Shenglong Liu,Yuxiao Xia,Di Wang

DOI: https://doi.org/10.1109/access.2024.3376413

IF: 3.9

2024-03-27

IEEE Access

Abstract:In the era of mobile big data, smart mobile devices have become an integral part of our daily life, which brings many benefits to the digital society. However, their popularity and relatively lax security make them vulnerable to various cyber threats. Traditional network traffic analysis techniques utilizing pattern matching and regular expressions matching algorithms are becoming insufficient for mobile big data. Network traffic anomaly detection is an effective method to replace traditional methods. Network traffic anomaly detection can solve many new challenges brought by future network and protect the security of network. In this article, we propose a streaming network framework for mobile big data, referred to as SNMDF, which provides massive data traffic collection, processing, analysis, and updating functions, to cope with the tremendous amount of data traffic. In particular, by analyzing the specific characteristics of anomaly traffic data from flow and user behavior, our proposed SNMDF demonstrates its capability to offer real data-based advice to address new challenges for future wireless networks from the viewpoints of operators. Tested by real mobile big data, SNMDF has proven its efficiency and reliability. Furthermore, SNMDF is accessed for the digital twin of the space Internet, which validates that it can be generalized to other environments with massive data traffic or big data.

computer science, information systems,telecommunications,engineering, electrical & electronic

Laisen Nie,Yongkang Li,Xiangjie Kong

DOI: https://doi.org/10.1109/access.2018.2854842

IF: 3.9

2018-01-01

IEEE Access

Abstract:Over the last decade, vehicular ad-hoc networks (VANETs) have received a greater attention in academia and industry due to their influence in intelligent transportation systems. Providing reliability and security to the VANET is essential in order to guarantee the efficiency of its applications. Anomaly detection has become a challenging problem due to the unique environment of VANETs with quick movement and short-lived link. In this paper, a method using the spatio-temporal feature of network traffic is proposed to implement network traffic estimation at first, and on this basis, an anomaly detection algorithm is put forward. The convolutional neural network is employed to extract the spatio-temporal features of the traffic matrix. In terms of the extracted features, network traffic is estimated by using a fully connected architecture as the output layer. Then, a threshold-based separation method is used to implement anomaly detection. The preliminary experiments comparing the proposed method with other machine learning-based methods show the effectiveness of the proposed anomaly detection method.

Yangrui HU,Xingshu CHEN,Junfeng WANG,Xiaoming YE

DOI: https://doi.org/10.3969/j.issn.1671-1122.2016.11.008

2016-01-01

Abstract:Real network environment lack of labeled data set, so traditional anomaly traffic detection method based on labeled data set is unsuitable for actual large-scale network. To resolve this, the paper proposes an improved k-means anomaly traffic detection method for unlabeled data sets. Firstly, collect the Sichuan University network outlet lfow and store in the distributed ifle system;secondly, construct user behavior feature set on the basis of network lfow analysis, and extract relevant characteristics by Spark big data processing platform. Referenced principles of group to define the normal behavior of clusters in the actual flow, construct normal flow behavior model on improved K-means++cosine clustering method;Finally, the cosine distance between the normal behavior model and user actual flow behavior is calculated to detected anomaly flow behavior. The feasibility and validity of the method are verified by attacking experiment. The experimental results show that the normal lfow behavior model for anomaly lfow detection has higher accuracy.

Wei Xiong,Hanping Hu,Naixue Xiong,Laurence T. Yang,Wen-Chih Peng,Xiaofei Wang,Yanzhen Qu

DOI: https://doi.org/10.1016/j.ins.2013.04.009

IF: 8.1

2013-01-01

Information Sciences

Abstract:Cloud computing represents a new paradigm where computing resources are offered as services in the world via communication Internet. As many new types of attacks are arising at a high frequency, the cloud computing services are exposed to an increasing amount of security threats. To reduce security risks, two approaches of the network traffic anomaly detection in cloud communications have been presented, which analyze dynamic characteristics of the network traffic based on the synergetic neural networks and the catastrophe theory. In the former approach, a synergetic dynamic equation with a group of the order parameters is used to describe the complex behaviors of the network traffic system in cloud communications. When this equation is evolved, only the order parameter determined by the primary factors can converge to 1. Then, the anomaly can be detected. In the latter approach, a catastrophe potential function is introduced to describe the catastrophe dynamic process of the network traffic in cloud communications. When anomalies occur, the state of the network traffic will deviate from the normal one. To assess the deviation, an index named as catastrophe distance is defined. The network traffic anomaly can be detected by the value of this index. We evaluate the performance of these two approaches using the standard Defense Advanced Research Projects Agency data sets. Experimental results show that our approaches can effectively detect the network traffic anomaly and achieve the high detection probability and the low false alarms rate.

