Lu Guang,Yu Fei,Guangxue Yue,Miaoliang Zhu

DOI: https://doi.org/10.1109/imsccs.2006.287

2006-01-01

Abstract:The research community is interested in finding effective methods to detect network traffic anomalies such as the propagation of a new worm, and to raise alarm in time. In this paper we research the principle that the number of network traffic can affect self-similarity of network traffics, and analyze the variety of self-similarity caused by abnormal network traffic. We propose a network traffic model on normal behaviors of users. An approach, which is applied to determine whether or not abnormal network traffic exists by comparing Hurst parameter with predefined threshold, is also presented. At last, implementation of network worm detecting agent in NP is described. Results of evaluation show that detecting agent performs very well in test-bed.

Bing Wu,Xiaochun Yun,Haiyong Chen

DOI: https://doi.org/10.3321/j.issn:1002-0470.2007.10.004

2007-01-01

Abstract:This paper builds a statistics-based network traffic model by analyzing the size of network traffic and the shape of the traffic curve. It also presents an algorithm to calculate the network traffic curve under normal condition. Automatic detection of anomaly network traffic is realized by calculating the difference between the normal network traffic curve and the abnormal one. Experiments show that the simulation results are in good agreement with the real network traffic and the model can, to some extent, detect anomaly traffic.

XIAO Zheng-hong,PAN Mei-sen,YIN Hao

DOI: https://doi.org/10.3969/j.issn.1001-3695.2007.02.099

2007-01-01

Abstract:Network traffic is one of the key properties in LAN as well as WAN,by wavelet analysis,the complex traffic times series can be decomposed into different frequent components.Based on wavelet decomposed,the self-similar of traffic can be used to detect anomaly behavior of network,a method of detecting attacks based on the deviation of Hurst parameter is presented.The changes of Hurst parameter are analyzed and compared in different time scale.Result shows the proposed approach can detect the possible presence of not only an anomaly,but also its location on data set.

Dingde Jiang,Zhengzheng Xu,Peng Zhang,Ting Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.09.014

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic anomalies contain existing abnormal changes in network traffic, which are derived from malicious and anomalous behaviors of users or network devices, such as network faults, abuses, network attacks, etc. These anomalies often damage our operation networks and even lead to network disruptions. In the present paper, we propose a novel method for detecting traffic anomalies in a network by exacting and capturing their features in the transform domain. Here, we take in consideration network topology information and network-wide traffic jointly. We find that anomalous network-wide traffic usually exhibits distinct high-frequency nature. This motivates us to utilize transform domain analysis theory to characterize network-wide traffic to identify its abnormal components. Besides, we group all origin-destination flows in the network in accordance with common destination nodes. By combining network topology information and transform-domain analysis in the given time window, the specious traffic components can be found and identified. Simulation results show that our detection algorithm exhibits a fairly robust detection ability and provides the better detection performance than previous algorithms. (c) 2013 Elsevier Ltd. All rights reserved.

Ying-Wu ZHU,Jia-Hai YANG,Jin-Xiang ZHANG

DOI: https://doi.org/10.3724/SP.J.1001.2010.03698

2010-01-01

Ruan Jian Xue Bao/Journal of Software

Abstract:Due to the fact that the nature of network traffic is not fully and understood, large-scale, high-speed network traffic anomaly detection in an idea is a difficult problem to solve. According to the analysis of the network traffic structure and traffic information structure, it is found that in a certain range, the IP address and port distributions exhibit heavy tail and self-similar characteristics. The normal network traffic has a relatively stable structure. This structure corresponds to a more stable value of information entropy. Abnormal traffic and sample traffic of information entropy fluctuates by using the normal traffic as the center, and forms the structure of spatial information of IP, port, and IP number of active dimensions. Based on this discovery, the paper proposes a novel traffic classification algorithm, based on support vector machine (SVM) method, that transforms the traffic anomaly detection issue to a SVM-based classification decision issue. The experimental results not only evaluate its accuracy and efficiency, but also show its ability to detect on sampled traffic, which is very important for the traffic data reduction and efficient anomaly detection of high speed networks. © by Institute of Software, the Chinese Academy of Sciences.

