Feilong Tang,Lu Li,Leonard Barolli,Can Tang

DOI: https://doi.org/10.1109/AINA.2017.125

2017-01-01

Abstract:Software defined networking (SDN) provides flexible management for datacenter networks with the flow-level control. Such the fine-grained management, however, consumes large amount of bandwidth between data and control planes, which results in the bottleneck in the scalability of SDN-based datacenters. "The elephant and mouse phenomenon" suggests that there are only very few elephant flows that carry the majority of bytes in datacenters so that it can improve management efficiency to detect and reroute elephant flows while leaving mice flows in data plane leveraging wildcard flow table in OpenFlow. Unfortunately, existing mechanisms for elephant flow detection suffer from high bandwidth consumption and long detection time. In this paper, we propose an efficient sampling and classification approach (ESCA) with the two-phase elephant flow detection. In the first phase, ESCA improves sampling efficiency by estimating the arrival interval of elephant flows and filtering out redundant samples using a filtering flow table. In the second phase, ESCA classifies samples with a new supervised classification algorithm based on correlation among data flows. The mathematical analysis proofs our ESCA outperforms related schemes. Extensive experiment results on real public datacenter traces further demonstrate that our ESCA can provide accurate detection with less sampled packets and shorter detection time.

Changyu Wang,Xiaohong Guan,Tao Qin,Pinghui Wang,Jing Tao,Yongwei Meng,Jingyuan Liu

DOI: https://doi.org/10.1016/j.knosys.2020.106192

IF: 8.139

2020-01-01

Knowledge-Based Systems

Abstract:Previous machine learning-based network traffic classification approaches hold the assumption that training and testing network environment are of the same. This assumption is invalid in most real cases due to the changes in traffic features and leads to the train-test gap issue: the model trained in the training environment performs poorly in the testing environment. In this paper, to address the gap, we propose CSA: a traffic classification approach based on packet-wise segmentation and aggregation. Firstly, we observe that some specific fragments of network flows - subflows - are robust against the gap. Therefore, we are motivated to segment the traffic flows into different subflows. Afterward, with the justification of our feature selection, 26 statistical features are extracted from each subflow and input into its corresponding sub-classifier. Secondly, with the results from sub-classifiers, we develop an aggregation method based on their classification accuracy to increase the overall classification performance. We experiment on five real datasets, including three collected from the Northwest Center of CERNET (China Education and Research Network) and two from public traces. By comparing with state-of-the-art baselines, the experiment results demonstrate the effectiveness of our CSA against the gap. (C) 2020 Published by Elsevier B.V.

Ziyu Wang,Jiahai Yang,Fuliang Li

DOI: https://doi.org/10.1007/978-3-319-23802-9_10

2014-01-01

Abstract:Network anomalies have been a serious challenge for the Internet nowadays. In this paper, two new metrics, IGTE (Inter-group Traffic Entropy) and IGFE (Inter-group Flow Entropy), are proposed for network anomaly detection. It is observed that IGTE and IGFE are highly correlated and usually change synchronously when no anomaly occurs. However, once anomalies occur, this highly linear correlation would be destroyed. Based on this observation, we propose a linear regression model built upon IGTE and IGFE, to detect the network anomalies. We use both CERNET2 netflow data and synthetic data to validate the regression model and its corresponding detection method. The results show that the regression-based method works well and outperforms the well known wavelet-based detection method.

Lixia Liu,Hong Mei,Bing Xie

2013-01-01

Abstract:With the rapid growth of the categories and numbers of network attacks and the increasing network bandwidth, network traffic anomaly detection systems confront with both higher false positive rate and false negative rate. A traffic anomaly detection system with high precision is presented in this paper. First, we use multi-level and multi-dimensional online OLAP method to analyze traffic data. In order to reduce the computational and space complexity in this analytical process, some optimization strategies are applied in building DetectCube, the minimal directed Steiner tree algorithm is adapted to optimize multiple query on the Cube, and the traffic data is summarized at appropriate level with the help of discovery-driven exploration method. Second, a concept of entropy to measure the distribution of traffic on some particular dimensions is given and the values of entropy in every window and every Group-By operation are collected to form multiple time series of entropy. Finally, we employ one-class support vector machine to classify this multidimensional time series of entropy to achieve the purpose of anomaly detection. The proposed traffic anomaly detection system is validated and evaluated by comparing it with existed systems derived from a lot of real network traffic data sets. Our system can detect attacks with high accuracy and efficiency.