Bing Li,Shengjie Zhao,Rongqing Zhang,Qingjiang Shi,Kai Yang

DOI: https://doi.org/10.1049/iet-com.2019.0765

IF: 1.345

2019-01-01

IET Communications

Abstract:Broadband connectivity and mobile technology have been widely applied in the world. With these advanced technologies, the proliferation of smart devices and their applications by accessing mobile internet have come up with a giant leap forward, leading to the ever-increasing scale and complexity of cellular networks. This presents imminent challenges to anomaly detection in cellular networks. In this study, the authors discuss challenges and current literature of anomaly detection for cellular networks to embrace the 'big data' era. First, they review the state-of-the-art techniques in the area of anomaly detection in cellular networks. Then, the challenges are pinpointed for anomaly detection due to the cellular network big data. Finally, they introduce a big data analytic-based anomaly detection method for cellular networks.

Qiqi Zhu,Li Sun

DOI: https://doi.org/10.1109/access.2020.2973214

IF: 3.9

2020-01-01

IEEE Access

Abstract:Anomaly detection for large scale cellular networks can be used by network operators to optimize network performance and enhance mobile user experience. This paper aims at detecting user anomalies from spatio-temporal cell phone activity data. We design an approach combining time series analysis and machine learning to extract the traffic patterns of areal units. This approach can cluster areal units with similar traffic patterns and segment a city into distinct groups. Then, in grouped-areas, we use a clustering technique to detect anomalous behaviors of the cellular network and verify the accuracy of the results using ground truth information collected from online sources. The results indicate that anomalies are associated with abruptly high or unexpected traffic demand at a specific location and time. In addition, we obtain anomaly-free data by removing anomalous data and train a decomposed traffic prediction model. It is observed that the prediction model trained with anomaly-free data can achieve lower normalized mean square error (NMSE), i.e., higher prediction accuracy, than the model trained with anomalous data.

FuCheng Pan,DeZhi Han,Yuping Hu

DOI: https://doi.org/10.1504/IJES.2019.102428

2019-11-25

International Journal of Embedded Systems

Abstract:In order to realise the rapid analysis and identification of abnormal traffic in real-time networks, a distributed real-time network abnormal traffic detection system (DRNATDS) was designed, which could effectively analyse abnormal network traffic. DRNATDS provided effective real-time big data analysis platform and guaranteed network security. The paper proposes K-means algorithm based on relative density and distance, integrated with Spark Streaming and Kafka. It could effectively detect various network attacks under real-time data stream. The experimental results show that DRNATDS has good high availability and stability. Compared to other algorithms, K-means algorithm based on relative density and distance could more effectively identify abnormal network traffic and improve the recognition rate.

English Else

Xiaolong Liang

DOI: https://doi.org/10.1109/netcit54147.2021.00053

2021-12-01

Abstract:With the rapid development of network communication technology, the continuous deepening of Internet application and the increasing enrichment of information, the Internet has become an important infrastructure of human society. With the development of network technology and the increasing complexity of network topology, the supervision of network is facing great challenges. Among them, network traffic anomaly detection is one of the important tasks in network supervision. It is an indispensable technical means in network intrusion detection, security monitoring, operation and maintenance. Network security has become a problem faced by people. Anomaly detection is valued by people in academia and industry because it can detect unknown attacks. Researchers have proposed a large number of anomaly detection methods and systems. However, with the continuous growth of network bandwidth and the continuous progress of network attack and defense game, the network itself is in the process of dynamic evolution, and the means and methods of network attack are also evolving, resulting in the improvement of detection accuracy and accuracy of anomaly detection system Operational efficiency, security and ease of use are facing severe challenges. It is of great significance to propose anomaly detection methods with high detection accuracy and high operation efficiency and optimize existing detection algorithms. It is also a cutting-edge scientific problem of common concern in the field of global network security in academia and industry. Based on the prediction model and classifier, this paper proposes a real-time online anomaly detection method for network traffic, and systematically implements this method.