Li Zonglin,Hu Guangmin,Yao Xingmiao

DOI: https://doi.org/10.1109/iscc.2009.5202265

2009-01-01

Abstract:Some network anomalous events caused by same reason (e.g., DDoS, link failure) tend to present similar unusual change on multiple traffic observations, and this part of traffic usually exhibits anomalous features either on time or frequency domain. Motivated by this fact, this paper introduces a multidimensional traffic anomaly detection method based on independent component analysis (ICA). Considering traffic observation as a mixture of normal and anomaly that respectively generated by different reasons, we generalize ICA technology of blind sources separation problem to separate the potentially anomalous part from characteristics of individual traffic signal on time and frequent domain. We show that how principle component analysis is combined with sliding window analysis, to measure the degree of similarity among multiple abnormal parts with fine granularity. The evaluation using Abilene trace shows that our method is useful to detect anomalous traffic with small volume, and performs better than previous method.

Ting Chen,Yue Wu

DOI: https://doi.org/10.4028/www.scientific.net/amr.846-847.1072

2013-01-01

Advanced Materials Research

Abstract:An abnormal traffic detection method via statistical model is proposed in this paper. At first, a new feature of normal traffic that it represents significant one-order dependency is discovered. In other words, normal traffic is obviously positive correlative. But the feature rarely appears in abnormal traffic. Based on one-order dependency, an entropy-rate model which is highly relevant to Markov model is then introduced by this paper to detect abnormal traffic. The proposed method is independent of signature so that it is able to detection both known and unknown abnormal traffic. At last, contrast experiment shows that the proposed method outperforms current methods in terms of false positives and false negatives.

Dingde Jiang,Yang Han,Xingwei Wang,Zhengzheng Xu

2010-01-01

Abstract:Traffic anomalies are abnormal changes in network traffic. There are many causes of resulting in traffic anomaly changes, including network fault, abuse, network attack and so on. This paper proposes a novel method for detecting traffic anomalies in a network. Firstly, all Origin-Destination (OD) flows in the network are grouped with accordance with common destination nodes. We then make time-frequency analysis for each group and extract their high frequency component. Based on the extracted high frequency signal, correlation coefficients of each OD flow against the other in a group are computed. Consequently, we can make the exact anomaly detection. Simulation results show that our approach is effective and promising.

Dingde Jiang,Cheng Yao,Zhengzheng Xu,Wenda Qin

DOI: https://doi.org/10.1002/ett.2619

IF: 3.6

2013-01-01

Transactions on Emerging Telecommunications Technologies

Abstract:Abnormal network traffic has an important impact on network activities and leads to the severe damage to our networks because they are usually related with network faults and network attacks. How to detect effectively network traffic anomalies is an open issue for network researchers. This paper proposes a novel method for detecting traffic anomalies in high‐speed backbone networks, based on multi‐scale analysis. Firstly, the continuous wavelet transforms are performed for network traffic in multiple continuous scales. We then use the principal component analysis for the continuous wavelet transforms in the different scales and extract the nature of the anomalous network traffic. And the new mapping function is constructed to detect the abnormal traffic. Finally, we use the traffic data from the real network to validate our method. Simulation results show that our approach is more promising than the previous method.Copyright © 2013 John Wiley & Sons, Ltd.

Huang Kai,Zhengwei Qi,Liu Bo

DOI: https://doi.org/10.1109/WAINA.2009.58

2009-01-01

Abstract:Network always suffers from the traffic anomaly such as router rate change, device restart or the worm attack. The early detection of unusual anomaly in the network is a key to fast recover and avoidance of future serious problem to provide a stable network transmission. In this paper we present a statistical approach to analysis the distribution of network traffic to identify the normal network traffic behavior. We adapt the EM algorism to estimate the distribution parameter of Gaussian mixture distribution model. If only there is a statistical signature of unusual fluctuation or change in the network traffic an alarm will be triggered. We adapt the time series analysis of the statistical analysis result. Up bound and low bound will be defined through the analysis. The exceeding of the bound will be the signal of traffic anomaly. Another time series analysis approach also can reflect the fluctuation of network with the crossover of two indicator lines called K line and D line. These two indicator lines are some think like the mean value of the historical data in a time slice with one more sensitive to the change of the new coming data and another not. The approach three-MACD indicator approach is like the K D approach but more blunt to the unusual fluctuation of network traffic which can submit an alarm more correctly.