Chonghua Wang,Hao Zhou,Zhiqiang Hao,Shu Hu,Jun Li,Xueying Zhang,Bo Jiang,Xuehong Chen

DOI: https://doi.org/10.1016/j.comnet.2022.108760

IF: 5.493

2022-03-01

Computer Networks

Abstract:Due to the ever-growing presence of network traffic, there has been a considerable amount of research on anomaly detection in network traffic by clustering. Most of them have not considered the problem that collective anomaly detection in network traffic. Collective anomaly might scatter among multiple clusters when applying the clustering-based algorithms in the anomaly detection. In this paper, we propose a progressive exploration framework for collective anomaly detection on network traffic based on a clustering method, called CCAD. CCAD enables analysts to effectively explore collective anomaly in network traffic. This framework is different from the other anomaly detection methods. It is based on the analysis of the influence of collective anomaly on the clustering results in the network traffic stream data. CCAD framework efficiently supports the collective anomaly exploration. As demonstrated by our extensive experiments with real-world data, CCAD has high detection rate in comparison with other existing methods.

computer science, information systems,telecommunications,engineering, electrical & electronic, hardware & architecture

Geng Tian,Zhiliang Wang,Xia Yin,Zimu Li,Xingang Shi,Ziyi Lu,Chao Zhou,Yang Yu,Dan Wu

DOI: https://doi.org/10.1007/978-3-319-28865-9_10

2015-01-01

Abstract:Today, various anomalies and large number of flows in a network make traffic anomaly detection a big challenge. In this paper, we propose DTE-FP (Dual qTsallis Entropy for flow Feature with Properties), a more efficient method for traffic anomaly detection. To handle huge amount of traffic, based on Hadoop, we implement a network traffic anomaly detection system named TADOOP, which supports semi-automatic training and both offline and online traffic anomaly detection. TADOOP with a cluster of five servers has been deployed in Tsinghua University Campus Network. Furthermore, we compare DTE-FP with Tsallis entropy, and the experimental results show that DTE-FP has much better detection capability than Tsallis entropy.

Yue Gu,Dan Li,Kaihui Gao,Yang Cheng

DOI: https://doi.org/10.1109/globecom46510.2021.9685631

2021-01-01

Abstract:Online traffic classification is a fundamental toolkit in network management, such as QoS and network security. The speed and generalization ability of online classification are two requirements that need to be satisfied simultaneously. However, existing methods may suffer from generalization degradation on the traffic with unseen applications which are constantly emerging in the network, due to the feature distribution drift (FDD) caused by their non-robust feature engineering approaches. Based on Deep Metric Learning which can restrict the distances between samples explicitly and clustering algorithm which can learn multiple clusters within each category, this paper presents Robot, a fast and robust online traffic classification system. At its core, Robot leverages two building blocks to classify high-speed traffic flows: 1) For fast classification, Fast model classifies traffic and detects FDD samples simultaneously based on only one packet. 2) For robust classification, once FDD samples are detected, a flow collector will be triggered to collect flows and then Robust model, a multi-center model, will further identify them based on the hybrid of packet-level and flow-level features. Our comprehensive experiments demonstrate that Robot can achieve comparative classification speed and better generalization ability on the mixed traffic datasets with seen and unseen applications (with the FDD detection accuracy of up to 85.8% and with nearly 10% improvement in classification accuracy), compared with the state-of-the-art methods.

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Min Zhu

DOI: https://doi.org/10.1016/j.jnca.2013.10.008

IF: 7.574

2014-01-01

Journal of Network and Computer Applications

Abstract:Traffic pattern characteristics monitoring is useful for abnormal behavior detection and network management. In this paper, we develop a framework for connection degree calculation and measurement in high-speed networks. The bi-directional traffic flow model is employed to aggregate traffic packets, which can reduce the number of flow records and capture user's alternation behavior characteristics. The first order connection degree and joint correlation degree are selected as the features to capture the characteristics of traffic profiles. To perform careful traffic inspection and attack detection, not only the abnormal changes of a single traffic feature but also the correlations between the features are analyzed in the new framework. First, the symmetry of in and out connection degrees is analyzed. And we found that incomplete flows are an important information source for abnormal behavior detection. Second, joint correlation degree can characterize the user's communication profiles and their behavior dynamics, which are employed to perform abnormal detection using measurements based on Renyi cross entropy. Finally, the reversible degree sketch is employed for querying abnormal traffic pattern sources for real-time traffic management. The experimental results based on actual traffic traces collected from Northwest Regional Center of CERNET (China Education and Research Network) show the efficiency of the proposed method. The method based on Renyi entropy can detect abnormal changing points correctly. FNR of the reversible sketch for locating abnormal sources is below 4% and time complexity is constant and less than 4s, which is critical for real-time traffic monitoring.