Fan-Bo MENG,Nan JIANG,Bo LIU,Ran LI,Fei XIA

DOI: https://doi.org/10.12783/dtetr/ssme-ist2016/4030

2016-01-01

DEStech Transactions on Engineering and Technology Research

Abstract:With the advance of new network technologies, new types of applications are quickly arising. Network traffic exponentially is rising. Accordingly, this results in new challenges for network traffic anomaly detections. This paper proposes a new quick detection approach to network traffic anomalies. Firstly, network traffic is regarded as a time series of signals and is constructed into a matrix. Secondly, the principal component decomposition is performed for the matrix. The network traffic is divided into principal and non-principal components. Thirdly, the empirical mode decomposition is carried out for these two components. In this case, a quick anomaly detection algorithm is presented. Simulation results show that our approach is feasible and promising.

Dingde Jiang,Cheng Yao,Zhengzheng Xu,Wenda Qin

DOI: https://doi.org/10.1002/ett.2619

IF: 3.6

2013-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:Abnormal network traffic has an important impact on network activities and leads to the severe damage to our networks because they are usually related with network faults and network attacks. How to detect effectively network traffic anomalies is an open issue for network researchers. This paper proposes a novel method for detecting traffic anomalies in high‐speed backbone networks, based on multi‐scale analysis. Firstly, the continuous wavelet transforms are performed for network traffic in multiple continuous scales. We then use the principal component analysis for the continuous wavelet transforms in the different scales and extract the nature of the anomalous network traffic. And the new mapping function is constructed to detect the abnormal traffic. Finally, we use the traffic data from the real network to validate our method. Simulation results show that our approach is more promising than the previous method.Copyright © 2013 John Wiley & Sons, Ltd.

Yang Li,Wenguang Huang,Xiaohua Tian

DOI: https://doi.org/10.1109/wcsp.2018.8555611

2018-01-01

Abstract:In recent years, emerging smartphones have proliferated fast growth of Over The Top (OTT) services and rapid expansion of mobile networks. However, the underlying network structure is trouble-prone due to massive integrated Internet Service Providers (ISP). Traditional approaches to maintain the network performance cannot satisfy requirements under such a large-scale network. As a result, a low cost and highly efficient anomaly detection mechanism is still unavailable.In this paper we propose a data mining framework to extract network anomalies from crowdsourced network measuring dataset. We first explore the crowdsourced dataset by feature engineering and instance clustering. On the basis of the preprocessed dataset, we propose weighted-apriori rule mining to find out the association between high RTTs and other features thus localizing the network anomaly. We conduct extensive experiments based on a large-scale crowdsourced network dataset with five million samples. The dataset involves round trip time (RTT) information from 6226 kinds of applications and more than 5000 users. Experiments show that our approaches can effectively detect anomalous network conditions.

ZHENG Jun,HU Ming-zeng,YUN Xiao-chun,ZHENG Zhong

DOI: https://doi.org/10.3321/j.issn:1000-436x.2006.02.001

2006-01-01

Abstract:The anomaly detection algorithms of the large scale network(LSN) were required to analysis the vast network traffic of G bit level in real-time and on-the-fly.A novel monitoring mechanism of LSN anomaly detection based on the data stream approach was proposed.The main contributions included: the sketch data structure and the frequent sketch algorithm of data streams were designed for anomaly detection of LSN.Optimized query methods were designed for customizing the security monitoring and detection policy with the correlations of multi data streams.The data reduction was proposed to make it possible that the whole network traffic character could be got using a few of special data streams.The experiments of the real networking environments validate the effectivity of LSN anomaly detection methods.

