu

2010-01-01

Abstract:Traffic anomalies are abnormal changes in network traffic. There are many causes of resulting in traffic anomaly changes, including network fault, abuse, network attack and so on. This paper proposes a novel method for detecting traffic anomalies in a network. Firstly, all Origin-Destination (OD) flows in the network are grouped with accordance with common destination nodes. We then make time-frequency analysis for each group and extract their high frequency component. Based on the extracted high frequency signal, correlation coefficients of each OD flow against the other in a group are computed. Consequently, we can make the exact anomaly detection. Simulation results show that our approach is effective and promising.

Huang Kai,Zhengwei Qi,Liu Bo

DOI: https://doi.org/10.1109/WAINA.2009.58

2009-01-01

Abstract:Network always suffers from the traffic anomaly such as router rate change, device restart or the worm attack. The early detection of unusual anomaly in the network is a key to fast recover and avoidance of future serious problem to provide a stable network transmission. In this paper we present a statistical approach to analysis the distribution of network traffic to identify the normal network traffic behavior. We adapt the EM algorism to estimate the distribution parameter of Gaussian mixture distribution model. If only there is a statistical signature of unusual fluctuation or change in the network traffic an alarm will be triggered. We adapt the time series analysis of the statistical analysis result. Up bound and low bound will be defined through the analysis. The exceeding of the bound will be the signal of traffic anomaly. Another time series analysis approach also can reflect the fluctuation of network with the crossover of two indicator lines called K line and D line. These two indicator lines are some think like the mean value of the historical data in a time slice with one more sensitive to the change of the new coming data and another not. The approach three-MACD indicator approach is like the K D approach but more blunt to the unusual fluctuation of network traffic which can submit an alarm more correctly.

Bin Zhang,Jia-Hai Yang,Jian-Ping Wu,Ying-Wu Zhu

DOI: https://doi.org/10.1007/s11390-012-1225-0

2012-01-01

Abstract:Network traffic anomalies are unusual changes in a network, so diagnosing anomalies is important for network management. Feature-based anomaly detection models (ab)normal network traffic behavior by analyzing packet header features. PCA-subspace method (Principal Component Analysis) has been verified as an efficient feature-based way in network-wide anomaly detection. Despite the powerful ability of PCA-subspace method for network-wide traffic detection, it cannot be effectively used for detection on a single link. In this paper, different from most works focusing on detection on flow-level traffic, based on observations of six traffic features for packet-level traffic, we propose a new approach B6-SVM to detect anomalies for packet-level traffic on a single link. The basic idea of B6-SVM is to diagnose anomalies in a multi-dimensional view of traffic features using Support Vector Machine (SVM). Through two-phase classification, B6-SVM can detect anomalies with high detection rate and low false alarm rate. The test results demonstrate the effectiveness and potential of our technique in diagnosing anomalies. Further, compared to previous feature-based anomaly detection approaches, B6-SVM provides a framework to automatically identify possible anomalous types. The framework of B6-SVM is generic and therefore, we expect the derived insights will be helpful for similar future research efforts.

Yongwei Meng,Tao Qin,Shancang Li,Pinghui Wang

DOI: https://doi.org/10.1155/2022/9139321

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:Accurately detecting and identifying abnormal behaviors on the Internet are a challenging task. In this work, an anomaly detection scheme is proposed that employs the behavior attribute matrix and adjacency matrix to characterize user behavior patterns. Then, anomaly detection is conducted by analyzing the residual matrix. By analyzing network traffic and anomaly characteristics, we construct the behavior attribute matrix, which incorporates seven features that characterize user behavior patterns. To include the effects of network environment, we employ the similarity between IP addresses to form the adjacency matrix. Further, we employ CUR matrix decomposition to mine the changing trends of the matrices and obtain the residual pattern characteristics that are used to detect anomalies. To validate the effectiveness and accuracy of the proposed scheme, two datasets are used: (1) the public MAWI dataset, collected from the WIDE backbone network, which is used to validate accuracy; (2) the campus network dataset, collected from the northwest center of Chinese Education and Research Network (CERNET), which is used to verify practicability. The experimental results demonstrate that the proposed scheme can not only accurately detect and identify abnormal behaviors but also trace the source of anomalies.

WANG Feng-yu,YUN Xiao-chun,CAO Zhen-zhong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2007.12.010

2007-01-01

Journal of Communications

Abstract:To detect anomaly timely and precisely in high-speed network,an algorithm,named DA-MTS(detecting anomaly on multi-time-scale synchronously),was proposed.Firstly,pre-process the time series of traffic with non-decimated Haar wavelet transform to produce detail signals,which approximately follow Gaussian white noise.Then detect anomaly based on "3σ" principal of normal distribution.Analysis and experiments reveal that this algorithm can detect anomaly on several time-scales recursively without delay,so it can detect anomaly precisely and timely.