Dingde Jiang,Peng Zhang,Zhengzheng Xu,Cheng Yao,Wenda Qin

DOI: https://doi.org/10.1109/CIS.2011.222

2011-01-01

Abstract:Anomaly traffic often breaks out without any omen and brings a breakdown to networks in a short time, and thus the adaptive detection of anomalies in network traffic is an important and challenging task. In this paper, we propose a wavelet-based adaptive approach to detect anomalies in network traffic. We can use wavelet packet transform and continuous wavelet transform to perform the adaptive detect anomaly. First, wavelet packet transform is exploited to extract the anomaly characteristics on the different scales. Then continue wavelet transform is exploited to obtain the further anomaly information about network traffic. Simulation results show that our method is effective and feasible.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

ding de jiang,cheng yao,zheng zheng xu,peng zhang,zhen yuan,wen da qin

DOI: https://doi.org/10.4028/www.scientific.net/AMM.130-134.2098

2012-01-01

Applied Mechanics and Materials

Abstract:Anomalous traffic often has a significant impact on network activities and lead to the severe damage to our networks because they usually are involved with network faults and network attacks. How to detect effectively network traffic anomalies is a challenge for network operators and researchers. This paper proposes a novel method for detecting traffic anomalies in a network, based on continuous wavelet transform. Firstly, continuous wavelet transforms are performed for network traffic in several scales. We then use multi-scale analysis theory to extract traffic characteristics. And these characteristics in different scales are further analyzed and an appropriate detection threshold can be obtained. Consequently, we can make the exact anomaly detection. Simulation results show that our approach is effective and feasible.

Bin Zhang,Jia-Hai Yang,Jian-Ping Wu,Ying-Wu Zhu

DOI: https://doi.org/10.1007/s11390-012-1225-0

2012-01-01

Abstract:Network traffic anomalies are unusual changes in a network, so diagnosing anomalies is important for network management. Feature-based anomaly detection models (ab)normal network traffic behavior by analyzing packet header features. PCA-subspace method (Principal Component Analysis) has been verified as an efficient feature-based way in network-wide anomaly detection. Despite the powerful ability of PCA-subspace method for network-wide traffic detection, it cannot be effectively used for detection on a single link. In this paper, different from most works focusing on detection on flow-level traffic, based on observations of six traffic features for packet-level traffic, we propose a new approach B6-SVM to detect anomalies for packet-level traffic on a single link. The basic idea of B6-SVM is to diagnose anomalies in a multi-dimensional view of traffic features using Support Vector Machine (SVM). Through two-phase classification, B6-SVM can detect anomalies with high detection rate and low false alarm rate. The test results demonstrate the effectiveness and potential of our technique in diagnosing anomalies. Further, compared to previous feature-based anomaly detection approaches, B6-SVM provides a framework to automatically identify possible anomalous types. The framework of B6-SVM is generic and therefore, we expect the derived insights will be helpful for similar future research efforts.

Zhengyi Zhou,Philipp Meerkamp,Chris Volinsky

DOI: https://doi.org/10.48550/arXiv.1610.00579

2016-09-30

Abstract:Detecting and quantifying anomalies in urban traffic is critical for real-time alerting or re-routing in the short run and urban planning in the long run. We describe a two-step framework that achieves these two goals in a robust, fast, online, and unsupervised manner. First, we adapt stable principal component pursuit to detect anomalies for each road segment. This allows us to pinpoint traffic anomalies early and precisely in space. Then we group the road-level anomalies across time and space into meaningful anomaly events using a simple graph expansion procedure. These events can be easily clustered, visualized, and analyzed by urban planners. We demonstrate the effectiveness of our system using 7 weeks of anonymized and aggregated cellular location data in Dallas-Fort Worth. We suggest potential opportunities for urban planners and policy makers to use our methodology to make informed changes. These applications include real-time re-routing of traffic in response to abnormally high traffic, or identifying candidates for high-impact infrastructure projects.

Machine Learning

Jiayi Ni,Wei Chen,Jiacheng Tong,Haiyong Wang,Lifa Wu

DOI: https://doi.org/10.1016/j.jisa.2023.103575

IF: 4.96

2023-08-14

Journal of Information Security and Applications

Abstract:Anomaly detection methods based on machine learning assist in identifying attacker behavior concealed in critical infrastructure's high-speed network traffic. However, these methods generally experience problems including a lack of labeled data and poor performance. We suggest a detection method based on staged frequency domain features to address these issues. A small-step sliding window is used in the training phase to fully understand the frequency domain features of the traffic. We suggest SOM-Kmeans, an integrated clustering technique that can accurately distinguish between malicious and benign flows. We evaluate the SOM-Kmeans accuracy using open datasets and assess its effectiveness in a real network environment. The experimental results demonstrate that our method can detect anomaly traffic at high speed without sacrificing detection accuracy.