Kashif Sultan,Hazrat Ali,Zhongshan Zhang

DOI: https://doi.org/10.1109/access.2018.2859756

IF: 3.9

2018-01-01

IEEE Access

Abstract:Mobile networks possess information about the users as well as the network. Such information is useful for making the network end-to-end visible and intelligent. Big data analytics can efficiently analyze user and network information, unearth meaningful insights with the help of machine learning tools. Utilizing big data analytics and machine learning, this paper contributes in three ways. First, we utilize the call detail records data to detect anomalies in the network. For authentication and verification of anomalies, we use k-means clustering, an unsupervised machine learning algorithm. Through effective detection of anomalies, we can proceed to suitable design for resource distribution as well as fault detection and avoidance. Second, we prepare anomaly free data by removing anomalous activities and train a neural network model. By passing the anomaly and anomaly free data through this model, we observe the effect of anomalous activities in training of the model and also observe mean square error of the anomaly and anomaly free data. At last, we use an autoregressive integrated moving average model to predict future traffic for a user. Through simple visualization, we show that the anomaly free data better generalizes the learning models and performs better on prediction task.

Jia-Qi Wei,Qian-Li Zhang,Xing Li

DOI: https://doi.org/10.1109/iccwamtip.2016.8079795

2016-01-01

Abstract:With the increasing scale and complexity of the network, how to maintain a level of network performance and robustness for network operators to satisfy customers becomes more and more challenging. Network anomaly detection and localization are critical for ensuring network performance. In this paper, a novel framework for detecting and localizing network anomalies using active measurements is presented. The framework is composed of three steps: the first step is to detect network anomalies on network path under monitoring, the second step is to cluster destination IPs on the monitored path using unsupervised learning methods, the last step is to localize network anomalies that induce anomalous network performance and behaviors. The last step is designed to reveal the possible cause for each IP set clustered in the second step and localize root cause at every moment by analyzing the inclusion relation between detected anomalous destination IPs and clustered IP sets. The efficacy of the framework to diagnose network anomalies is demonstrated by several real-world cases, which have been recorded in three years of network monitoring experience.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Huang Kai,Zhengwei Qi,Liu Bo

DOI: https://doi.org/10.1109/WAINA.2009.58

2009-01-01

Abstract:Network always suffers from the traffic anomaly such as router rate change, device restart or the worm attack. The early detection of unusual anomaly in the network is a key to fast recover and avoidance of future serious problem to provide a stable network transmission. In this paper we present a statistical approach to analysis the distribution of network traffic to identify the normal network traffic behavior. We adapt the EM algorism to estimate the distribution parameter of Gaussian mixture distribution model. If only there is a statistical signature of unusual fluctuation or change in the network traffic an alarm will be triggered. We adapt the time series analysis of the statistical analysis result. Up bound and low bound will be defined through the analysis. The exceeding of the bound will be the signal of traffic anomaly. Another time series analysis approach also can reflect the fluctuation of network with the crossover of two indicator lines called K line and D line. These two indicator lines are some think like the mean value of the historical data in a time slice with one more sensitive to the change of the new coming data and another not. The approach three-MACD indicator approach is like the K D approach but more blunt to the unusual fluctuation of network traffic which can submit an alarm more correctly.

Xiao-Dong Zang,Jian Gong,Xiao-Yan Hu

DOI: https://doi.org/10.1109/access.2019.2914303

IF: 3.9

2019-01-01

IEEE Access

Abstract:Anomaly detection is the first step with a challenging task of securing a communication network, as the anomalies may indicate suspicious behaviors, attacks, network malfunctions, or failures. In this paper, we address the problem of not only detecting different anomalies, such as volume based (e.g., DDoS or Flash crowd) and spatial based (e.g., network scan), that arise simultaneously in the wild but also of attributing the anomalous point to a single-anomaly event causing it. Besides, we also tackle the problem of low-detection accuracy caused by the phenomenon of traffic drift. To this end, a novel adaptive profile-based anomaly detection scheme is proposed. More specifically, a more comprehensive metrics set is defined from the dimensions of temporal, spatial, category, and intensity to compose IP traffic behavior characteristic spectrum for fine-grained traffic characterization. Then, the digital signature matrix obtained by using the ant colony optimization (ACO) algorithm is applied to construct the baseline profile of the normal traffic behavior. Anomalous points are identified and analyzed by using confidence bands and a generic clustering technique, respectively. Finally, a lightweight updating strategy is applied to reduce the number of false positives. Real-world data of China Education Research Network backbone and synthetic data are collected to verify our proposal. The experimental results demonstrate that our approach provides a fine-grained behavior description ability and has significantly increased the detection accuracy compared with other similar alternatives.