Tao Qin,Xiaohong Guan,Wei Li.,Pinghui Wang

DOI: https://doi.org/10.1109/ICCW.2008.45

2008-01-01

Abstract:Detecting and measuring the changes of temporal traffic patterns in large scale networks are crucial for effective network management. This paper presents the concept of region flow to aggregate traffic packets. Regions are defined by the IP prefix, and a region flow is a group of packets with the same source and destination region during a time interval. In this way, the number of flows can be reduced significantly and a better extraction of pivotal traffic metrics is generated. Three traffic features: source connection degree, destination connection degree and packet distribution ratio are proposed to capture the dynamic change of the flow patterns between regions and the Renyi cross entropy are applied to measure and detect the changes. The experimental results show that the method proposed in this paper can capture the dynamic traffic features effectively for 10Gbps backbone networks, and can be used for detecting abnormal network behaviors. ©2008 IEEE.

Huili Dou,Yuanyuan Liu,Sirui Chen,Hongyang Zhao,Hazrat Bilal

DOI: https://doi.org/10.1007/s00500-023-09164-y

IF: 3.732

2023-09-16

Soft Computing

Abstract:Many highways are acquiring smart transportation systems to improve traffic efficiency, safety and management. Intelligent transportation systems can monitor traffic congestion by providing estimated time of arrival or suggesting a diversion route. However, due to the chaotic complexity of the highway traffic road network and the short-term mobility of the population, traffic flow prediction is affected by many complex factors, and the development of an effective traffic flow forecasting system is very challenging. This paper establishes a novel framework to enhance the prediction of highway traffic flow based on the integration of Complementary Ensemble Empirical Mode Decomposition and Gaussian Mixture Model (CEEMD-GMM). Firstly, the complementary ensemble empirical mode decomposition is used to decompose and reduce the noise of traffic flow data. The empirical modal components are combined by calculating the sample entropy (SE), which makes the time series stable and reduces the time cost of forecasting. Secondly, the histogram of oriented gradient (HoG) is computed to extract the distinct features of various traffic flows and enhance the traffic flow prediction. Furthermore, the highway traffic data is classified using Gaussian mixture model to realize the feature extraction of different types of highway traffics. The performance of the model is evaluated in terms of mean absolute error (MAE), root mean square error (RMSE), mean absolute percent error (MAPE), and average correlation. The model is extensively verified using traffic flow data under individual weather conditions and different traffic flow datasets. Compared with the traditional support vector machine (SVM), artificial neural network (ANN), random forest (RF) and Adaboost algorithms, the proposed model shows 2.90% MAE, 6.07% RMSE, 0.38% MAPE and average correlation coefficient of 0.74 for traffic flow detection. It is concluded that the model can predict the highways traffic flow with high accuracy as compared to other contemporary models.

computer science, artificial intelligence, interdisciplinary applications

Feng Guo,Fumin Zou,Sijie Luo,Lyuchao Liao,Jinshan Wu,Xiang Yu,Cheng Zhang

DOI: https://doi.org/10.3390/electronics11131981

IF: 2.9

2022-06-24

Electronics

Abstract:As one of the largest Internet of Things systems in the world, China's expressway electronic toll collection (ETC) generates nearly one billion pieces of transaction data every day, recording the traffic trajectories of almost all vehicles on the expressway, which has great potential application value. However, there are inevitable missed transactions and false transactions in the expressway ETC system, which leads to certain false and missing rates in ETC data. In this work, a dynamic search step SegrDTW algorithm based on an improved DTW algorithm is proposed according to the characteristics of expressway ETC data with origin–destination (OD) data constraints and coupling between the gantry path and the vehicle trajectory. Through constructing the spatial window of segment retrieval, the spatial complexity of the DTW algorithm is effectively reduced, and the efficiency of the abnormal ETC data detection is greatly improved. In real traffic data experiments, the SegrDTW algorithm only needs 3.36 s to measure the abnormal events of a single set of OD path data for 10 days. Compared with the mainstream algorithms, the SegrDTW performs best. Therefore, the proposal provides a feasible method for the abnormal event detection of expressway ETC data in a province and even the whole country.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiaofei Bu,Yu-E Sun,Yang Du,Xiaocan Wu,Boyu Zhang,He Huang