computer science, information systems

Li Zonglin,Hu Guangmin,Yao Xingmiao,Yang Dan

DOI: https://doi.org/10.1155/2009/752818

2008-01-01

EURASIP Journal on Advances in Signal Processing

Abstract:Distributed network traffic anomaly refers to a traffic abnormal behavior involving many links of a network and caused by the same source (e.g., DDoS attack, worm propagation). The anomaly transiting in a single link might be unnoticeable and hard to detect, while the anomalous aggregation from many links can be prevailing, and does more harm to the networks. Aiming at the similar features of distributed traffic anomaly on many links, this paper proposes a network-wide detection method by performing anomalous correlation analysis of traffic signals' instantaneous parameters. In our method, traffic signals' instantaneous parameters are firstly computed, and their network-wide anomalous space is then extracted via traffic prediction. Finally, an anomaly is detected by a global correlation coefficient of anomalous space. Our evaluation using Abilene traffic traces demonstrates the excellent performance of this approach for distributed traffic anomaly detection.

jing yuan,ruixi yuan,xi chen

DOI: https://doi.org/10.15837/ijccc.2014.1.870

IF: 2.635

2014-01-01

International Journal of Computers Communications & Control

Abstract:This paper proposes a novel detection engine, called the Wavelet-Recurrence-Clustering (WRC) detection model, to study the network anomaly detection problem that is widely attractive in Internet security area. The WRC model first applies the wavelet transform and recurrence analysis to calculate the multi-scale dynamic characteristics of network traffic, and then identifies network anomalies through the clustering algorithm with those dynamic characteristics. The evaluation results on DARPA 1999 dataset indicate that the WRC detection model can effectively improve the detection accuracy with a low false alarm

Xinggan Peng,Yuxuan Lin,Qi Cao,Yigang Cen,Huiping Zhuang,Zhiping Lin

DOI: https://doi.org/10.1109/itsc55140.2022.9922142

2022-01-01

Abstract:Multivariate time series traffic dataset is usually large with multiple feature dimensions for long time duration under certain time intervals or sampling rates. In applications such as intelligent transportation systems, some machine learning methods being applied to traffic anomaly detections are computed under certain assumptions and require further improvements. Transport traffic time series data may also suffer from unbalanced number of training data where large amount of labelled training data available for a few popular classes, but with very small amount of labelled data for corner cases. In this paper, based on the recent long sequences prediction method Informer, an anomaly detection algorithm with an anomaly score generator is proposed that does not require any assumptions of data. The encoder-decoder architecture is adopted in the anomaly score generator. The encoder consists of three stacking ProbSparse self-attention mechanisms that significantly reduce computing complexity. The decoder incorporates two multi-head attention layers and a fully connected layer to obtain an output of anomaly scores. Then a One-Class Support Vector Machines (OCSVM) is applied to be the anomaly classifier. The proposed algorithm is capable of detecting anomalies for both vehicle traffic flows and pedestrian flows. It has been verified by applying to a real-world dataset consisting of traffic flows recorded in 2021, as well as to a public anomaly detection dataset.

Su Yang,Wenbin Zhou

DOI: https://doi.org/10.1109/PASSAT/SocialCom.2011.10

2011-01-01

Abstract:Some special natural and social events like natural disasters, terrorism attacks, and traffic accidents may have remarkable effect on people's collective behaviors, which means the behaviors of a large number of people viewed as a whole. Analysis of the patterns of collective behaviors in the sense of data mining is an important topic. Solving this problem is crucial and practical in that online detection of abnormal patterns of people's collective behaviors may lead to rapid response to emergent affairs. In terms of technology, the task can be regarded as detection of abnormal particle movement patterns from a global point of view. In this study, we propose a solution to solve this problem. First, the traffic flows observed by more than 4000 sensors are organized as high-dimensional time series. Second, a widely used manifold learning technique referred to as locally linear embedding (LLE) is used to compute the K coefficients in fitting every data point with its K nearest neighbors in the high-dimensional space, which can be regarded as a K-dimensional local feature associated with every data point. Then, the local features of the data points within a time window are summarized by using principal component analysis (PCA) to obtain a global feature to represent the traffic data in every time window. Finally, outlier detection is performed on such PCALLE feature space. The experimental results show that the proposed method can effectively detect abnormal traffic patterns, which correspond with some special days, like the New Year day, the national day of America, and some days with extreme weather. © 2011 IEEE.