Mohammad Rasoul Tanhatalab,Hossein Yousefi,Hesam Mohammad Hosseini,Mostafa Mofarah Bonab,Vahid Fakharian,Hadis Abarghouei

DOI: https://doi.org/10.1109/sami48414.2020.9108742

2020-01-01

Abstract:In this paper, we propose a novel algorithm to detect anomaly in terms of Key Parameter Indicators (KPI)s over live cellular networks based on the combination of Recurrent Neural Networks (RNN), and Convolutional Neural Networks (CNN), as Recurrent Convolutional Neural Networks (R-CNN). CNN models the spatial correlations and information, whereas, RNN models the temporal correlations and information. Hence, adopting R-CNN provides us with spatial-temporal analysis. In this paper, the studied cellular network consists of 2G, 3G, 4G, and 4. 5G technologies, and the KPIs include Voice and data traffic of the cells. The data and voice traffics are extremely important for the owner of wireless networks, because it is directly related to the revenue, and quality of service that users experience. These traffic changes happen due to a couple of reasons: the subscriber behavior changes due to especial events, making neighbor sites on-air or down, or by shifting the traffic to the other technologies, e.g. shifting the traffic from 3G to 4G. Traditionally, in order to keep the network stable, the traffic should be observed layer by layer during each interval to detect major changes in KPIs, in large scale telecommunication networks it will be too time-consuming with the low accuracy of anomaly detection. However, the proposed algorithm is capable of detecting the abnormal KPIs for each element of the network in a time-efficient and accurate manner. It observes the traffic layer trends, and classifies them into 8 traffic categories: Normal, Suddenly Increasing, Gradually Increasing, Suddenly Decreasing, Gradually Decreasing, Faulty Site, New Site, and Down Site. This classification task enables the vendors and operators to detect anomalies in their live networks in order to keep the KPIs in normal trend. The algorithm is trained and tested on the real dataset over a cellular network with more than 25000 thousand.

Li Zonglin,Hu Guangmin,Yao Xingmiao,Yang Dan

DOI: https://doi.org/10.1155/2009/752818

2008-01-01

EURASIP Journal on Advances in Signal Processing

Abstract:Distributed network traffic anomaly refers to a traffic abnormal behavior involving many links of a network and caused by the same source (e.g., DDoS attack, worm propagation). The anomaly transiting in a single link might be unnoticeable and hard to detect, while the anomalous aggregation from many links can be prevailing, and does more harm to the networks. Aiming at the similar features of distributed traffic anomaly on many links, this paper proposes a network-wide detection method by performing anomalous correlation analysis of traffic signals' instantaneous parameters. In our method, traffic signals' instantaneous parameters are firstly computed, and their network-wide anomalous space is then extracted via traffic prediction. Finally, an anomaly is detected by a global correlation coefficient of anomalous space. Our evaluation using Abilene traffic traces demonstrates the excellent performance of this approach for distributed traffic anomaly detection.

Zhengmin Xia,Songnian Lu,Jianhua Li,Jin Ma

DOI: https://doi.org/10.1007/978-3-642-05250-7_41

2009-01-01

Abstract:Abnormal traffic detection is a difficult problem in network management and network security. This paper proposes an abnormal traffic detection method based on a continuous LoSS (loss of self-similarity) through comparing the difference of Hurst parameter distribution under the network normal and abnormal traffic time series conditions. Due to the needs of fast and high accuracy for abnormal traffic detection, the on-line version of the Abry-Veitch wavelet-based estimator of the Hurst parameter in large time-scale is proposed, and the detection threshold could self-adjusted according to the extent of network traffic self-similarity under normal conditions. This work also investigates the effect of the parameters adjustment on the performance of abnormal traffic detection. The test results on data set from Lincoln lab of MIT demonstrate that the new abnormal traffic detection method has the characteristics of dynamic self-adaptive and higher detection rate, and can be implemented in a real-time way.