DOI: https://doi.org/10.1007/s12083-020-01036-8

2021-01-11

Abstract:Detecting the flows with abnormally large spreads over big network data can help us identify network attacks, such as DDoS attacks and scanners. Most per-flow measurement studies use compact data structures to reduce their memory requirements, fitting in the limited on-chip memory and catching up with the line rate. In this paper, we study a novel problem called spread estimation among multi-periods to measure the total number of distinct elements or the number of distinct <i>k</i>-persistent elements in a flow among multiple traffic measurement periods. In our design, we use an on-chip/off-chip model to record the per-flow traffic information, which uses small on-chip memory and matches the line rate, <i>i.e.</i>, we use on-chip memory to filter out the duplicates, sample the elements, and store the sampled traffic data in off-chip memory. By performing the set operations on the sampled traffic data, we can derive the total number of distinct elements and the number of distinct <i>k</i>-persistent elements among multiple periods based on probability analysis. The experimental results on real Internet traffic traces show that, when performing spread estimation among multiple periods, our estimator is efficient in memory usage and estimation accuracy and can efficiently detect the stealthy DDoS attack and scanners.

computer science, information systems,telecommunications

Xi Jiang,Shinan Liu,Saloua Naama,Francesco Bronzino,Paul Schmitt,Nick Feamster

DOI: https://doi.org/10.48550/arXiv.2302.11718

2023-02-23

Abstract:Accurate and efficient network traffic classification is important for many network management tasks, from traffic prioritization to anomaly detection. Although classifiers using pre-computed flow statistics (e.g., packet sizes, inter-arrival times) can be efficient, they may experience lower accuracy than techniques based on raw traffic, including packet captures. Past work on representation learning-based classifiers applied to network traffic captures has shown to be more accurate, but slower and requiring considerable additional memory resources, due to the substantial costs in feature preprocessing. In this paper, we explore this trade-off and develop the Adaptive Constraint-Driven Classification (AC-DC) framework to efficiently curate a pool of classifiers with different target requirements, aiming to provide comparable classification performance to complex packet-capture classifiers while adapting to varying network traffic load. AC-DC uses an adaptive scheduler that tracks current system memory availability and incoming traffic rates to determine the optimal classifier and batch size to maximize classification performance given memory and processing constraints. Our evaluation shows that AC-DC improves classification performance by more than 100% compared to classifiers that rely on flow statistics alone; compared to the state-of-the-art packet-capture classifiers, AC-DC achieves comparable performance (less than 12.3% lower in F1-Score), but processes traffic over 150x faster.

Networking and Internet Architecture

Tao Qin,Xiaohong Guan,Wei Li,Pinghui Wang,Qiuzhen Huang

DOI: https://doi.org/10.1016/j.jnca.2011.06.006

IF: 7.574

2011-01-01

Journal of Network and Computer Applications

Abstract:The randomness in network behaviors poses serious challenges for discovering abnormal patterns in network traffic flows. This paper presents a systematic approach for monitoring abnormal network traffic. The DFlow model is proposed to reduce the flow records and extract four features to capture the traffic patterns. The blind source separation method is applied to obtain the routine and abnormal behaviors from those features. A scale space filter is applied to filter the randomness in the traffic flows without affecting the behavior patterns. A threshold is selected based on a systematic criterion to evaluate the degree of abnormality. The contributions of different traffic features to the abnormal behavior detection are analyzed. It is found that the number of connection degree is the most important feature for traffic monitoring. A salient feature of this method is that it is effective for detecting the abnormal behaviors not associated with significant changes in traffic volumes. Another advantage of the new method is that no supervised learning process is needed. This is very important since high quality labeled samples are very difficult to acquire in actual networks especially the data traces associated with attacks. The experimental results based on the actual network data show that the method presented in the paper is effective for monitoring abnormal traffic flows in the gigabytes traffic environment and the accuracy is above 95%.

Peng Zhang,Shimin Xu,Zuoru Yang,Hao Li,Qi Li,Huanzhao Wang,Chengchen Hu

DOI: https://doi.org/10.1109/icdcs.2018.00085

2018-01-01

Abstract:A crucial requirement for Software Defined Network (SDN) is that data plane forwarding behaviors should always agree with control plane policies. Such requirement cannot be met when there are forwarding anomalies, where packets deviate from the paths specified by the controller. Most anomaly detection methods for SDN install dedicated rules to collect statistics of each flow, and check whether the statistics conform to the flow conservation principle. Such per-flow detection methods have a limited detection scope: they look at one flow each time, thus can only check a limited number of flows simultaneously. In addition, dedicated rules for statistics collection can impose a large overhead on flow tables of SDN switches. To this end, this paper presents FOCES, a network-wide forwarding anomaly detection method in SDN. Different from previous methods, FOCES applies a new kind of flow conservation principle at network wide, and can check forwarding behaviors of all flows in the network simultaneously, without installing any dedicated rules. Experiments show FOCES can achieve a detection precision higher than 90% for four network topologies, even when packet loss rates are as high as 10%.

Song Hao,Wentao Fu,Xuanze Chen,Chengxiang Jin,Jiajun Zhou,Shanqing Yu,Qi Xuan

2024-09-12

Abstract:Traditional anomalous traffic detection methods are based on single-view analysis, which has obvious limitations in dealing with complex attacks and encrypted communications. In this regard, we propose a Multi-view Feature Fusion (MuFF) method for network anomaly traffic detection. MuFF models the temporal and interactive relationships of packets in network traffic based on the temporal and interactive viewpoints respectively. It learns temporal and interactive features. These features are then fused from different perspectives for anomaly traffic detection. Extensive experiments on six real traffic datasets show that MuFF has excellent performance in network anomalous traffic detection, which makes up for the shortcomings of detection under a single perspective.

Machine Learning

Yuanfang Chen,Mohsen Guizani,Yan Zhang,Lei Wang,Noel Crespi,Gyu Myoung Lee

DOI: https://doi.org/10.48550/arXiv.1709.08024

2017-09-23

Abstract:Traffic flow prediction is an important research issue for solving the traffic congestion problem in an Intelligent Transportation System (ITS). Traffic congestion is one of the most serious problems in a city, which can be predicted in advance by analyzing traffic flow patterns. Such prediction is possible by analyzing the real-time transportation data from correlative roads and vehicles. This article first gives a brief introduction to the transportation data, and surveys the state-of-the-art prediction methods. Then, we verify whether or not the prediction performance is able to be improved by fitting actual data to optimize the parameters of the prediction model which is used to predict the traffic flow. Such verification is conducted by comparing the optimized time series prediction model with the normal time series prediction model. This means that in the era of big data, accurate use of the data becomes the focus of studying the traffic flow prediction to solve the congestion problem. Finally, experimental results of a case study are provided to verify the existence of such performance improvement, while the research challenges of this data-analytics-based prediction are presented and discussed.

Artificial Intelligence

Zhengchao Zhang,Meng Li,Xi Lin,Yinhai Wang

DOI: https://doi.org/10.1016/j.trc.2020.102870

2020-01-01

Abstract:With the rapid development of urbanization and modernization, it is increasingly crucial to sense network-wide traffic. Network-wide traffic volume information is of great benefit for traffic planning, government management and vehicle emissions control. However, it is difficult to install detectors on every intersection due to the expensive deployment and maintenance costs, and the insufficient sensor coverage across the network limits the direct availability of network-wide traffic flow information. Whereas, crowdsourcing floating car data with a high coverage rate are currently available, which creates an opportunity to address this problem. In this paper, we propose a novel methodology to estimate network-wide traffic flow, which incorporates flow records and crowdsourcing floating car data into a geometric matrix completion model. Furthermore, a spatial smoothing index based on the divergence is developed to measure the difficulty of volume estimation for each road segment. We conduct extensive experiments on both real-world and synthetic datasets. The results demonstrate that our approach consistently outperforms other benchmark models and that the proposed index is highly correlated to estimation accuracy.

Jing Chen,Mengqi Xu,Wenqiang Xu,Daping Li,Weimin Peng,Haitao Xu

DOI: https://doi.org/10.1109/tits.2023.3269794

IF: 8.5

2023-01-01

IEEE Transactions on Intelligent Transportation Systems

Abstract:Traffic flow prediction methods commonly rely on historical traffic data, such as traffic volume and speed, but may not be suitable for high-capacity expressways or during peak traffic hours. Furthermore, downstream flow can have significant impacts on traffic flow. To address these challenges, our study proposes a novel traffic flow prediction model, V-STF, which integrates visual methods to quantify macroscopic traffic flow indicators, as well as density features in temporal and flow feedback in spatio features. The contribution of our proposed model lies in its ability to improve prediction accuracy during non-periodic peak hours, by taking into account the impact of congested road conditions on traffic flow. Our experiments using the STREETS dataset demonstrate that V-STF outperforms state-of-the-art methods, especially in predicting sudden changes in traffic flow, resulting in more accurate predictions.

engineering, electrical & electronic,transportation science & technology, civil